From: Andrew Morton <akpm@linux-foundation.org>
To: Christian Brauner <brauner@kernel.org>
Cc: Thomas Graf <tgraf@suug.ch>,
Herbert Xu <herbert@gondor.apana.org.au>,
Vlastimil Babka <vbabka@kernel.org>,
Lorenzo Stoakes <ljs@kernel.org>,
David Hildenbrand <david@kernel.org>,
Suren Baghdasaryan <surenb@google.com>,
Michal Hocko <mhocko@suse.com>,
linux-kernel@vger.kernel.org, linux-mm@kvack.org,
linux-fsdevel@vger.kernel.org,
syzbot+5af806780f38a5fe691f@syzkaller.appspotmail.com,
"Uladzislau Rezki (Sony)" <urezki@gmail.com>
Subject: Re: [PATCH] rhashtable: give each instance its own lockdep class
Date: Mon, 27 Apr 2026 04:31:49 -0700 [thread overview]
Message-ID: <20260427043149.e8fe46494d92d561175861ca@linux-foundation.org> (raw)
In-Reply-To: <20260427-work-rhashtable-lockdep-v1-1-f69e8bd91cb2@kernel.org>
On Mon, 27 Apr 2026 13:09:57 +0200 Christian Brauner <brauner@kernel.org> wrote:
> syzbot reported a possible circular locking dependency between
> &ht->mutex and fs_reclaim:
>
> CPU0 (kswapd0) CPU1 (kworker)
> -------------- --------------
> fs_reclaim ht->mutex
> shmem_evict_inode rhashtable_rehash_alloc
> simple_xattrs_free bucket_table_alloc(GFP_KERNEL)
> rhashtable_free_and_destroy __kvmalloc_node
> mutex_lock(&ht->mutex) might_alloc -> fs_reclaim
>
> The two halves of the splat refer to two different events on
> &ht->mutex.
>
> The kswapd0 path is unambiguous: shmem_evict_inode at mm/shmem.c:1429
> calls simple_xattrs_free(), which calls rhashtable_free_and_destroy()
> on the per-inode simple_xattrs rhashtable being torn down with the
> inode.
>
> The previously-recorded ht->mutex -> fs_reclaim edge comes from
> rht_deferred_worker -> rhashtable_rehash_alloc ->
> bucket_table_alloc(GFP_KERNEL) -> __kvmalloc_node ->
> might_alloc -> fs_reclaim. That stack stops at generic library code:
> there is no subsystem-specific frame above rht_deferred_worker, so
> the splat does not identify which rhashtable's worker recorded the
> edge -- only that some rhashtable in the system did.
>
> Whether or not that recording happened on the same simple_xattrs ht
> that is now being destroyed, the predicted deadlock cannot occur:
> rhashtable_free_and_destroy() does cancel_work_sync(&ht->run_work)
> before taking ht->mutex, so the deferred worker cannot be running on
> the instance being torn down. If the recording was on a different
> rhashtable instance, the two ht->mutex acquisitions are on distinct
> mutex objects and cannot deadlock either.
>
> Lockdep flags a cycle regardless because mutex_init(&ht->mutex) lives
> on a single source line in rhashtable_init_noprof(), so every
> ht->mutex in the kernel shares one static lockdep class. Lockdep
> matches by class, not by instance, and collapses all of these into
> one node.
>
> Lift the lockdep key out of rhashtable_init_noprof() and into the
> caller. The user-visible rhashtable_init_noprof() /
> rhltable_init_noprof() identifiers become macros that declare a
> per-call-site static lock_class_key.
>
> Reported-by: syzbot+5af806780f38a5fe691f@syzkaller.appspotmail.com
> Closes: https://lore.kernel.org/69e798fe.050a0220.24bfd3.0032.GAE@google.com
Thanks.
Is this related to https://lore.kernel.org/202604211323.fac1b29e-lkp@intel.com
Are we able to identify a Fixes: target?
In the above-linked thread Herbert had
Fixes: c6307674ed82 ("mm: kvmalloc: add non-blocking support for vmalloc")
next prev parent reply other threads:[~2026-04-27 11:31 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-04-27 11:09 [PATCH] rhashtable: give each instance its own lockdep class Christian Brauner
2026-04-27 11:29 ` Herbert Xu
2026-04-27 12:21 ` Christian Brauner
2026-04-27 12:51 ` Mikhail Gavrilov
2026-04-27 11:31 ` Andrew Morton [this message]
2026-04-27 11:34 ` Herbert Xu
2026-04-27 13:01 ` Michal Hocko
2026-04-29 8:27 ` kernel test robot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260427043149.e8fe46494d92d561175861ca@linux-foundation.org \
--to=akpm@linux-foundation.org \
--cc=brauner@kernel.org \
--cc=david@kernel.org \
--cc=herbert@gondor.apana.org.au \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=ljs@kernel.org \
--cc=mhocko@suse.com \
--cc=surenb@google.com \
--cc=syzbot+5af806780f38a5fe691f@syzkaller.appspotmail.com \
--cc=tgraf@suug.ch \
--cc=urezki@gmail.com \
--cc=vbabka@kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.