Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp789123ybz; Wed, 15 Apr 2020 19:07:21 -0700 (PDT) X-Google-Smtp-Source: APiQypJB/CyTLPU6Dvrc2ka+epILylWc2OTfmqT8Nu90dXtDt4/OLb4lJD92F/BhCAwQYWU84bCq X-Received: by 2002:a17:906:18a2:: with SMTP id c2mr7746385ejf.167.1587002840859; Wed, 15 Apr 2020 19:07:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587002840; cv=none; d=google.com; s=arc-20160816; b=VkN2s4ymF1NHyAhDta/3pn5Jin1HmXDqJbINO6xKDkraHi7PLtGGBQsWA/ymKj9E2j SepDnM+GhgmcTx9gmIAjNfkrkBZ5N7jGMrSfrdg8Wvfv91tPxMusMJYe02Y7oOfiJB50 EyUNrb6+o0C7f8bsw4uV6LNmv6K3ec+eJC2OSb2MXA/Wx6+9GzAClaIZWUvE8sheCwNM Va8l5pYvIbqBPRidU84unV+fgtIOFbW2rlvv5h5dVY5KyRD5xAkAan6iW67ZFpLJgybQ StKEF9hNJtKp+D+cBg1couD3Igaodv7zBV5CHb1X6q3nsXmCVC5kdvLpvK2k1cuCYJyN IOtw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:mime-version:user-agent:references :message-id:in-reply-to:subject:cc:to:from:date:dkim-signature; bh=WUOdBHVjTYSAdHEkzTfIK+cQNyJIvAhfkkqze9Y3vHY=; b=tuTMcUlbhxd484m57JVso1qXp9WIm50Ioj67j/dfJkQvojDfkyTX8KAkiiJLlGQe8U v0ZwfblD6yOcq8JytRH9gTpO7jodTA1GK5gleWZpudq1FTjOuReVB8xQjAHt/fo/nxRi 2yGWUpiSZ9fLN5EldFKtb1f7HS3Qy8RmHAOVSNyFOxjwFsRCVqoZ7IZwdtFUWwD66kud 290BTs15xWuueAwMQuP7u/PJdKjGpXa/ngN5lWoSOF94UpkySmsOP3bT8BeKaPzTYYZj I8YkKVCWcllDS1lHwfnY8yu5K/8UnyNW+G4PThl+vEORmAOCbs+OoYDbsJB6Cwbg7u6H aC1A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dFuhPIKF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id b3si10911278edn.402.2020.04.15.19.06.57; Wed, 15 Apr 2020 19:07:20 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@google.com header.s=20161025 header.b=dFuhPIKF; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=google.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729584AbgDPCED (ORCPT + 99 others); Wed, 15 Apr 2020 22:04:03 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33878 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1728397AbgDPCEA (ORCPT ); Wed, 15 Apr 2020 22:04:00 -0400 Received: from mail-ot1-x342.google.com (mail-ot1-x342.google.com [IPv6:2607:f8b0:4864:20::342]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 6C209C061A0C for ; Wed, 15 Apr 2020 19:04:00 -0700 (PDT) Received: by mail-ot1-x342.google.com with SMTP id j4so1783268otr.11 for ; Wed, 15 Apr 2020 19:04:00 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=20161025; h=date:from:to:cc:subject:in-reply-to:message-id:references :user-agent:mime-version; bh=WUOdBHVjTYSAdHEkzTfIK+cQNyJIvAhfkkqze9Y3vHY=; b=dFuhPIKF68NNEtuqTBL5h6FNtryPc7t+6DAdUlHMtza7uJ0lRStsOHpmMu2bth4kbg EoLKBlW00QfAXI9xwv5Uba5MgnBSFpa2S12qa3l5NWosBUseQPZ4CMntQhK8OZpDnpjR xC6WFPWIVmL9FYv1TmGjK99eXmZOYJgFoGzVl2CkW3VtnvHf09jWjFE3x+q84wf0xkKb Cdc4s1FVZGiKG/ePW971uFULtyONT0W5mZKaEvAa3YfXg09Aw2nr2y+kQAjd6uz8Xmwu h+AaE0g4c9LYi3y29ho6N/YgqTrMrDU82FapTLDMsqqEQh/2WDj/HK9IAhsa3Ny7hgvl b9gA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:date:from:to:cc:subject:in-reply-to:message-id :references:user-agent:mime-version; bh=WUOdBHVjTYSAdHEkzTfIK+cQNyJIvAhfkkqze9Y3vHY=; b=QOn6PYqX+KBZU/qhBpwJ7dR3zIci+K421O+GJiSCSBC7/XI8xJPRopELx4HvSzhQET GrrO4dcEOKCcNALL5b6AZb+evLf2UUHj3Mx2VWAgyc8hTe2xP2frMUPOhGlLvjCeSqf5 fMfKmSxRQJK8opjL3Hw3oJO+oWM/t0xXkC1GBuYOCN8r7tN+WpzMCIKYJ94RTJBWo6/7 B3r2cj9nmIB/idy5jaRS8urR7ITKEcjpp8Z6yr5vMABU/argUHlntsYc+PTracoWA3hr hknlvasbSscz5R0Zs1V3fazdvAJPCExEfutOc4TLSWQRDtY6bYyf1STOP+4K1gwaA2I/ 7bqw== X-Gm-Message-State: AGi0PuZq/IWtUWkjzOtj7xB0arZAHS6c6ECNefPRFbpS1irp+Z0ItCzD AQHyG7cSop4q0Me6IXisDdZEhA== X-Received: by 2002:a9d:620c:: with SMTP id g12mr30601otj.158.1587002639307; Wed, 15 Apr 2020 19:03:59 -0700 (PDT) Received: from eggly.attlocal.net (172-10-233-147.lightspeed.sntcca.sbcglobal.net. [172.10.233.147]) by smtp.gmail.com with ESMTPSA id v15sm7492966ook.37.2020.04.15.19.03.58 (version=TLS1 cipher=ECDHE-ECDSA-AES128-SHA bits=128/128); Wed, 15 Apr 2020 19:03:58 -0700 (PDT) Date: Wed, 15 Apr 2020 19:03:56 -0700 (PDT) From: Hugh Dickins X-X-Sender: hugh@eggly.anvils To: Yang Shi cc: syzbot , Andrew Morton , Hugh Dickins , Linux Kernel Mailing List , Linux MM , syzkaller-bugs@googlegroups.com, Linus Torvalds Subject: Re: possible deadlock in shmem_uncharge In-Reply-To: Message-ID: References: <000000000000e5838c05a3152f53@google.com> User-Agent: Alpine 2.11 (LSU 23 2013-08-11) MIME-Version: 1.0 Content-Type: TEXT/PLAIN; charset=US-ASCII Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Mon, 13 Apr 2020, Yang Shi wrote: > On Sun, Apr 12, 2020 at 3:11 AM syzbot > wrote: > > > > Hello, > > > > syzbot found the following crash on: > > > > HEAD commit: ae46d2aa mm/gup: Let __get_user_pages_locked() return -EIN.. > > git tree: upstream > > console output: https://syzkaller.appspot.com/x/log.txt?x=14a30a77e00000 > > kernel config: https://syzkaller.appspot.com/x/.config?x=ca75979eeebf06c2 > > dashboard link: https://syzkaller.appspot.com/bug?extid=c8a8197c8852f566b9d9 > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f5632be00000 > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=132ade57e00000 > > > > The bug was bisected to: > > > > commit 71725ed10c40696dc6bdccf8e225815dcef24dba > > Author: Hugh Dickins > > Date: Tue Apr 7 03:07:57 2020 +0000 > > > > mm: huge tmpfs: try to split_huge_page() when punching hole > > > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=120a752be00000 > > final crash: https://syzkaller.appspot.com/x/report.txt?x=110a752be00000 > > console output: https://syzkaller.appspot.com/x/log.txt?x=160a752be00000 > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > Reported-by: syzbot+c8a8197c8852f566b9d9@syzkaller.appspotmail.com > > Fixes: 71725ed10c40 ("mm: huge tmpfs: try to split_huge_page() when punching hole") No, that commit just gave syzkaller an easier way to reach old code. > > > > ===================================================== > > WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected > > 5.6.0-syzkaller #0 Not tainted > > ----------------------------------------------------- > > syz-executor428/8337 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: > > ffff8880a851c778 (&info->lock){....}-{2:2}, at: shmem_uncharge+0x24/0x270 mm/shmem.c:341 > > > > and this task is already holding: > > ffff8880a851cac8 (&xa->xa_lock#4){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:353 [inline] > > ffff8880a851cac8 (&xa->xa_lock#4){..-.}-{2:2}, at: split_huge_page_to_list+0xad0/0x33b0 mm/huge_memory.c:2864 > > which would create a new lock dependency: > > (&xa->xa_lock#4){..-.}-{2:2} -> (&info->lock){....}-{2:2} > > > > but this new dependency connects a SOFTIRQ-irq-safe lock: > > (&xa->xa_lock#4){..-.}-{2:2} > > It looks shmem_uncharge() is just called by __split_huge_page() and > collapse_file(). The collapse_file() has acquired xa_lock with irq > disabled before acquiring info->lock, so it is safe. > __split_huge_page() is called with holding xa_lock with irq enabled, > but lru_lock is acquired with irq disabled before acquiring xa_lock. > > So, it is unnecessary to acquire info->lock with irq disabled in > shmem_uncharge(). Can syzbot try the below patch? But I disagree with the patch below. You're right that IRQ-disabling here is unnecessary, given its two callers; but I'm not sure that we want it to look different from shmem_charge() and all other info->lock takers; and, more importantly, I don't see how removing the redundant IRQ-saving below could make it any less liable to deadlock. The crucial observation comes lower down > > to a SOFTIRQ-irq-unsafe lock: > > (shmlock_user_lock){+.+.}-{2:2} and there's another syzbot report that's come out on shmlock_user_lock, "possible deadlock in user_shm_lock". I believe all that's needed to fix both reports is not to use info->lock in shmem_lock() - I see now that we saw lockdep reports of this kind internally, a long time ago, and fixed them in that way. (I haven't composed the patch and references yet, and not decided if I'll add it here or there or separately. I'll put it together now.) Hugh > > diff --git a/mm/shmem.c b/mm/shmem.c > index d722eb8..100117b 100644 > --- a/mm/shmem.c > +++ b/mm/shmem.c > @@ -334,15 +334,14 @@ bool shmem_charge(struct inode *inode, long pages) > void shmem_uncharge(struct inode *inode, long pages) > { > struct shmem_inode_info *info = SHMEM_I(inode); > - unsigned long flags; > > /* nrpages adjustment done by __delete_from_page_cache() or caller */ > > - spin_lock_irqsave(&info->lock, flags); > + spin_lock(&info->lock); > info->alloced -= pages; > inode->i_blocks -= pages * BLOCKS_PER_PAGE; > shmem_recalc_inode(inode); > - spin_unlock_irqrestore(&info->lock, flags); > + spin_unlock(&info->lock); > > shmem_inode_unacct_blocks(inode, pages); > }