From: Boqun Feng <boqun.feng@gmail.com>
To: Suren Baghdasaryan <surenb@google.com>
Cc: Hillf Danton <hdanton@sina.com>,
syzbot <syzbot+11701838dd42428ab7b3@syzkaller.appspotmail.com>,
Tetsuo Handa <penguin-kernel@i-love.sakura.ne.jp>,
edumazet@google.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [net?] possible deadlock in vm_insert_page
Date: Mon, 30 Dec 2024 10:31:22 -0800
Message-ID: <Z3Lm-kHkNcOjXRMq@boqun-archlinux>
In-Reply-To: <CAJuCfpGabHbK_YvdZO9rq=LLXVOX6Emd-6tDH9g7xE-jJAucig@mail.gmail.com>
On Mon, Dec 30, 2024 at 10:22:27AM -0800, Suren Baghdasaryan wrote:
[...]
> > > >
> > > > Also a quick look seems to suggest that the lock dependency on CPU 1:
> > > >
> > > > lock(&vma->vm_lock->lock);
> > > > lock(sb_pagefaults#4);
> > > >
> > > > can happen in a page fault with a reader of &vma->vm_lock->lock.
> > >
> > > The report clearly indicates a call to vma_start_write(), which means
> > > vm_lock is being write-locked, not read-locked. That's why I commented
> > > that the report does not consider that mmap_write_lock is already
> > > taken when vma_start_write() is called.
> > >
> > > >
> > > > do_page_fault():
> > > > lock_vma_under_rcu():
> > > > vma_start_read():
> > > > down_read_trylock(); // read lock &vma->vm_lock->lock here.
> > > > ...
> > > > handle_mm_fault():
> > > > sb_start_pagefault(); // lock(sb_pagefaults#4);
> > > >
> > > > if so, an existing reader can block the other writer, so I don't think
> > > > the mmap_lock write protection can help here.
> > >
> > > In your example vma->vm_lock would be read-locked before
> > > po->pg_vec_lock but in the report po->pg_vec_lock is locked before
> > > vma->vm_lock->lock. I don't think what is reported here is the
> > > do_page_fault() path.
> > >
> >
> > You're missing the point, in the report, the current stack is indeed in
> > a write path (i.e. &mm->mmap_lock first and then &vma->vm_lock->lock),
> > however that's only part of the picture. The deadlock
> > possibility is due to that there could be a concurrent do_page_fault()
> > which will hold &vma->vm_lock->lock first and wait for another lock that
> > eventually has a dependency on a &mm->mmap_lock.
>
> I need to see a more concrete example.
> Note that do_page_fault() does not even read-lock the mmap_lock when
> it uses vma->vm_lock, that's the whole point of per-vma locks that we
> avoid using mmap_lock. So, even if it later waits on some other lock
> that has mm->mmap_lock dependency, that should not block it.
> Again, you might be right and there might be a lockdep issue but I
> need a more specific example to see if it's real.
>
Understood. I clearly don't have the whole set of knowledge/skills to
make the call ;-) I just tried my best to figure out what lockdep
thought in this case (see the other email), it's quite fun to hunt down
a "deadlock" possibility involving 11 locks. Right now, I'm leaning
towards this being 80% a false positive because one of the dependencies
was built during initcall, so it may not happen in real code, but I need
to defer that to drm folks.
Regards,
Boqun
> >
> > Regards,
> > Boqun
> >
[...]