LKML Archive mirror
 help / color / mirror / Atom feed
* [syzbot] [mm?] possible deadlock in move_pages
@ 2024-03-19  9:52 syzbot
  2024-03-19 13:37 ` David Hildenbrand
  2024-03-20 10:45 ` Hillf Danton
  0 siblings, 2 replies; 6+ messages in thread
From: syzbot @ 2024-03-19  9:52 UTC (permalink / raw
  To: akpm, linux-kernel, linux-mm, syzkaller-bugs

Hello,

syzbot found the following issue on:

HEAD commit:    e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
git tree:       upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=160dc26e180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ffb854606e658d
dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10f467b9180000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=173b7ac9180000

Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-e5eb28f6.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/a5c7ad05d6b2/vmlinux-e5eb28f6.xz
kernel image: https://storage.googleapis.com/syzbot-assets/531cb1917612/bzImage-e5eb28f6.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+49056626fe41e01f2ba7@syzkaller.appspotmail.com

============================================
WARNING: possible recursive locking detected
6.8.0-syzkaller-09791-ge5eb28f6d1af #0 Not tainted
--------------------------------------------
syz-executor258/5169 is trying to acquire lock:
ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1447 [inline]
ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xbab/0x4970 mm/userfaultfd.c:1583

but task is already holding lock:
ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583

other info that might help us debug this:
 Possible unsafe locking scenario:

       CPU0
       ----
  lock(&vma->vm_lock->lock);
  lock(&vma->vm_lock->lock);

 *** DEADLOCK ***

 May be due to missing lock nesting notation

2 locks held by syz-executor258/5169:
 #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:146 [inline]
 #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1438 [inline]
 #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: move_pages+0x8df/0x4970 mm/userfaultfd.c:1583
 #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
 #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583

stack backtrace:
CPU: 2 PID: 5169 Comm: syz-executor258 Not tainted 6.8.0-syzkaller-09791-ge5eb28f6d1af #0
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
 check_deadlock kernel/locking/lockdep.c:3062 [inline]
 validate_chain kernel/locking/lockdep.c:3856 [inline]
 __lock_acquire+0x20e6/0x3b30 kernel/locking/lockdep.c:5137
 lock_acquire kernel/locking/lockdep.c:5754 [inline]
 lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
 down_read+0x9a/0x330 kernel/locking/rwsem.c:1526
 uffd_move_lock mm/userfaultfd.c:1447 [inline]
 move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
 userfaultfd_move fs/userfaultfd.c:2008 [inline]
 userfaultfd_ioctl+0x5e1/0x60e0 fs/userfaultfd.c:2126
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:904 [inline]
 __se_sys_ioctl fs/ioctl.c:890 [inline]
 __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:890
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x6d/0x75
RIP: 0033:0x7fd48da20329
Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd1244f8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007ffd1244fab8 RCX: 00007fd48da20329
RDX: 00000000200000c0 RSI: 00000000c028aa05 RDI: 0000000000000003
RBP: 00007fd48da93610 R08: 00007ffd1244fab8 R09: 00007ffd1244fab8
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
R13: 00007ffd1244faa8 R14: 0000000000000001 R15: 0000000000000001
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [syzbot] [mm?] possible deadlock in move_pages
  2024-03-19  9:52 [syzbot] [mm?] possible deadlock in move_pages syzbot
@ 2024-03-19 13:37 ` David Hildenbrand
  2024-03-19 17:24   ` Lokesh Gidra
  2024-03-20 10:45 ` Hillf Danton
  1 sibling, 1 reply; 6+ messages in thread
From: David Hildenbrand @ 2024-03-19 13:37 UTC (permalink / raw
  To: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs; +Cc: Lokesh Gidra

On 19.03.24 10:52, syzbot wrote:
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=160dc26e180000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=4ffb854606e658d
> dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
> compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10f467b9180000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=173b7ac9180000
> 
> Downloadable assets:
> disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-e5eb28f6.raw.xz
> vmlinux: https://storage.googleapis.com/syzbot-assets/a5c7ad05d6b2/vmlinux-e5eb28f6.xz
> kernel image: https://storage.googleapis.com/syzbot-assets/531cb1917612/bzImage-e5eb28f6.xz
> 
> IMPORTANT: if you fix the issue, please add the following tag to the commit:
> Reported-by: syzbot+49056626fe41e01f2ba7@syzkaller.appspotmail.com
> 
> ============================================
> WARNING: possible recursive locking detected
> 6.8.0-syzkaller-09791-ge5eb28f6d1af #0 Not tainted
> --------------------------------------------
> syz-executor258/5169 is trying to acquire lock:
> ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1447 [inline]
> ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
> 
> but task is already holding lock:
> ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
> ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
> 
> other info that might help us debug this:
>   Possible unsafe locking scenario:
> 
>         CPU0
>         ----
>    lock(&vma->vm_lock->lock);
>    lock(&vma->vm_lock->lock);
> 
>   *** DEADLOCK ***
> 
>   May be due to missing lock nesting notation
> 
> 2 locks held by syz-executor258/5169:
>   #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:146 [inline]
>   #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1438 [inline]
>   #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: move_pages+0x8df/0x4970 mm/userfaultfd.c:1583
>   #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
>   #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
> 
> stack backtrace:
> CPU: 2 PID: 5169 Comm: syz-executor258 Not tainted 6.8.0-syzkaller-09791-ge5eb28f6d1af #0
> Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> Call Trace:
>   <TASK>
>   __dump_stack lib/dump_stack.c:88 [inline]
>   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
>   check_deadlock kernel/locking/lockdep.c:3062 [inline]
>   validate_chain kernel/locking/lockdep.c:3856 [inline]
>   __lock_acquire+0x20e6/0x3b30 kernel/locking/lockdep.c:5137
>   lock_acquire kernel/locking/lockdep.c:5754 [inline]
>   lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
>   down_read+0x9a/0x330 kernel/locking/rwsem.c:1526
>   uffd_move_lock mm/userfaultfd.c:1447 [inline]
>   move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
>   userfaultfd_move fs/userfaultfd.c:2008 [inline]
>   userfaultfd_ioctl+0x5e1/0x60e0 fs/userfaultfd.c:2126
>   vfs_ioctl fs/ioctl.c:51 [inline]
>   __do_sys_ioctl fs/ioctl.c:904 [inline]
>   __se_sys_ioctl fs/ioctl.c:890 [inline]
>   __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:890
>   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
>   do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
>   entry_SYSCALL_64_after_hwframe+0x6d/0x75
> RIP: 0033:0x7fd48da20329
> Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> RSP: 002b:00007ffd1244f8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> RAX: ffffffffffffffda RBX: 00007ffd1244fab8 RCX: 00007fd48da20329
> RDX: 00000000200000c0 RSI: 00000000c028aa05 RDI: 0000000000000003
> RBP: 00007fd48da93610 R08: 00007ffd1244fab8 R09: 00007ffd1244fab8
> R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> R13: 00007ffd1244faa8 R14: 0000000000000001 R15: 0000000000000001
>   </TASK>
> 
> 
> ---
> This report is generated by a bot. It may contain errors.
> See https://goo.gl/tpsmEJ for more information about syzbot.
> syzbot engineers can be reached at syzkaller@googlegroups.com.
> 
> syzbot will keep track of this issue. See:
> https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> 
> If the report is already addressed, let syzbot know by replying with:
> #syz fix: exact-commit-title
> 
> If you want syzbot to run the reproducer, reply with:
> #syz test: git://repo/address.git branch-or-commit-hash
> If you attach or paste a git patch, syzbot will apply it before testing.
> 
> If you want to overwrite report's subsystems, reply with:
> #syz set subsystems: new-subsystem
> (See the list of subsystem names on the web dashboard)
> 
> If the report is a duplicate of another one, reply with:
> #syz dup: exact-subject-of-another-report
> 
> If you want to undo deduplication, reply with:
> #syz undup
> 

Possibly

commit 867a43a34ff8a38772212045262b2c9b77807ea3
Author: Lokesh Gidra <lokeshgidra@google.com>
Date:   Thu Feb 15 10:27:56 2024 -0800

     userfaultfd: use per-vma locks in userfaultfd operations
     
     All userfaultfd operations, except write-protect, opportunistically use
     per-vma locks to lock vmas.  On failure, attempt again inside mmap_lock
     critical section.
     
     Write-protect operation requires mmap_lock as it iterates over multiple
     vmas.

and

commit 5e4c24a57b0c126686534b5b159a406c5dd02400
Author: Lokesh Gidra <lokeshgidra@google.com>
Date:   Thu Feb 15 10:27:54 2024 -0800

     userfaultfd: protect mmap_changing with rw_sem in userfaulfd_ctx
     
     Increments and loads to mmap_changing are always in mmap_lock critical
     section.  This ensures that if userspace requests event notification for
     non-cooperative operations (e.g.  mremap), userfaultfd operations don't
     occur concurrently.
     
     This can be achieved by using a separate read-write semaphore in
     userfaultfd_ctx such that increments are done in write-mode and loads in
     read-mode, thereby eliminating the dependency on mmap_lock for this
     purpose.
     
     This is a preparatory step before we replace mmap_lock usage with per-vma
     locks in fill/move ioctls.

might responsible.

CCin Lokesh

-- 
Cheers,

David / dhildenb


^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [syzbot] [mm?] possible deadlock in move_pages
  2024-03-19 13:37 ` David Hildenbrand
@ 2024-03-19 17:24   ` Lokesh Gidra
  2024-03-19 23:47     ` Lokesh Gidra
  0 siblings, 1 reply; 6+ messages in thread
From: Lokesh Gidra @ 2024-03-19 17:24 UTC (permalink / raw
  To: David Hildenbrand
  Cc: syzbot, akpm, linux-kernel, linux-mm, syzkaller-bugs,
	Suren Baghdasaryan

On Tue, Mar 19, 2024 at 6:37 AM David Hildenbrand <david@redhat.com> wrote:
>
> On 19.03.24 10:52, syzbot wrote:
> > Hello,
> >
> > syzbot found the following issue on:
> >
> > HEAD commit:    e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
> > git tree:       upstream
> > console output: https://syzkaller.appspot.com/x/log.txt?x=160dc26e180000
> > kernel config:  https://syzkaller.appspot.com/x/.config?x=4ffb854606e658d
> > dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
> > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10f467b9180000
> > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=173b7ac9180000
> >
> > Downloadable assets:
> > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-e5eb28f6.raw.xz
> > vmlinux: https://storage.googleapis.com/syzbot-assets/a5c7ad05d6b2/vmlinux-e5eb28f6.xz
> > kernel image: https://storage.googleapis.com/syzbot-assets/531cb1917612/bzImage-e5eb28f6.xz
> >
> > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > Reported-by: syzbot+49056626fe41e01f2ba7@syzkaller.appspotmail.com
> >
> > ============================================
> > WARNING: possible recursive locking detected
> > 6.8.0-syzkaller-09791-ge5eb28f6d1af #0 Not tainted
> > --------------------------------------------
> > syz-executor258/5169 is trying to acquire lock:
> > ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1447 [inline]
> > ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
> >
> > but task is already holding lock:
> > ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
> > ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
> >
> > other info that might help us debug this:
> >   Possible unsafe locking scenario:
> >
> >         CPU0
> >         ----
> >    lock(&vma->vm_lock->lock);
> >    lock(&vma->vm_lock->lock);
> >
> >   *** DEADLOCK ***
> >
> >   May be due to missing lock nesting notation
> >
> > 2 locks held by syz-executor258/5169:
> >   #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:146 [inline]
> >   #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1438 [inline]
> >   #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: move_pages+0x8df/0x4970 mm/userfaultfd.c:1583
> >   #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
> >   #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
> >
> > stack backtrace:
> > CPU: 2 PID: 5169 Comm: syz-executor258 Not tainted 6.8.0-syzkaller-09791-ge5eb28f6d1af #0
> > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> > Call Trace:
> >   <TASK>
> >   __dump_stack lib/dump_stack.c:88 [inline]
> >   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
> >   check_deadlock kernel/locking/lockdep.c:3062 [inline]
> >   validate_chain kernel/locking/lockdep.c:3856 [inline]
> >   __lock_acquire+0x20e6/0x3b30 kernel/locking/lockdep.c:5137
> >   lock_acquire kernel/locking/lockdep.c:5754 [inline]
> >   lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
> >   down_read+0x9a/0x330 kernel/locking/rwsem.c:1526
> >   uffd_move_lock mm/userfaultfd.c:1447 [inline]
> >   move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
> >   userfaultfd_move fs/userfaultfd.c:2008 [inline]
> >   userfaultfd_ioctl+0x5e1/0x60e0 fs/userfaultfd.c:2126
> >   vfs_ioctl fs/ioctl.c:51 [inline]
> >   __do_sys_ioctl fs/ioctl.c:904 [inline]
> >   __se_sys_ioctl fs/ioctl.c:890 [inline]
> >   __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:890
> >   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> >   do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
> >   entry_SYSCALL_64_after_hwframe+0x6d/0x75
> > RIP: 0033:0x7fd48da20329
> > Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> > RSP: 002b:00007ffd1244f8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> > RAX: ffffffffffffffda RBX: 00007ffd1244fab8 RCX: 00007fd48da20329
> > RDX: 00000000200000c0 RSI: 00000000c028aa05 RDI: 0000000000000003
> > RBP: 00007fd48da93610 R08: 00007ffd1244fab8 R09: 00007ffd1244fab8
> > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> > R13: 00007ffd1244faa8 R14: 0000000000000001 R15: 0000000000000001
> >   </TASK>
> >
> >
> > ---
> > This report is generated by a bot. It may contain errors.
> > See https://goo.gl/tpsmEJ for more information about syzbot.
> > syzbot engineers can be reached at syzkaller@googlegroups.com.
> >
> > syzbot will keep track of this issue. See:
> > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> >
> > If the report is already addressed, let syzbot know by replying with:
> > #syz fix: exact-commit-title
> >
> > If you want syzbot to run the reproducer, reply with:
> > #syz test: git://repo/address.git branch-or-commit-hash
> > If you attach or paste a git patch, syzbot will apply it before testing.
> >
> > If you want to overwrite report's subsystems, reply with:
> > #syz set subsystems: new-subsystem
> > (See the list of subsystem names on the web dashboard)
> >
> > If the report is a duplicate of another one, reply with:
> > #syz dup: exact-subject-of-another-report
> >
> > If you want to undo deduplication, reply with:
> > #syz undup
> >
>
> Possibly
>
> commit 867a43a34ff8a38772212045262b2c9b77807ea3
> Author: Lokesh Gidra <lokeshgidra@google.com>
> Date:   Thu Feb 15 10:27:56 2024 -0800
>
>      userfaultfd: use per-vma locks in userfaultfd operations
>
>      All userfaultfd operations, except write-protect, opportunistically use
>      per-vma locks to lock vmas.  On failure, attempt again inside mmap_lock
>      critical section.
>
>      Write-protect operation requires mmap_lock as it iterates over multiple
>      vmas.
>
> and
>
> commit 5e4c24a57b0c126686534b5b159a406c5dd02400
> Author: Lokesh Gidra <lokeshgidra@google.com>
> Date:   Thu Feb 15 10:27:54 2024 -0800
>
>      userfaultfd: protect mmap_changing with rw_sem in userfaulfd_ctx
>
>      Increments and loads to mmap_changing are always in mmap_lock critical
>      section.  This ensures that if userspace requests event notification for
>      non-cooperative operations (e.g.  mremap), userfaultfd operations don't
>      occur concurrently.
>
>      This can be achieved by using a separate read-write semaphore in
>      userfaultfd_ctx such that increments are done in write-mode and loads in
>      read-mode, thereby eliminating the dependency on mmap_lock for this
>      purpose.
>
>      This is a preparatory step before we replace mmap_lock usage with per-vma
>      locks in fill/move ioctls.
>
> might responsible.
>
> CCin Lokesh

Thanks for looping me in. Taking a look.
>
> --
> Cheers,
>
> David / dhildenb
>

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [syzbot] [mm?] possible deadlock in move_pages
  2024-03-19 17:24   ` Lokesh Gidra
@ 2024-03-19 23:47     ` Lokesh Gidra
  0 siblings, 0 replies; 6+ messages in thread
From: Lokesh Gidra @ 2024-03-19 23:47 UTC (permalink / raw
  To: David Hildenbrand
  Cc: syzbot, linux-kernel, linux-mm, syzkaller-bugs,
	Suren Baghdasaryan, akpm

On Tue, Mar 19, 2024 at 10:24 AM Lokesh Gidra <lokeshgidra@google.com> wrote:
>
> On Tue, Mar 19, 2024 at 6:37 AM David Hildenbrand <david@redhat.com> wrote:
> >
> > On 19.03.24 10:52, syzbot wrote:
> > > Hello,
> > >
> > > syzbot found the following issue on:
> > >
> > > HEAD commit:    e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
> > > git tree:       upstream
> > > console output: https://syzkaller.appspot.com/x/log.txt?x=160dc26e180000
> > > kernel config:  https://syzkaller.appspot.com/x/.config?x=4ffb854606e658d
> > > dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
> > > compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
> > > syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10f467b9180000
> > > C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=173b7ac9180000
> > >
> > > Downloadable assets:
> > > disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/7bc7510fe41f/non_bootable_disk-e5eb28f6.raw.xz
> > > vmlinux: https://storage.googleapis.com/syzbot-assets/a5c7ad05d6b2/vmlinux-e5eb28f6.xz
> > > kernel image: https://storage.googleapis.com/syzbot-assets/531cb1917612/bzImage-e5eb28f6.xz
> > >
> > > IMPORTANT: if you fix the issue, please add the following tag to the commit:
> > > Reported-by: syzbot+49056626fe41e01f2ba7@syzkaller.appspotmail.com
> > >
> > > ============================================
> > > WARNING: possible recursive locking detected
> > > 6.8.0-syzkaller-09791-ge5eb28f6d1af #0 Not tainted
> > > --------------------------------------------
> > > syz-executor258/5169 is trying to acquire lock:
> > > ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1447 [inline]
> > > ffff88802a6d23d0 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
> > >
> > > but task is already holding lock:
> > > ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
> > > ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
> > >
> > > other info that might help us debug this:
> > >   Possible unsafe locking scenario:
> > >
> > >         CPU0
> > >         ----
> > >    lock(&vma->vm_lock->lock);
> > >    lock(&vma->vm_lock->lock);
> > >
> > >   *** DEADLOCK ***
> > >
> > >   May be due to missing lock nesting notation
> > >
> > > 2 locks held by syz-executor258/5169:
> > >   #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: mmap_read_lock include/linux/mmap_lock.h:146 [inline]
> > >   #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1438 [inline]
> > >   #0: ffff888015086a20 (&mm->mmap_lock){++++}-{3:3}, at: move_pages+0x8df/0x4970 mm/userfaultfd.c:1583
> > >   #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: uffd_move_lock mm/userfaultfd.c:1445 [inline]
> > >   #1: ffff88802a6d2580 (&vma->vm_lock->lock){++++}-{3:3}, at: move_pages+0xb6f/0x4970 mm/userfaultfd.c:1583
> > >
> > > stack backtrace:
> > > CPU: 2 PID: 5169 Comm: syz-executor258 Not tainted 6.8.0-syzkaller-09791-ge5eb28f6d1af #0
> > > Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
> > > Call Trace:
> > >   <TASK>
> > >   __dump_stack lib/dump_stack.c:88 [inline]
> > >   dump_stack_lvl+0x116/0x1f0 lib/dump_stack.c:114
> > >   check_deadlock kernel/locking/lockdep.c:3062 [inline]
> > >   validate_chain kernel/locking/lockdep.c:3856 [inline]
> > >   __lock_acquire+0x20e6/0x3b30 kernel/locking/lockdep.c:5137
> > >   lock_acquire kernel/locking/lockdep.c:5754 [inline]
> > >   lock_acquire+0x1b1/0x540 kernel/locking/lockdep.c:5719
> > >   down_read+0x9a/0x330 kernel/locking/rwsem.c:1526
> > >   uffd_move_lock mm/userfaultfd.c:1447 [inline]
> > >   move_pages+0xbab/0x4970 mm/userfaultfd.c:1583
> > >   userfaultfd_move fs/userfaultfd.c:2008 [inline]
> > >   userfaultfd_ioctl+0x5e1/0x60e0 fs/userfaultfd.c:2126
> > >   vfs_ioctl fs/ioctl.c:51 [inline]
> > >   __do_sys_ioctl fs/ioctl.c:904 [inline]
> > >   __se_sys_ioctl fs/ioctl.c:890 [inline]
> > >   __x64_sys_ioctl+0x193/0x220 fs/ioctl.c:890
> > >   do_syscall_x64 arch/x86/entry/common.c:52 [inline]
> > >   do_syscall_64+0xd2/0x260 arch/x86/entry/common.c:83
> > >   entry_SYSCALL_64_after_hwframe+0x6d/0x75
> > > RIP: 0033:0x7fd48da20329
> > > Code: 48 83 c4 28 c3 e8 37 17 00 00 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 b8 ff ff ff f7 d8 64 89 01 48
> > > RSP: 002b:00007ffd1244f8e8 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
> > > RAX: ffffffffffffffda RBX: 00007ffd1244fab8 RCX: 00007fd48da20329
> > > RDX: 00000000200000c0 RSI: 00000000c028aa05 RDI: 0000000000000003
> > > RBP: 00007fd48da93610 R08: 00007ffd1244fab8 R09: 00007ffd1244fab8
> > > R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000001
> > > R13: 00007ffd1244faa8 R14: 0000000000000001 R15: 0000000000000001
> > >   </TASK>
> > >
> > >
> > > ---
> > > This report is generated by a bot. It may contain errors.
> > > See https://goo.gl/tpsmEJ for more information about syzbot.
> > > syzbot engineers can be reached at syzkaller@googlegroups.com.
> > >
> > > syzbot will keep track of this issue. See:
> > > https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
> > >
> > > If the report is already addressed, let syzbot know by replying with:
> > > #syz fix: exact-commit-title
> > >
> > > If you want syzbot to run the reproducer, reply with:
> > > #syz test: git://repo/address.git branch-or-commit-hash
> > > If you attach or paste a git patch, syzbot will apply it before testing.
> > >
> > > If you want to overwrite report's subsystems, reply with:
> > > #syz set subsystems: new-subsystem
> > > (See the list of subsystem names on the web dashboard)
> > >
> > > If the report is a duplicate of another one, reply with:
> > > #syz dup: exact-subject-of-another-report
> > >
> > > If you want to undo deduplication, reply with:
> > > #syz undup
> > >
> >
> > Possibly
> >
> > commit 867a43a34ff8a38772212045262b2c9b77807ea3
> > Author: Lokesh Gidra <lokeshgidra@google.com>
> > Date:   Thu Feb 15 10:27:56 2024 -0800
> >
> >      userfaultfd: use per-vma locks in userfaultfd operations
> >
> >      All userfaultfd operations, except write-protect, opportunistically use
> >      per-vma locks to lock vmas.  On failure, attempt again inside mmap_lock
> >      critical section.
> >
> >      Write-protect operation requires mmap_lock as it iterates over multiple
> >      vmas.
> >
> > and
> >
> > commit 5e4c24a57b0c126686534b5b159a406c5dd02400
> > Author: Lokesh Gidra <lokeshgidra@google.com>
> > Date:   Thu Feb 15 10:27:54 2024 -0800
> >
> >      userfaultfd: protect mmap_changing with rw_sem in userfaulfd_ctx
> >
> >      Increments and loads to mmap_changing are always in mmap_lock critical
> >      section.  This ensures that if userspace requests event notification for
> >      non-cooperative operations (e.g.  mremap), userfaultfd operations don't
> >      occur concurrently.
> >
> >      This can be achieved by using a separate read-write semaphore in
> >      userfaultfd_ctx such that increments are done in write-mode and loads in
> >      read-mode, thereby eliminating the dependency on mmap_lock for this
> >      purpose.
> >
> >      This is a preparatory step before we replace mmap_lock usage with per-vma
> >      locks in fill/move ioctls.
> >
> > might responsible.
> >
I tried reproducing the issue with the provided reproducer locally and
with few additional checks:

down_read(&(*dst_vmap)->vm_lock->lock);
if (*dst_vmap != *src_vmap) {
            BUG_ON((*src_vmap)->vm_lock == (*dst_vmap)->vm_lock);
            BUG_ON(&(*src_vmap)->vm_lock->lock == &(*dst_vmap)->vm_lock->lock);
            BUG_ON(rwsem_is_locked(&(*src_vmap)->vm_lock->lock));
            down_read(&(*src_vmap)->vm_lock->lock);
}

None of the BUG_ONs are causing pani but the following down_read() is
reporting the deadlock as above. Even if I change the if condition to

if (&(*dst_vmap)->vm_lock->lock != &(*src_vmap)->vm_lock->lock)

I still get the deadlock trace. Possibly a bug in lockdep?




> > CCin Lokesh
>
> Thanks for looping me in. Taking a look.
> >
> > --
> > Cheers,
> >
> > David / dhildenb
> >

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [syzbot] [mm?] possible deadlock in move_pages
  2024-03-19  9:52 [syzbot] [mm?] possible deadlock in move_pages syzbot
  2024-03-19 13:37 ` David Hildenbrand
@ 2024-03-20 10:45 ` Hillf Danton
  2024-03-20 11:09   ` syzbot
  1 sibling, 1 reply; 6+ messages in thread
From: Hillf Danton @ 2024-03-20 10:45 UTC (permalink / raw
  To: syzbot; +Cc: linux-kernel, syzkaller-bugs

On Tue, 19 Mar 2024 02:52:16 -0700
> syzbot found the following issue on:
> 
> HEAD commit:    e5eb28f6d1af Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
> git tree:       upstream
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=173b7ac9180000

#syz test https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git  e5eb28f6d1af

--- x/mm/userfaultfd.c
+++ y/mm/userfaultfd.c
@@ -1442,9 +1442,9 @@ static int uffd_move_lock(struct mm_stru
 		 * See comment in lock_vma() as to why not using
 		 * vma_start_read() here.
 		 */
-		down_read(&(*dst_vmap)->vm_lock->lock);
+		down_read_nested(&(*dst_vmap)->vm_lock->lock, 1);
 		if (*dst_vmap != *src_vmap)
-			down_read(&(*src_vmap)->vm_lock->lock);
+			down_read_nested(&(*src_vmap)->vm_lock->lock, 2);
 	}
 	mmap_read_unlock(mm);
 	return err;
--

^ permalink raw reply	[flat|nested] 6+ messages in thread

* Re: [syzbot] [mm?] possible deadlock in move_pages
  2024-03-20 10:45 ` Hillf Danton
@ 2024-03-20 11:09   ` syzbot
  0 siblings, 0 replies; 6+ messages in thread
From: syzbot @ 2024-03-20 11:09 UTC (permalink / raw
  To: hdanton, linux-kernel, syzkaller-bugs

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-and-tested-by: syzbot+49056626fe41e01f2ba7@syzkaller.appspotmail.com

Tested on:

commit:         e5eb28f6 Merge tag 'mm-nonmm-stable-2024-03-14-09-36' ..
git tree:       https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
console output: https://syzkaller.appspot.com/x/log.txt?x=10b7afc1180000
kernel config:  https://syzkaller.appspot.com/x/.config?x=4ffb854606e658d
dashboard link: https://syzkaller.appspot.com/bug?extid=49056626fe41e01f2ba7
compiler:       gcc (Debian 12.2.0-14) 12.2.0, GNU ld (GNU Binutils for Debian) 2.40
patch:          https://syzkaller.appspot.com/x/patch.diff?x=17d44231180000

Note: testing is done by a robot and is best-effort only.

^ permalink raw reply	[flat|nested] 6+ messages in thread

end of thread, other threads:[~2024-03-20 11:09 UTC | newest]

Thread overview: 6+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-03-19  9:52 [syzbot] [mm?] possible deadlock in move_pages syzbot
2024-03-19 13:37 ` David Hildenbrand
2024-03-19 17:24   ` Lokesh Gidra
2024-03-19 23:47     ` Lokesh Gidra
2024-03-20 10:45 ` Hillf Danton
2024-03-20 11:09   ` syzbot

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).