Subject: Re: [PATCH] shmem: fix possible deadlocks on shmlock_user_lock
To: Hugh Dickins, Andrew Morton
Cc: linux-kernel@vger.kernel.org, linux-mm@kvack.org
From: Yang Shi
Date: Thu, 16 Apr 2020 20:00:05 -0700

On 4/16/20 5:11 PM, Hugh Dickins wrote:
> Recent commit 71725ed10c40 ("mm: huge tmpfs: try to split_huge_page()
> when punching hole") has allowed syzkaller to probe deeper, uncovering
> a long-standing lockdep issue between the irq-unsafe shmlock_user_lock,
> the irq-safe xa_lock on mapping->i_pages, and shmem inode's info->lock
> which nests inside xa_lock (or tree_lock) since 4.8's shmem_uncharge().
>
> user_shm_lock(), servicing SysV shmctl(SHM_LOCK), wants shmlock_user_lock
> while its caller shmem_lock() holds info->lock with interrupts disabled;
> but hugetlbfs_file_setup() calls user_shm_lock() with interrupts enabled,
> and might be interrupted by a writeback endio wanting xa_lock on i_pages.
> This may not risk an actual deadlock, since shmem inodes do not take part
> in writeback accounting, but there are several easy ways to avoid it.
>
> Requiring interrupts disabled for shmlock_user_lock would be easy,
> but it's a high-level global lock for which that seems inappropriate.
> Instead, recall that the use of info->lock to guard info->flags in
> shmem_lock() dates from pre-3.1 days, when races with SHMEM_PAGEIN and
> SHMEM_TRUNCATE could occur: nowadays it serves no purpose, the only flag
> added or removed is VM_LOCKED itself, and calls to shmem_lock() an inode
> are already serialized by the caller. Take info->lock out of the chain
> and the possibility of deadlock or lockdep warning goes away.
> > Reported-by: syzbot+c8a8197c8852f566b9d9@syzkaller.appspotmail.com > Link: https://lore.kernel.org/lkml/000000000000e5838c05a3152f53@google.com/ > Reported-by: syzbot+40b71e145e73f78f81ad@syzkaller.appspotmail.com > Link: https://lore.kernel.org/lkml/0000000000003712b305a331d3b1@google.com/ > Fixes: 4595ef88d136 ("shmem: make shmem_inode_info::lock irq-safe") > Signed-off-by: Hugh Dickins > Cc: Yang Shi > --- > > mm/shmem.c | 7 +++++-- > 1 file changed, 5 insertions(+), 2 deletions(-) Acked-by: Yang Shi > > --- 5.7-rc1/mm/shmem.c 2020-04-11 12:58:26.415524805 -0700 > +++ linux/mm/shmem.c 2020-04-16 11:04:06.729738730 -0700 > @@ -2179,7 +2179,11 @@ int shmem_lock(struct file *file, int lo > struct shmem_inode_info *info = SHMEM_I(inode); > int retval = -ENOMEM; > > - spin_lock_irq(&info->lock); > + /* > + * What serializes the accesses to info->flags? > + * ipc_lock_object() when called from shmctl_do_lock(), > + * no serialization needed when called from shm_destroy(). > + */ > if (lock && !(info->flags & VM_LOCKED)) { > if (!user_shm_lock(inode->i_size, user)) > goto out_nomem; > @@ -2194,7 +2198,6 @@ int shmem_lock(struct file *file, int lo > retval = 0; > > out_nomem: > - spin_unlock_irq(&info->lock); > return retval; > } >
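Review bot: the comment added at the top of shmem_lock() in the first hunk is now the only record that info->flags is tested and updated without info->lock, and it is phrased as a question with no reason given for the shm_destroy() case. Suggest wording it as a caller contract (callers must serialize shmem_lock() on a given inode) and stating why shm_destroy() needs no serialization, so that a caller added later outside shmctl_do_lock() does not silently race on VM_LOCKED.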
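Review bot: in the second hunk, with spin_unlock_irq() removed, the out_nomem label is followed only by "return retval;". The "goto out_nomem" in the first hunk could return -ENOMEM directly (retval's initial value) and the label could be dropped, unless it is kept on purpose to keep this fix minimal.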