Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp799424ybz; Wed, 15 Apr 2020 19:22:38 -0700 (PDT) X-Google-Smtp-Source: APiQypJH34hwMNAMKrYyXj5xzh/YaYSuKEVA21QiQsRjjd+FqrhYRGOtGPNMBzjv+eHfu7goENrL X-Received: by 2002:a17:906:2b96:: with SMTP id m22mr7017953ejg.330.1587003758596; Wed, 15 Apr 2020 19:22:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1587003758; cv=none; d=google.com; s=arc-20160816; b=yosLDROFARtGwu7jedNRybrD2ljn3URyoCpMjue40kjQ9UQVTp5w155SpCrmrLIKdX jrSfQnm0HjpWKRc7kb3Bm8wM0VcgB0gRydV0J05H9cSeGkZir2pwSTKmvXP1dJfrnmCH sfEY5xb1/sDAbHf4aEEunBU49Zd6SUTDzc4RQQcuqE9y5dWIEB+3T7PYP/yQ8vHy3V+I gdlXjQ60pZUJvqhB8siWxlGcI5eDcnG+Wx5tfqsWnsmHEm9KoCCxEc47i6f+exwl0SFt V3lKu7Jt5mAxb45AYtb/r5yMWywHdBD5GTXTTr5k5ULMFP3mIJSyIjO2tOX5xv5ltluY q05A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=Mgz6bbdQfDVz34mF8jJQbTz4t2DA1H3apdU+WrR+R7Y=; b=LePUNMl/KzqTmNC/xvjPA2k56hxziu0kBDmSC7rEncTkMLQTsS8D349HeCmlWNaP1s +Wggl6fZlJ5StQ72R8ycjzCXfTgG1DWzHB0O/Y7RCspsUFm2S3DDjEdxdlXsQgoTElJ9 cM9zAES5XaNYqkZgp0ygQUx+nmsRcWryym4WfULJuykeIEvrzA9PH9rdvxsmxR/PxAl4 lsoJgE4bcH0ZlanZTPVOqugZgBPYrdQGDSpUO3/lJajg9KttGO3Gz7F+ET5bjy6suKhN Gkx+kGa5TU6sanUyzLYcgHgO4l0106iE/yrjITRpkya1YVqsqGVSxdO2KHcyizI7ORYs d/ZQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=kcq+6btH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bo7si51399edb.80.2020.04.15.19.22.15; Wed, 15 Apr 2020 19:22:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=kcq+6btH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732153AbgDPCUt (ORCPT + 99 others); Wed, 15 Apr 2020 22:20:49 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:36530 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL) by vger.kernel.org with ESMTP id S1731550AbgDPCUo (ORCPT ); Wed, 15 Apr 2020 22:20:44 -0400 Received: from mail-ej1-x644.google.com (mail-ej1-x644.google.com [IPv6:2a00:1450:4864:20::644]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 4AC26C061A0C for ; Wed, 15 Apr 2020 19:20:44 -0700 (PDT) Received: by mail-ej1-x644.google.com with SMTP id j15so151284ejt.13 for ; Wed, 15 Apr 2020 19:20:44 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=Mgz6bbdQfDVz34mF8jJQbTz4t2DA1H3apdU+WrR+R7Y=; b=kcq+6btHmb01cooZ1xUD/y9he2yoQ4t039E5mbUs2BkDlGwudOwJ46xfNOzh91fJrK cnmTtdcKJzViFnX/YSyC9g9bK9fy8Z8mBpig5VPviP3O0Zu3fidj81rq0sr+yioLllzb i0WBaroEoibasQOLasvyihivuvKavssL5fbCXotGXqFAhNSQebmrLYTKDEJhq1tFswer bIju+QaB37x9zzyPDW3ziDpn6Vcjc+yqGwagc5mHDmumsjsCq2LWLOiHIGWCNJK/e9XN HEhNHRDuqbY/gV1KmAvZ4hcdQ6vjgXO+BOPkJzxiUZWd34mkQULMsJZcLrOOQFUb8lj0 mqUw== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=Mgz6bbdQfDVz34mF8jJQbTz4t2DA1H3apdU+WrR+R7Y=; b=G9TpeqDCygETTPMzADpIs11eN95EfcZnpMFjJwsl7WJAvprH5/fbxLuKWS6EUXzHcL 8domHfslwl802lGUwZ6KmbiA4cuESnrMBfD7VaHXwWm6gT/AaObeW6oaPNKJPO4g75Lt 58xprVb08WAPL3bUmQQppIKgcmk7xCg5ORtVScoqeCjtsAi/a2OtFTClchpFT32CXd0O ccW+na6r/gHoWdvftwvOEEdrSZdQdsTSr3SY5ATRQa6+/iaC4mZIVa6bOaXzVuBMD+SP ZhITNRlXHG3wfAkX9K1MW0bHCej3d1HGeiA5lxXVFwCykEp5tZAIXxBrzC8VKV9jqFVY mkjQ== X-Gm-Message-State: AGi0PuY2EYT3ealHQsDGlKHd9/LdVoysYQgqqT87u6mhW1JF2EoiLtnN EgaXdYg6Z5JN2rAu+pu2G9pHhXvSt2p8tflKg1U= X-Received: by 2002:a17:906:374b:: with SMTP id e11mr8047637ejc.283.1587003642849; Wed, 15 Apr 2020 19:20:42 -0700 (PDT) MIME-Version: 1.0 References: <000000000000e5838c05a3152f53@google.com> In-Reply-To: From: Yang Shi Date: Wed, 15 Apr 2020 19:20:30 -0700 Message-ID: Subject: Re: possible deadlock in shmem_uncharge To: Hugh Dickins Cc: syzbot , Andrew Morton , Linux Kernel Mailing List , Linux MM , syzkaller-bugs@googlegroups.com, Linus Torvalds Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Wed, Apr 15, 2020 at 7:04 PM Hugh Dickins wrote: > > On Mon, 13 Apr 2020, Yang Shi wrote: > > On Sun, Apr 12, 2020 at 3:11 AM syzbot > > wrote: > > > > > > Hello, > > > > > > syzbot found the following crash on: > > > > > > HEAD commit: ae46d2aa mm/gup: Let __get_user_pages_locked() return -EIN.. > > > git tree: upstream > > > console output: https://syzkaller.appspot.com/x/log.txt?x=14a30a77e00000 > > > kernel config: https://syzkaller.appspot.com/x/.config?x=ca75979eeebf06c2 > > > dashboard link: https://syzkaller.appspot.com/bug?extid=c8a8197c8852f566b9d9 > > > compiler: gcc (GCC) 9.0.0 20181231 (experimental) > > > syz repro: https://syzkaller.appspot.com/x/repro.syz?x=15f5632be00000 > > > C reproducer: https://syzkaller.appspot.com/x/repro.c?x=132ade57e00000 > > > > > > The bug was bisected to: > > > > > > commit 71725ed10c40696dc6bdccf8e225815dcef24dba > > > Author: Hugh Dickins > > > Date: Tue Apr 7 03:07:57 2020 +0000 > > > > > > mm: huge tmpfs: try to split_huge_page() when punching hole > > > > > > bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=120a752be00000 > > > final crash: https://syzkaller.appspot.com/x/report.txt?x=110a752be00000 > > > console output: https://syzkaller.appspot.com/x/log.txt?x=160a752be00000 > > > > > > IMPORTANT: if you fix the bug, please add the following tag to the commit: > > > Reported-by: syzbot+c8a8197c8852f566b9d9@syzkaller.appspotmail.com > > > Fixes: 71725ed10c40 ("mm: huge tmpfs: try to split_huge_page() when punching hole") > > No, that commit just gave syzkaller an easier way to reach old code. > > > > > > > ===================================================== > > > WARNING: SOFTIRQ-safe -> SOFTIRQ-unsafe lock order detected > > > 5.6.0-syzkaller #0 Not tainted > > > ----------------------------------------------------- > > > syz-executor428/8337 [HC0[0]:SC0[0]:HE0:SE1] is trying to acquire: > > > ffff8880a851c778 (&info->lock){....}-{2:2}, at: shmem_uncharge+0x24/0x270 mm/shmem.c:341 > > > > > > and this task is already holding: > > > ffff8880a851cac8 (&xa->xa_lock#4){..-.}-{2:2}, at: spin_lock include/linux/spinlock.h:353 [inline] > > > ffff8880a851cac8 (&xa->xa_lock#4){..-.}-{2:2}, at: split_huge_page_to_list+0xad0/0x33b0 mm/huge_memory.c:2864 > > > which would create a new lock dependency: > > > (&xa->xa_lock#4){..-.}-{2:2} -> (&info->lock){....}-{2:2} > > > > > > but this new dependency connects a SOFTIRQ-irq-safe lock: > > > (&xa->xa_lock#4){..-.}-{2:2} > > > > It looks shmem_uncharge() is just called by __split_huge_page() and > > collapse_file(). The collapse_file() has acquired xa_lock with irq > > disabled before acquiring info->lock, so it is safe. > > __split_huge_page() is called with holding xa_lock with irq enabled, > > but lru_lock is acquired with irq disabled before acquiring xa_lock. > > > > So, it is unnecessary to acquire info->lock with irq disabled in > > shmem_uncharge(). Can syzbot try the below patch? > > But I disagree with the patch below. You're right that IRQ-disabling > here is unnecessary, given its two callers; but I'm not sure that we > want it to look different from shmem_charge() and all other info->lock > takers; and, more importantly, I don't see how removing the redundant > IRQ-saving below could make it any less liable to deadlock. Yes, I realized the patch can't suppress the lockdep splat. But, actually I didn't understand how this deadlock could happen because info_lock is acquired with IRQ disabled before acquiring user_shm_lock. So, interrupt can't come in at all if I didn't miss anything. > > The crucial observation comes lower down > > > to a SOFTIRQ-irq-unsafe lock: > > > (shmlock_user_lock){+.+.}-{2:2} > and there's another syzbot report that's come out on shmlock_user_lock, > "possible deadlock in user_shm_lock". > > I believe all that's needed to fix both reports is not to use info->lock > in shmem_lock() - I see now that we saw lockdep reports of this kind > internally, a long time ago, and fixed them in that way. > > (I haven't composed the patch and references yet, and not decided if > I'll add it here or there or separately. I'll put it together now.) > > Hugh > > > > > diff --git a/mm/shmem.c b/mm/shmem.c > > index d722eb8..100117b 100644 > > --- a/mm/shmem.c > > +++ b/mm/shmem.c > > @@ -334,15 +334,14 @@ bool shmem_charge(struct inode *inode, long pages) > > void shmem_uncharge(struct inode *inode, long pages) > > { > > struct shmem_inode_info *info = SHMEM_I(inode); > > - unsigned long flags; > > > > /* nrpages adjustment done by __delete_from_page_cache() or caller */ > > > > - spin_lock_irqsave(&info->lock, flags); > > + spin_lock(&info->lock); > > info->alloced -= pages; > > inode->i_blocks -= pages * BLOCKS_PER_PAGE; > > shmem_recalc_inode(inode); > > - spin_unlock_irqrestore(&info->lock, flags); > > + spin_unlock(&info->lock); > > > > shmem_inode_unacct_blocks(inode, pages); > > }