From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Mike Kravetz, syzbot+5eee4145df3c15e96625@syzkaller.appspotmail.com, Naoya Horiguchi, Michal Hocko, Hugh Dickins, "Aneesh Kumar K . V", Davidlohr Bueso, Andrew Morton, Linus Torvalds
Subject: [PATCH 5.10 14/63] mm/hugetlb: fix deadlock in hugetlb_cow error path
Date: Mon, 4 Jan 2021 16:57:07 +0100
Message-Id: <20210104155709.506839137@linuxfoundation.org>
In-Reply-To: <20210104155708.800470590@linuxfoundation.org>
References: <20210104155708.800470590@linuxfoundation.org>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Mike Kravetz

commit e7dd91c456a8cdbcd7066997d15e36d14276a949 upstream.

syzbot reported the deadlock here [1].

The issue is in hugetlb cow error handling when there are not enough huge pages for the faulting task which took the original reservation. It is possible that other (child) tasks could have consumed pages associated with the reservation. In this case, we want the task which took the original reservation to succeed. So, we unmap any associated pages in children so that they can be used by the faulting task that owns the reservation.

The unmapping code needs to hold i_mmap_rwsem in write mode. However, due to commit c0d0381ade79 ("hugetlbfs: use i_mmap_rwsem for more pmd sharing synchronization") we are already holding i_mmap_rwsem in read mode when hugetlb_cow is called.

Technically, i_mmap_rwsem does not need to be held in read mode for COW mappings as they can not share pmd's. Modifying the fault code to not take i_mmap_rwsem in read mode for COW (and other non-sharable) mappings is too involved for a stable fix.

Instead, we simply drop the hugetlb_fault_mutex and i_mmap_rwsem before unmapping. This is OK as it is technically not needed. They are reacquired after unmapping as expected by calling code. Since this is done in an uncommon error path, the overhead of dropping and reacquiring mutexes is acceptable.

While making changes, remove redundant BUG_ON after unmap_ref_private.

[1] https://lkml.kernel.org/r/000000000000b73ccc05b5cf8558@google.com

Link: https://lkml.kernel.org/r/4c5781b8-3b00-761e-c0c7-c5edebb6ec1a@oracle.com
Fixes: c0d0381ade79 ("hugetlbfs: use i_mmap_rwsem for more pmd sharing synchronization")
Signed-off-by: Mike Kravetz
Reported-by: syzbot+5eee4145df3c15e96625@syzkaller.appspotmail.com
Cc: Naoya Horiguchi
Cc: Michal Hocko
Cc: Hugh Dickins
Cc: "Aneesh Kumar K . V"
Cc: Davidlohr Bueso
Cc:
Signed-off-by: Andrew Morton
Signed-off-by: Linus Torvalds
Signed-off-by: Greg Kroah-Hartman --- mm/hugetlb.c | 22 +++++++++++++++++++++- 1 file changed, 21 insertions(+), 1 deletion(-) --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -4106,10 +4106,30 @@ retry_avoidcopy: * may get SIGKILLed if it later faults. */ if (outside_reserve) { + struct address_space *mapping = vma->vm_file->f_mapping; + pgoff_t idx; + u32 hash; + put_page(old_page); BUG_ON(huge_pte_none(pte)); + /* + * Drop hugetlb_fault_mutex and i_mmap_rwsem before + * unmapping. unmapping needs to hold i_mmap_rwsem + * in write mode. Dropping i_mmap_rwsem in read mode + * here is OK as COW mappings do not interact with + * PMD sharing. + * + * Reacquire both after unmap operation. + */ + idx = vma_hugecache_offset(h, vma, haddr); + hash = hugetlb_fault_mutex_hash(mapping, idx); + mutex_unlock(&hugetlb_fault_mutex_table[hash]); + i_mmap_unlock_read(mapping); + unmap_ref_private(mm, vma, old_page, haddr); - BUG_ON(huge_pte_none(pte)); + + i_mmap_lock_read(mapping); + mutex_lock(&hugetlb_fault_mutex_table[hash]); spin_lock(ptl); ptep = huge_pte_offset(mm, haddr, huge_page_size(h)); if (likely(ptep &&
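Review bot: once `mutex_unlock(&hugetlb_fault_mutex_table[hash])` and `i_mmap_unlock_read(mapping)` open a window in this hunk, another fault on the same mapping can run before `i_mmap_lock_read(mapping)` and `mutex_lock(...)` are retaken, so the `pte` and `old_page` values read earlier may be stale when `unmap_ref_private(mm, vma, old_page, haddr)` executes, and the only reference still pinning `old_page` at that point is the vma's own mapping, since the explicit reference was released by the `put_page(old_page)` just above. The safety of that depends on the `spin_lock(ptl)` / `huge_pte_offset(mm, haddr, huge_page_size(h))` recheck that follows the reacquire; the new comment block should state that dependency explicitly ("callers must not trust pte/old_page after this point without the recheck below") rather than only noting that COW mappings do not interact with PMD sharing. Also worth one comment line: the reacquire order (`i_mmap_lock_read` first, then the fault mutex) is the lock order the fault path takes, not a mirror of the unlock order, so a future reader does not "fix" it into the reverse sequence.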