From: Lance Yang <lance.yang@linux.dev>
To: akpm@linux-foundation.org
Cc: syzbot+3f5f9a0d292454409ca6@syzkaller.appspotmail.com,
david@redhat.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, muchun.song@linux.dev, osalvador@suse.de,
syzkaller-bugs@googlegroups.com,
Lance Yang <lance.yang@linux.dev>
Subject: [PATCH 1/1] mm/hugetlb: fix possible deadlock in __hugetlb_zap_begin
Date: Mon, 10 Nov 2025 13:14:21 +0800
Message-ID: <20251110051421.29436-1-lance.yang@linux.dev>
From: Lance Yang <lance.yang@linux.dev>
The hugetlb VMA unmap path contains a potential deadlock, as reported
by syzbot. In __hugetlb_zap_begin(), vma_lock is acquired before
i_mmap_lock. This lock ordering conflicts with the page fault path in
hugetlb_fault(), which acquires i_mmap_lock first, establishing the
correct dependency as i_mmap_lock -> vma_lock.

Chain exists of:
  &hugetlbfs_i_mmap_rwsem_key
    --> &hugetlb_fault_mutex_table[i]
    --> &vma_lock->rw_sema

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&vma_lock->rw_sema);
                               lock(&hugetlb_fault_mutex_table[i]);
                               lock(&vma_lock->rw_sema);
  lock(&hugetlbfs_i_mmap_rwsem_key);

Resolve the deadlock by reordering the locks in __hugetlb_zap_begin() to
follow the established i_mmap_lock -> vma_lock order.
Reported-by: syzbot+3f5f9a0d292454409ca6@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/linux-mm/69113a97.a70a0220.22f260.00ca.GAE@google.com/
Signed-off-by: Lance Yang <lance.yang@linux.dev>
---
mm/hugetlb.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/mm/hugetlb.c b/mm/hugetlb.c
index b1f47b87ae65..2719995af18e 100644
--- a/mm/hugetlb.c
+++ b/mm/hugetlb.c
@@ -5327,9 +5327,9 @@ void __hugetlb_zap_begin(struct vm_area_struct *vma,
return;
adjust_range_if_pmd_sharing_possible(vma, start, end);
- hugetlb_vma_lock_write(vma);
if (vma->vm_file)
i_mmap_lock_write(vma->vm_file->f_mapping);
+ hugetlb_vma_lock_write(vma);
}
void __hugetlb_zap_end(struct vm_area_struct *vma,
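Review bot: Moving hugetlb_vma_lock_write(vma) below the i_mmap_lock_write() block at the end of __hugetlb_zap_begin() is only safe if every other path that holds both locks already takes i_mmap_lock before vma_lock, and the diffstat (1 insertion, 1 deletion in mm/hugetlb.c) shows that no other call site was changed. Please audit the remaining users of hugetlb_vma_lock_write() together with i_mmap_lock_write() and state the result in the changelog, since any path left on the old order would now invert against this function. The changelog says hugetlb_fault() takes i_mmap_lock first, but the quoted chain runs through hugetlb_fault_mutex_table[i] and the stack that establishes the i_mmap_rwsem -> fault mutex link is not included, so quoting that part of the report would let readers verify which order is the established one. A short comment above the two lock calls documenting the intended order, and a Fixes: tag naming the commit that introduced the ordering, would also help, as would a note on whether the release order in __hugetlb_zap_end() is meant to stay as it is.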
--
2.49.0
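
The lock-order argument in the changelog above, as an added example that is not part of the original patch and is not the kernel's lockdep code: a minimal dependency-graph check in C that models only the three lock classes and the two chain links quoted in the report, then tests the order __hugetlb_zap_begin() uses before and after the reorder. The names reaches, add_dep and zap_order_ok are hypothetical.

```c
#include <stdio.h>
#include <string.h>

/* Lock classes named in the lockdep report quoted in the changelog. */
enum { I_MMAP_RWSEM, FAULT_MUTEX, VMA_LOCK, NR_LOCKS };

/* dep[a][b] == 1 means: b has been acquired while a was held. */
static int dep[NR_LOCKS][NR_LOCKS];

/* Depth-first search: is 'to' reachable from 'from' along recorded edges? */
static int reaches(int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < NR_LOCKS; n++)
        if (dep[from][n] && !seen[n] && reaches(n, to, seen))
            return 1;
    return 0;
}

/* Record "held -> next"; refuse with -1 if next already leads back to held. */
static int add_dep(int held, int next)
{
    int seen[NR_LOCKS] = {0};

    if (reaches(next, held, seen))
        return -1;              /* would close a cycle: possible deadlock */
    dep[held][next] = 1;
    return 0;
}

/* Hypothetical helper: replay the report's chain, then the zap path's order. */
int zap_order_ok(int patched)
{
    memset(dep, 0, sizeof(dep));
    add_dep(I_MMAP_RWSEM, FAULT_MUTEX);  /* first link of the quoted chain */
    add_dep(FAULT_MUTEX, VMA_LOCK);      /* second link of the quoted chain */
    return patched ? add_dep(I_MMAP_RWSEM, VMA_LOCK) == 0   /* order after the patch */
                   : add_dep(VMA_LOCK, I_MMAP_RWSEM) == 0;  /* order before the patch */
}

int main(void)
{
    printf("pre-patch order consistent:  %d\n", zap_order_ok(0));
    printf("post-patch order consistent: %d\n", zap_order_ok(1));
    return 0;
}
```

The result holds only for the edges quoted in the report; any dependency recorded elsewhere in the kernel would have to be added to the graph before drawing a conclusion about the real lock order.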