From: syzbot <syzbot+c473aa669b5e8a6f48d2@syzkaller.appspotmail.com>
To: eadavis@qq.com, linux-kernel@vger.kernel.org,
syzkaller-bugs@googlegroups.com
Subject: Re: [syzbot] [mm?] possible deadlock in mfill_get_vma
Date: Sun, 15 Mar 2026 19:20:03 -0700 [thread overview]
Message-ID: <69b768d3.050a0220.12d28.015b.GAE@google.com> (raw)
In-Reply-To: <tencent_A9BA55BB8A33E19E171B234BD91BFC25A208@qq.com>
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: bad unlock balance in mfill_get_vma
=====================================
WARNING: bad unlock balance detected!
syzkaller #0 Not tainted
-------------------------------------
syz.0.17/6492 is trying to release lock (&mm->mmap_lock) at:
[<ffffffff823cd29e>] mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
[<ffffffff823cd29e>] mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
but there are no more locks to release!
other info that might help us debug this:
1 lock held by syz.0.17/6492:
#0: ffff888077c73948 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
stack backtrace:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_unlock_imbalance_bug+0xdc/0xf0 kernel/locking/lockdep.c:5298
__lock_release kernel/locking/lockdep.c:5537 [inline]
lock_release+0x248/0x3d0 kernel/locking/lockdep.c:5889
up_read+0x16/0x20 kernel/locking/rwsem.c:1670
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
mfill_atomic mm/userfaultfd.c:901 [inline]
mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ea8f9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ea9e4f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f2ea9032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2ea9216038 R14: 00007f2ea9215fa0 R15: 00007ffc924a90f8
</TASK>
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(!is_rwsem_reader_owned(sem)): count = 0x0, magic = 0xffff888034691bd0, owner = 0x0, curr 0xffff888035dfdb80, list not empty
WARNING: kernel/locking/rwsem.c:1384 at __up_read+0x52e/0x6b0 kernel/locking/rwsem.c:1384, CPU#1: syz.0.17/6492
Modules linked in:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__up_read+0x614/0x6b0 kernel/locking/rwsem.c:1384
Code: f4 ec 8b 49 c7 c2 e0 f3 ec 8b 4c 0f 44 d0 48 8b 7c 24 28 48 c7 c6 a0 f3 ec 8b 48 89 da 48 8b 4c 24 20 4d 89 f0 4d 89 f9 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 5e 1f 15 03 4c 8b 7c 24 18 e9 38 fb
RSP: 0018:ffffc90003127698 EFLAGS: 00010246
RAX: ffffffff8becf400 RBX: 0000000000000000 RCX: ffff888034691bd0
RDX: 0000000000000000 RSI: ffffffff8becf3a0 RDI: ffffffff90579f30
RBP: ffffc90003127768 R08: 0000000000000000 R09: ffff888035dfdb80
R10: ffffffff8becf400 R11: ffffed10068d237c R12: ffff888034691c28
R13: 1ffff92000624edc R14: 0000000000000000 R15: ffff888035dfdb80
FS: 00007f2ea9e4f6c0(0000) GS:ffff888124ee0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2ea904eddd CR3: 0000000079298000 CR4: 00000000003526f0
Call Trace:
<TASK>
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
mfill_atomic mm/userfaultfd.c:901 [inline]
mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ea8f9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ea9e4f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f2ea9032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2ea9216038 R14: 00007f2ea9215fa0 R15: 00007ffc924a90f8
</TASK>
----------------
Code disassembly (best guess), 3 bytes skipped:
0: 49 c7 c2 e0 f3 ec 8b mov $0xffffffff8becf3e0,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 28 mov 0x28(%rsp),%rdi
10: 48 c7 c6 a0 f3 ec 8b mov $0xffffffff8becf3a0,%rsi
17: 48 89 da mov %rbx,%rdx
1a: 48 8b 4c 24 20 mov 0x20(%rsp),%rcx
1f: 4d 89 f0 mov %r14,%r8
22: 4d 89 f9 mov %r15,%r9
25: 41 52 push %r10
* 27: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2c: 48 83 c4 08 add $0x8,%rsp
30: e8 5e 1f 15 03 call 0x3151f93
35: 4c 8b 7c 24 18 mov 0x18(%rsp),%r15
3a: e9 .byte 0xe9
3b: 38 fb cmp %bh,%bl
Tested on:
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=138bdd52580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15c078da580000
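The report above shows mmap_read_unlock() being reached from mfill_get_vma() while the only lock lockdep records for the task is the per-VMA lock taken in lock_vma_under_rcu(), so the release path does not match the acquire path. As an added illustration that is not syzbot's output or the kernel's code, here is a self-contained user-space C model of that two-mode lookup (try the per-VMA read lock first, fall back to the mmap_lock read lock) with a minimal lockdep-style tracker. It shows the buggy shape, where the error path always calls mmap_read_unlock(), beside a version that releases whatever was actually taken. All function, struct and scenario names are hypothetical stand-ins for the kernel's, and the rwsem and per-VMA lock internals are reduced to reader counters.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>

/* Hypothetical user-space model, not kernel code: a VMA can be pinned either
 * by the per-VMA read lock (lock_vma_under_rcu) or by the mm-wide mmap_lock
 * read lock as fallback. Names mirror the kernel's; bodies are stand-ins. */
enum lock_class { LOCK_NONE = 0, LOCK_MMAP_READ, LOCK_VMA_READ };

struct vma {
    unsigned long start, end;
    bool uffd_registered;   /* stands in for the VM_UFFD_* flag check */
    int vm_lock_readers;    /* per-VMA lock reader count */
};

struct mm {
    bool per_vma_lock_ok;   /* whether the lockless fast path is available */
    int mmap_lock_readers;  /* mmap_lock (rwsem) reader count */
    struct vma vmas[2];
    int nr_vmas;
};

/* Minimal lockdep-style tracker: one held lock per task, plus a counter of
 * releases that don't match the acquire ("bad unlock balance"). */
static struct { enum lock_class cls; struct vma *vma; } held;
static int bad_unlock_count;

static void lock_acquire(enum lock_class cls, struct vma *v) { held.cls = cls; held.vma = v; }
static void lock_release(enum lock_class cls, struct vma *v)
{
    if (held.cls != cls || held.vma != v) { bad_unlock_count++; return; }
    held.cls = LOCK_NONE; held.vma = NULL;
}

static struct vma *find_vma(struct mm *mm, unsigned long addr)
{
    for (int i = 0; i < mm->nr_vmas; i++)
        if (addr >= mm->vmas[i].start && addr < mm->vmas[i].end) return &mm->vmas[i];
    return NULL;
}
static struct vma *lock_vma_under_rcu(struct mm *mm, unsigned long addr)
{
    struct vma *v = mm->per_vma_lock_ok ? find_vma(mm, addr) : NULL;
    if (v) { v->vm_lock_readers++; lock_acquire(LOCK_VMA_READ, v); }
    return v;
}
static void vma_end_read(struct vma *v) { v->vm_lock_readers--; lock_release(LOCK_VMA_READ, v); }
static void mmap_read_lock(struct mm *mm) { mm->mmap_lock_readers++; lock_acquire(LOCK_MMAP_READ, NULL); }
static void mmap_read_unlock(struct mm *mm) { mm->mmap_lock_readers--; lock_release(LOCK_MMAP_READ, NULL); }

/* Buggy shape: the error path assumes mmap_lock was taken, even when the VMA
 * came from the per-VMA fast path, so it releases a lock it never acquired. */
static int mfill_get_vma_buggy(struct mm *mm, unsigned long addr, struct vma **out)
{
    struct vma *v = lock_vma_under_rcu(mm, addr);
    if (!v) { mmap_read_lock(mm); v = find_vma(mm, addr); }
    if (!v || !v->uffd_registered) { mmap_read_unlock(mm); return -ENOENT; }
    *out = v;
    return 0;
}

/* Fixed shape: record which lock was taken, undo exactly that one on error,
 * and hand the class back so the caller releases it with mfill_put_vma(). */
static int mfill_get_vma_fixed(struct mm *mm, unsigned long addr,
                               struct vma **out, enum lock_class *cls)
{
    struct vma *v = lock_vma_under_rcu(mm, addr);
    *cls = v ? LOCK_VMA_READ : LOCK_MMAP_READ;
    if (!v) { mmap_read_lock(mm); v = find_vma(mm, addr); }
    if (!v || !v->uffd_registered) {
        if (*cls == LOCK_VMA_READ) vma_end_read(v); else mmap_read_unlock(mm);
        *cls = LOCK_NONE;
        return -ENOENT;
    }
    *out = v;
    return 0;
}
static void mfill_put_vma(struct mm *mm, struct vma *v, enum lock_class cls)
{
    if (cls == LOCK_VMA_READ) vma_end_read(v); else mmap_read_unlock(mm);
}

/* Constructed scenarios: one VMA at [0x1000, 0x2000). Each returns the number
 * of bad unlocks seen and leaves the final reader counts in the globals. */
int last_mmap_readers, last_vma_readers;
static struct mm make_mm(bool per_vma, bool registered)
{
    struct mm mm = { .per_vma_lock_ok = per_vma, .nr_vmas = 1 };
    mm.vmas[0] = (struct vma){ .start = 0x1000, .end = 0x2000, .uffd_registered = registered };
    held.cls = LOCK_NONE; held.vma = NULL; bad_unlock_count = 0;
    return mm;
}
static int finish(struct mm *mm)
{
    last_mmap_readers = mm->mmap_lock_readers;
    last_vma_readers = mm->vmas[0].vm_lock_readers;
    return bad_unlock_count;
}

int run_buggy_fastpath_unregistered(void)   /* fast path hits a non-uffd VMA */
{
    struct mm mm = make_mm(true, false); struct vma *v = NULL;
    return mfill_get_vma_buggy(&mm, 0x1000, &v) == -ENOENT ? finish(&mm) : -1;
}
int run_fixed_fastpath_unregistered(void)
{
    struct mm mm = make_mm(true, false); struct vma *v = NULL; enum lock_class cls;
    return mfill_get_vma_fixed(&mm, 0x1000, &v, &cls) == -ENOENT ? finish(&mm) : -1;
}
int run_fixed_fallback_registered(void)     /* fallback path, full get/put cycle */
{
    struct mm mm = make_mm(false, true); struct vma *v = NULL; enum lock_class cls;
    if (mfill_get_vma_fixed(&mm, 0x1800, &v, &cls) || cls != LOCK_MMAP_READ) return -1;
    mfill_put_vma(&mm, v, cls);
    return finish(&mm);
}
```

In the buggy scenario the tracker flags one unmatched release, the model's mmap_lock reader count goes negative and the per-VMA reader count stays at one, which is the same pair of symptoms the report shows as "bad unlock balance" on mmap_lock with vm_lock still held. The fixed scenarios end with both counts at zero. The practical check when reviewing a patch to code like this is to trace every early return and confirm it releases exactly the lock the successful path would hand to the put side.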
Thread overview:
2026-03-15 18:37 [syzbot] [mm?] possible deadlock in mfill_get_vma syzbot
2026-03-16 0:57 ` Edward Adam Davis
2026-03-16 1:35 ` syzbot
2026-03-16 1:19 ` Hillf Danton
2026-03-16 1:56 ` syzbot
2026-03-16 1:49 ` Edward Adam Davis
2026-03-16 2:20 ` syzbot [this message]
2026-03-16 2:21 ` Edward Adam Davis
2026-03-16 3:07 ` syzbot
2026-03-16 3:11 ` [PATCH next] userfaultfd: unassigned vma leads to a potential unreleased locks Edward Adam Davis