From: syzbot <syzbot+c8461425abb63bfd3445@syzkaller.appspotmail.com>
To: akpm@linux-foundation.org, david@kernel.org, jgg@ziepe.ca,
jhubbard@nvidia.com, linux-kernel@vger.kernel.org,
linux-mm@kvack.org, peterx@redhat.com,
syzkaller-bugs@googlegroups.com
Subject: [syzbot] [mm?] possible deadlock in gup_fast_fallback (2)
Date: Thu, 05 Feb 2026 13:44:33 -0800 [thread overview]
Message-ID: <69850f41.a00a0220.34fa92.001d.GAE@google.com> (raw)
Hello,
syzbot found the following issue on:
HEAD commit: f14faaf3a1fb Merge tag 'tsm-fixes-for-6.19' of git://git.k..
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=10928a52580000
kernel config: https://syzkaller.appspot.com/x/.config?x=4aae00ac5a9d2645
dashboard link: https://syzkaller.appspot.com/bug?extid=c8461425abb63bfd3445
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=17078a5a580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=14df4b22580000
Downloadable assets:
disk image (non-bootable): https://storage.googleapis.com/syzbot-assets/d900f083ada3/non_bootable_disk-f14faaf3.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/2fe7f2219e97/vmlinux-f14faaf3.xz
kernel image: https://storage.googleapis.com/syzbot-assets/b1acb6ecfb89/bzImage-f14faaf3.xz
mounted in repro: https://storage.googleapis.com/syzbot-assets/c52bcc06e784/mount_0.gz
fsck result: failed (log: https://syzkaller.appspot.com/x/fsck.log?x=13a5c7fa580000)
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c8461425abb63bfd3445@syzkaller.appspotmail.com
loop0: detected capacity change from 0 to 32768
XFS (loop0): Mounting V5 Filesystem bfdc47fc-10d8-4eed-a562-11a831b3f791
XFS (loop0): Ending clean mount
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/5488 is trying to acquire lock:
ffff888044e06540 (&mm->mmap_lock){++++}-{4:4}, at: gup_fast_fallback+0x20d/0x22e0 mm/gup.c:3204
but task is already holding lock:
ffff8880467da130 (&sb->s_type->i_mutex_key#24){++++}-{4:4}, at: xfs_ilock_demote+0xbd/0x290 fs/xfs/xfs_inode.c:285
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&sb->s_type->i_mutex_key#24){++++}-{4:4}:
down_read_nested+0x49/0x2e0 kernel/locking/rwsem.c:1662
xfs_ilock+0x109/0x360 fs/xfs/xfs_inode.c:152
xfs_ilock_iocb fs/xfs/xfs_file.c:195 [inline]
xfs_file_buffered_read+0x15b/0x330 fs/xfs/xfs_file.c:284
xfs_file_read_iter+0x280/0x510 fs/xfs/xfs_file.c:312
__kernel_read+0x504/0x9b0 fs/read_write.c:530
freader_fetch+0x1cb/0xa00 lib/buildid.c:100
__build_id_parse+0x168/0x870 lib/buildid.c:297
do_procmap_query fs/proc/task_mmu.c:733 [inline]
procfs_procmap_ioctl+0x7ae/0xd50 fs/proc/task_mmu.c:813
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (vm_lock){++++}-{0:0}:
__vma_enter_locked+0x243/0x710 mm/mmap_lock.c:72
__vma_start_write+0x23/0x140 mm/mmap_lock.c:104
vma_start_write include/linux/mmap_lock.h:213 [inline]
mprotect_fixup+0x5e1/0xa50 mm/mprotect.c:768
setup_arg_pages+0x565/0xae0 fs/exec.c:670
load_elf_binary+0xc5e/0x2980 fs/binfmt_elf.c:1028
search_binary_handler fs/exec.c:1669 [inline]
exec_binprm fs/exec.c:1701 [inline]
bprm_execve+0x93d/0x1410 fs/exec.c:1753
kernel_execve+0x8ef/0x9e0 fs/exec.c:1919
try_to_run_init_process+0x13/0x60 init/main.c:1506
kernel_init+0xad/0x1d0 init/main.c:1634
ret_from_fork+0x51b/0xa40 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:246
-> #0 (&mm->mmap_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
gup_fast_fallback+0x226/0x22e0 mm/gup.c:3204
iov_iter_extract_user_pages lib/iov_iter.c:1763 [inline]
iov_iter_extract_pages+0x37b/0x5f0 lib/iov_iter.c:1826
__bio_iov_iter_get_pages block/bio.c:1237 [inline]
bio_iov_iter_get_pages+0x4a8/0x14b0 block/bio.c:1359
iomap_dio_bio_iter+0xcb3/0x14d0 fs/iomap/direct-io.c:460
iomap_dio_iter fs/iomap/direct-io.c:-1 [inline]
__iomap_dio_rw+0xf57/0x1e10 fs/iomap/direct-io.c:753
iomap_dio_rw+0x45/0xb0 fs/iomap/direct-io.c:847
xfs_file_dio_write_aligned+0x36a/0x450 fs/xfs/xfs_file.c:707
xfs_file_dio_write fs/xfs/xfs_file.c:910 [inline]
xfs_file_write_iter+0x7dd/0x920 fs/xfs/xfs_file.c:1122
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x61d/0xb90 fs/read_write.c:686
ksys_write+0x150/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&mm->mmap_lock --> vm_lock --> &sb->s_type->i_mutex_key#24
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(&sb->s_type->i_mutex_key#24);
lock(vm_lock);
lock(&sb->s_type->i_mutex_key#24);
rlock(&mm->mmap_lock);
*** DEADLOCK ***
2 locks held by syz.0.17/5488:
#0: ffff888031ac6420 (sb_writers#12){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2683 [inline]
#0: ffff888031ac6420 (sb_writers#12){.+.+}-{0:0}, at: vfs_write+0x227/0xb90 fs/read_write.c:682
#1: ffff8880467da130 (&sb->s_type->i_mutex_key#24){++++}-{4:4}, at: xfs_ilock_demote+0xbd/0x290 fs/xfs/xfs_inode.c:285
stack backtrace:
CPU: 0 UID: 0 PID: 5488 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.16.3-debian-1.16.3-2 04/01/2014
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0x106/0x330 kernel/locking/lockdep.c:5868
gup_fast_fallback+0x226/0x22e0 mm/gup.c:3204
iov_iter_extract_user_pages lib/iov_iter.c:1763 [inline]
iov_iter_extract_pages+0x37b/0x5f0 lib/iov_iter.c:1826
__bio_iov_iter_get_pages block/bio.c:1237 [inline]
bio_iov_iter_get_pages+0x4a8/0x14b0 block/bio.c:1359
iomap_dio_bio_iter+0xcb3/0x14d0 fs/iomap/direct-io.c:460
iomap_dio_iter fs/iomap/direct-io.c:-1 [inline]
__iomap_dio_rw+0xf57/0x1e10 fs/iomap/direct-io.c:753
iomap_dio_rw+0x45/0xb0 fs/iomap/direct-io.c:847
xfs_file_dio_write_aligned+0x36a/0x450 fs/xfs/xfs_file.c:707
xfs_file_dio_write fs/xfs/xfs_file.c:910 [inline]
xfs_file_write_iter+0x7dd/0x920 fs/xfs/xfs_file.c:1122
new_sync_write fs/read_write.c:593 [inline]
vfs_write+0x61d/0xb90 fs/read_write.c:686
ksys_write+0x150/0x270 fs/read_write.c:738
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0xe2/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f85b679aeb9
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffd910b1588 EFLAGS: 00000246 ORIG_RAX: 0000000000000001
RAX: ffffffffffffffda RBX: 00007f85b6a15fa0 RCX: 00007f85b679aeb9
RDX: 000000000000f000 RSI: 0000200000000200 RDI: 0000000000000007
RBP: 00007f85b6808c1f R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f85b6a15fac R14: 00007f85b6a15fa0 R15: 00007f85b6a15fa0
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
next reply other threads:[~2026-02-05 21:44 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-02-05 21:44 syzbot [this message]
2026-02-05 22:05 ` [syzbot] [mm?] possible deadlock in gup_fast_fallback (2) John Hubbard
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=69850f41.a00a0220.34fa92.001d.GAE@google.com \
--to=syzbot+c8461425abb63bfd3445@syzkaller.appspotmail.com \
--cc=akpm@linux-foundation.org \
--cc=david@kernel.org \
--cc=jgg@ziepe.ca \
--cc=jhubbard@nvidia.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-mm@kvack.org \
--cc=peterx@redhat.com \
--cc=syzkaller-bugs@googlegroups.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.