Received: by 2002:a25:868d:0:0:0:0:0 with SMTP id z13csp2904847ybk; Mon, 18 May 2020 10:46:06 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzxpKjXKsui3HHB67AFYnOJd7wdTso7yQrJaunO7lCFY6qotnTGyxZAqW6xbDNb83dyxDDa X-Received: by 2002:a50:8b42:: with SMTP id l60mr14183349edl.55.1589823966450; Mon, 18 May 2020 10:46:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1589823966; cv=none; d=google.com; s=arc-20160816; b=MmuKj5nD/CfAWCp5IlT4zLX3H6epABPAnkzT/pclo1QPpYoT8fE1ILxt4TwPn/FzbI yIURc9UzslQveZGvqkEEX6SbQFBV1HrC0nB/YOQkshZ1JMVVbx7DKYArCBE8l9aXtw49 CGLSBcOv2s9yHBPUETMsJTiSf4hlru+DTFxDPsQb+rUj3tG1SZLDV/vw970YPAcwhMk7 ACktF1dudFCmRhFoEeZx2Ys5LqEdK5dYoRlrpX//aa5aDpSqhFJUxGUYslOHF5tx9e12 ahAzGNsPhuPv4k4ygLtLXki/tUB6OUJoIb+fORC5iO8VN/G5meHWngb6qP0ZkX725HEN K6JQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=fMFpkRiIG5yQTJxTfmszm6aKJYih5ijTadwN5lV89tE=; b=hwfHrrVPw1V9wkM7BDY9cLGic38LqrBBoj5DhXtvP30Z+xZ82zGUFGwzQ1eWjdQVE7 m8xwUsc/oULRJw3KAtjSGS37AIdB2ytmxf/CnBFBva2bHT1XfiavFUqOa3gFgGScAz2d MmlH/EpBw1VP6udm2GUGhr6zEpCB08MAWhC9Bvn73eC59QSHmT/HOlbtFlSh3YICO50y VbEB9NXqDub3Vxvj02FnTRMPeGxAqyYT/Hto1yvxbscxMdSYDOJglb+57k8aWy+vIEEh hTtcNwJqjK5HE7zv2uiE5exWOZxgTA8mNKzju4G4NKtLqIQ/ZaShtgPWTIz3jegnQyQs HulA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=DQRhVrgG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id bo16si6680678edb.537.2020.05.18.10.45.43; Mon, 18 May 2020 10:46:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=DQRhVrgG; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1729568AbgERRnX (ORCPT + 99 others); Mon, 18 May 2020 13:43:23 -0400 Received: from mail.kernel.org ([198.145.29.99]:40734 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729552AbgERRnS (ORCPT ); Mon, 18 May 2020 13:43:18 -0400 Received: from localhost (83-86-89-107.cable.dynamic.v4.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id DF27220835; Mon, 18 May 2020 17:43:17 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1589823798; bh=R5QK326AH5inWhvKfzZwcHD32UTKHTovUyeZHJAtRzg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=DQRhVrgGl9+Hga66EN/rCwzPRE9GYz8tAstC/1DWQqDMxDKtngmlPSwUo9eUsPsBa eH2FjnEE/S9Y5TTPXN66YC3+h/9WWucNwf1XxihIjQtlIhgeovok4vmWOaqP1nJlC0 xenHFYlGjvLJ20A0SM00HHI3/l1GBhKWylTLeS8k= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+c8a8197c8852f566b9d9@syzkaller.appspotmail.com, syzbot+40b71e145e73f78f81ad@syzkaller.appspotmail.com, Hugh Dickins , Andrew Morton , Yang Shi , Linus Torvalds , Sasha Levin Subject: [PATCH 4.9 41/90] shmem: fix possible deadlocks on shmlock_user_lock Date: Mon, 18 May 2020 19:36:19 +0200 Message-Id: <20200518173459.560223961@linuxfoundation.org> X-Mailer: git-send-email 2.26.2 In-Reply-To: <20200518173450.930655662@linuxfoundation.org> References: <20200518173450.930655662@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Hugh Dickins [ Upstream commit ea0dfeb4209b4eab954d6e00ed136bc6b48b380d ] Recent commit 71725ed10c40 ("mm: huge tmpfs: try to split_huge_page() when punching hole") has allowed syzkaller to probe deeper, uncovering a long-standing lockdep issue between the irq-unsafe shmlock_user_lock, the irq-safe xa_lock on mapping->i_pages, and shmem inode's info->lock which nests inside xa_lock (or tree_lock) since 4.8's shmem_uncharge(). user_shm_lock(), servicing SysV shmctl(SHM_LOCK), wants shmlock_user_lock while its caller shmem_lock() holds info->lock with interrupts disabled; but hugetlbfs_file_setup() calls user_shm_lock() with interrupts enabled, and might be interrupted by a writeback endio wanting xa_lock on i_pages. This may not risk an actual deadlock, since shmem inodes do not take part in writeback accounting, but there are several easy ways to avoid it. Requiring interrupts disabled for shmlock_user_lock would be easy, but it's a high-level global lock for which that seems inappropriate. Instead, recall that the use of info->lock to guard info->flags in shmem_lock() dates from pre-3.1 days, when races with SHMEM_PAGEIN and SHMEM_TRUNCATE could occur: nowadays it serves no purpose, the only flag added or removed is VM_LOCKED itself, and calls to shmem_lock() an inode are already serialized by the caller. Take info->lock out of the chain and the possibility of deadlock or lockdep warning goes away. Fixes: 4595ef88d136 ("shmem: make shmem_inode_info::lock irq-safe") Reported-by: syzbot+c8a8197c8852f566b9d9@syzkaller.appspotmail.com Reported-by: syzbot+40b71e145e73f78f81ad@syzkaller.appspotmail.com Signed-off-by: Hugh Dickins Signed-off-by: Andrew Morton Acked-by: Yang Shi Cc: Yang Shi Link: http://lkml.kernel.org/r/alpine.LSU.2.11.2004161707410.16322@eggly.anvils Link: https://lore.kernel.org/lkml/000000000000e5838c05a3152f53@google.com/ Link: https://lore.kernel.org/lkml/0000000000003712b305a331d3b1@google.com/ Signed-off-by: Linus Torvalds Signed-off-by: Sasha Levin --- mm/shmem.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/mm/shmem.c b/mm/shmem.c index 90ccbb35458bd..31b0c09fe6c60 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2082,7 +2082,11 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user) struct shmem_inode_info *info = SHMEM_I(inode); int retval = -ENOMEM; - spin_lock_irq(&info->lock); + /* + * What serializes the accesses to info->flags? + * ipc_lock_object() when called from shmctl_do_lock(), + * no serialization needed when called from shm_destroy(). + */ if (lock && !(info->flags & VM_LOCKED)) { if (!user_shm_lock(inode->i_size, user)) goto out_nomem; @@ -2097,7 +2101,6 @@ int shmem_lock(struct file *file, int lock, struct user_struct *user) retval = 0; out_nomem: - spin_unlock_irq(&info->lock); return retval; } -- 2.20.1