[syzbot] [mm?] possible deadlock in mfill_get_vma

[syzbot] [mm?] possible deadlock in mfill_get_vma

[syzbot]

Hello,

syzbot found the following issue on:

HEAD commit:    b84a0ebe421c Add linux-next specific files for 20260313
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=131ab8da580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=126c98ba580000
C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1644a2d6580000

Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09145161a8a9/disk-b84a0ebe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b64c254e474c/vmlinux-b84a0ebe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a7c33f5f7f45/bzImage-b84a0ebe.xz

IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c473aa669b5e8a6f48d2@syzkaller.appspotmail.com

======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/5990 is trying to acquire lock:
ffff88802caef3b8 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0xaf/0x130 mm/memory.c:7249

but task is already holding lock:
ffff88807cdbccf0 (&ctx->map_changing_lock){.+.+}-{4:4}, at: mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #2 (&ctx->map_changing_lock){.+.+}-{4:4}:
       down_read+0x47/0x2e0 kernel/locking/rwsem.c:1568
       mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226
       mfill_atomic mm/userfaultfd.c:900 [inline]
       mfill_atomic_continue+0x189/0x12c0 mm/userfaultfd.c:974
       userfaultfd_continue fs/userfaultfd.c:1806 [inline]
       userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (vm_lock){++++}-{0:0}:
       __vma_start_exclude_readers+0x28a/0x940 mm/mmap_lock.c:125
       __vma_start_write+0xdc/0x290 mm/mmap_lock.c:148
       vma_start_write include/linux/mmap_lock.h:303 [inline]
       mprotect_fixup+0x5eb/0xa80 mm/mprotect.c:768
       setup_arg_pages+0x565/0xac0 fs/exec.c:670
       load_elf_binary+0xc5e/0x2980 fs/binfmt_elf.c:1029
       search_binary_handler fs/exec.c:1664 [inline]
       exec_binprm fs/exec.c:1696 [inline]
       bprm_execve+0x949/0x1470 fs/exec.c:1748
       kernel_execve+0x844/0x930 fs/exec.c:1892
       try_to_run_init_process+0x13/0x60 init/main.c:1514
       kernel_init+0xad/0x1d0 init/main.c:1642
       ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #0 (&mm->mmap_lock){++++}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain kernel/locking/lockdep.c:3908 [inline]
       __lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
       lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
       __might_fault+0xcb/0x130 mm/memory.c:7249
       userfaultfd_continue fs/userfaultfd.c:1813 [inline]
       userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  &mm->mmap_lock --> vm_lock --> &ctx->map_changing_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  rlock(&ctx->map_changing_lock);
                               lock(vm_lock);
                               lock(&ctx->map_changing_lock);
  rlock(&mm->mmap_lock);

 *** DEADLOCK ***

2 locks held by syz.0.17/5990:
 #0: ffff88807c119d08 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
 #1: ffff88807cdbccf0 (&ctx->map_changing_lock){.+.+}-{4:4}, at: mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226

stack backtrace:
CPU: 0 UID: 0 PID: 5990 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
 check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain kernel/locking/lockdep.c:3908 [inline]
 __lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
 lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
 __might_fault+0xcb/0x130 mm/memory.c:7249
 userfaultfd_continue fs/userfaultfd.c:1813 [inline]
 userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f478759c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc2bbac28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4787815fa0 RCX: 00007f478759c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f4787632c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4787815fac R14: 00007f4787815fa0 R15: 00007f4787815fa0
 </TASK>


---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@googlegroups.com.

syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.

If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title

If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.

If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)

If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report

If you want to undo deduplication, reply with:
#syz undup

Re: [syzbot] [mm?] possible deadlock in mfill_get_vma

[Edward Adam Davis]

#syz test

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 9ffc80d0a51b..ccfadea3dc79 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -197,7 +197,6 @@ static void mfill_put_vma(struct mfill_state *state)
 	if (!state->vma)
 		return;
 
-	up_read(&state->ctx->map_changing_lock);
 	uffd_mfill_unlock(state->vma);
 	state->vma = NULL;
 }
@@ -261,6 +260,7 @@ static int mfill_get_vma(struct mfill_state *state)
 	return 0;
 
 out_unlock:
+	up_read(&state->ctx->map_changing_lock);
 	mfill_put_vma(state);
 	return err;
 }

Re: [syzbot] [mm?] possible deadlock in mfill_get_vma

[Hillf Danton]

> Date: Sun, 15 Mar 2026 11:37:28 -0700	[thread overview]
> Hello,
> 
> syzbot found the following issue on:
> 
> HEAD commit:    b84a0ebe421c Add linux-next specific files for 20260313
> git tree:       linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=131ab8da580000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
> dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
> compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=126c98ba580000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=1644a2d6580000

#syz test

--- x/mm/userfaultfd.c
+++ y/mm/userfaultfd.c
@@ -217,6 +217,7 @@ static int mfill_get_vma(struct mfill_st
 	dst_vma = uffd_mfill_lock(ctx->mm, state->dst_start, state->len);
 	if (IS_ERR(dst_vma))
 		return PTR_ERR(dst_vma);
+	state->vma = dst_vma;
 
 	/*
 	 * If memory mappings are changing because of non-cooperative
--

Re: [syzbot] [mm?] possible deadlock in mfill_get_vma

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in lock_vma_under_rcu

======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/6543 is trying to acquire lock:
ffff8880342d8338 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0xaf/0x130 mm/memory.c:7249

but task is already holding lock:
ffff88802c19fbc8 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310

which lock already depends on the new lock.


the existing dependency chain (in reverse order) is:

-> #1 (vm_lock){++++}-{0:0}:
       __vma_start_exclude_readers+0x28a/0x940 mm/mmap_lock.c:125
       __vma_start_write+0xdc/0x290 mm/mmap_lock.c:148
       vma_start_write include/linux/mmap_lock.h:303 [inline]
       mprotect_fixup+0x5eb/0xa80 mm/mprotect.c:768
       setup_arg_pages+0x565/0xac0 fs/exec.c:670
       load_elf_binary+0xc5e/0x2980 fs/binfmt_elf.c:1029
       search_binary_handler fs/exec.c:1664 [inline]
       exec_binprm fs/exec.c:1696 [inline]
       bprm_execve+0x949/0x1470 fs/exec.c:1748
       kernel_execve+0x844/0x930 fs/exec.c:1892
       try_to_run_init_process+0x13/0x60 init/main.c:1514
       kernel_init+0xad/0x1d0 init/main.c:1642
       ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #0 (&mm->mmap_lock){++++}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain kernel/locking/lockdep.c:3908 [inline]
       __lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
       lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
       __might_fault+0xcb/0x130 mm/memory.c:7249
       userfaultfd_continue fs/userfaultfd.c:1813 [inline]
       userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  rlock(vm_lock);
                               lock(&mm->mmap_lock);
                               lock(vm_lock);
  rlock(&mm->mmap_lock);

 *** DEADLOCK ***

1 lock held by syz.0.17/6543:
 #0: ffff88802c19fbc8 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310

stack backtrace:
CPU: 0 UID: 0 PID: 6543 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
 check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
 check_prev_add kernel/locking/lockdep.c:3165 [inline]
 check_prevs_add kernel/locking/lockdep.c:3284 [inline]
 validate_chain kernel/locking/lockdep.c:3908 [inline]
 __lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
 lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
 __might_fault+0xcb/0x130 mm/memory.c:7249
 userfaultfd_continue fs/userfaultfd.c:1813 [inline]
 userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fab1159c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fab12535028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fab11815fa0 RCX: 00007fab1159c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007fab11632c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fab11816038 R14: 00007fab11815fa0 R15: 00007ffcb27f4f28
 </TASK>


Tested on:

commit:         b84a0ebe Add linux-next specific files for 20260313
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=148f44da580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=130228da580000

Re: [syzbot] [mm?] possible deadlock in mfill_get_vma

[Edward Adam Davis]

#syz test

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 9ffc80d0a51b..7ee4f7b9e299 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -197,7 +197,6 @@ static void mfill_put_vma(struct mfill_state *state)
 	if (!state->vma)
 		return;
 
-	up_read(&state->ctx->map_changing_lock);
 	uffd_mfill_unlock(state->vma);
 	state->vma = NULL;
 }
@@ -261,7 +260,9 @@ static int mfill_get_vma(struct mfill_state *state)
 	return 0;
 
 out_unlock:
-	mfill_put_vma(state);
+	up_read(&state->ctx->map_changing_lock);
+	mmap_read_unlock(dst_vma->vm_mm);
+	state->vma = NULL;
 	return err;
 }
 

Re: [syzbot] [mm?] possible deadlock in mfill_get_vma

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+c473aa669b5e8a6f48d2@syzkaller.appspotmail.com
Tested-by: syzbot+c473aa669b5e8a6f48d2@syzkaller.appspotmail.com

Tested on:

commit:         b84a0ebe Add linux-next specific files for 20260313
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15445602580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=147798ba580000

Note: testing is done by a robot and is best-effort only.

Re: [syzbot] [mm?] possible deadlock in mfill_get_vma

[syzbot]

Hello,

syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: bad unlock balance in mfill_get_vma

=====================================
WARNING: bad unlock balance detected!
syzkaller #0 Not tainted
-------------------------------------
syz.0.17/6492 is trying to release lock (&mm->mmap_lock) at:
[<ffffffff823cd29e>] mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
[<ffffffff823cd29e>] mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
but there are no more locks to release!

other info that might help us debug this:
1 lock held by syz.0.17/6492:
 #0: ffff888077c73948 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310

stack backtrace:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
 <TASK>
 dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
 print_unlock_imbalance_bug+0xdc/0xf0 kernel/locking/lockdep.c:5298
 __lock_release kernel/locking/lockdep.c:5537 [inline]
 lock_release+0x248/0x3d0 kernel/locking/lockdep.c:5889
 up_read+0x16/0x20 kernel/locking/rwsem.c:1670
 mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
 mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
 mfill_atomic mm/userfaultfd.c:901 [inline]
 mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
 userfaultfd_continue fs/userfaultfd.c:1806 [inline]
 userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ea8f9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ea9e4f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f2ea9032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2ea9216038 R14: 00007f2ea9215fa0 R15: 00007ffc924a90f8
 </TASK>
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(!is_rwsem_reader_owned(sem)): count = 0x0, magic = 0xffff888034691bd0, owner = 0x0, curr 0xffff888035dfdb80, list not empty
WARNING: kernel/locking/rwsem.c:1384 at __up_read+0x52e/0x6b0 kernel/locking/rwsem.c:1384, CPU#1: syz.0.17/6492
Modules linked in:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full) 
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__up_read+0x614/0x6b0 kernel/locking/rwsem.c:1384
Code: f4 ec 8b 49 c7 c2 e0 f3 ec 8b 4c 0f 44 d0 48 8b 7c 24 28 48 c7 c6 a0 f3 ec 8b 48 89 da 48 8b 4c 24 20 4d 89 f0 4d 89 f9 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 5e 1f 15 03 4c 8b 7c 24 18 e9 38 fb
RSP: 0018:ffffc90003127698 EFLAGS: 00010246
RAX: ffffffff8becf400 RBX: 0000000000000000 RCX: ffff888034691bd0
RDX: 0000000000000000 RSI: ffffffff8becf3a0 RDI: ffffffff90579f30
RBP: ffffc90003127768 R08: 0000000000000000 R09: ffff888035dfdb80
R10: ffffffff8becf400 R11: ffffed10068d237c R12: ffff888034691c28
R13: 1ffff92000624edc R14: 0000000000000000 R15: ffff888035dfdb80
FS:  00007f2ea9e4f6c0(0000) GS:ffff888124ee0000(0000) knlGS:0000000000000000
CS:  0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2ea904eddd CR3: 0000000079298000 CR4: 00000000003526f0
Call Trace:
 <TASK>
 mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
 mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
 mfill_atomic mm/userfaultfd.c:901 [inline]
 mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
 userfaultfd_continue fs/userfaultfd.c:1806 [inline]
 userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
 vfs_ioctl fs/ioctl.c:51 [inline]
 __do_sys_ioctl fs/ioctl.c:597 [inline]
 __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ea8f9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ea9e4f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f2ea9032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2ea9216038 R14: 00007f2ea9215fa0 R15: 00007ffc924a90f8
 </TASK>
----------------
Code disassembly (best guess), 3 bytes skipped:
   0:	49 c7 c2 e0 f3 ec 8b 	mov    $0xffffffff8becf3e0,%r10
   7:	4c 0f 44 d0          	cmove  %rax,%r10
   b:	48 8b 7c 24 28       	mov    0x28(%rsp),%rdi
  10:	48 c7 c6 a0 f3 ec 8b 	mov    $0xffffffff8becf3a0,%rsi
  17:	48 89 da             	mov    %rbx,%rdx
  1a:	48 8b 4c 24 20       	mov    0x20(%rsp),%rcx
  1f:	4d 89 f0             	mov    %r14,%r8
  22:	4d 89 f9             	mov    %r15,%r9
  25:	41 52                	push   %r10
* 27:	67 48 0f b9 3a       	ud1    (%edx),%rdi <-- trapping instruction
  2c:	48 83 c4 08          	add    $0x8,%rsp
  30:	e8 5e 1f 15 03       	call   0x3151f93
  35:	4c 8b 7c 24 18       	mov    0x18(%rsp),%r15
  3a:	e9                   	.byte 0xe9
  3b:	38 fb                	cmp    %bh,%bl


Tested on:

commit:         b84a0ebe Add linux-next specific files for 20260313
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=138bdd52580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15c078da580000

Re: [syzbot] [mm?] possible deadlock in mfill_get_vma

[Edward Adam Davis]

#syz test

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 9ffc80d0a51b..a3333d5c6454 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -218,6 +218,7 @@ static int mfill_get_vma(struct mfill_state *state)
 	if (IS_ERR(dst_vma))
 		return PTR_ERR(dst_vma);
 
+	state->vma = dst_vma;
 	/*
 	 * If memory mappings are changing because of non-cooperative
 	 * operation (e.g. mremap) running in parallel, bail out and
@@ -257,7 +258,6 @@ static int mfill_get_vma(struct mfill_state *state)
 		goto out_unlock;
 
 out:
-	state->vma = dst_vma;
 	return 0;
 
 out_unlock:

Re: [syzbot] [mm?] possible deadlock in mfill_get_vma

[syzbot]

Hello,

syzbot has tested the proposed patch and the reproducer did not trigger any issue:

Reported-by: syzbot+c473aa669b5e8a6f48d2@syzkaller.appspotmail.com
Tested-by: syzbot+c473aa669b5e8a6f48d2@syzkaller.appspotmail.com

Tested on:

commit:         b84a0ebe Add linux-next specific files for 20260313
git tree:       linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=129ba2d6580000
kernel config:  https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler:       Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch:          https://syzkaller.appspot.com/x/patch.diff?x=15f24216580000

Note: testing is done by a robot and is best-effort only.

[PATCH next] userfaultfd: unassigned vma leads to a potential unreleased locks

[Edward Adam Davis]

A deadlock [1] occurs in mfill_get_vma() because the locks mmap_lock
and map_changing_lock are not released; the failure to release them
properly stems from the assignment of the vma variable occurring at
an inappropriate stage.

Moving the vma assignment operation within mfill_get_vma() to after
the vma has been got.

[1]
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/5990 is trying to acquire lock:
ffff88802caef3b8 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0xaf/0x130 mm/memory.c:7249

but task is already holding lock:
ffff88807cdbccf0 (&ctx->map_changing_lock){.+.+}-{4:4}, at: mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:
-> #2 (&ctx->map_changing_lock){.+.+}-{4:4}:
       down_read+0x47/0x2e0 kernel/locking/rwsem.c:1568
       mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226
       mfill_atomic mm/userfaultfd.c:900 [inline]
       mfill_atomic_continue+0x189/0x12c0 mm/userfaultfd.c:974
       userfaultfd_continue fs/userfaultfd.c:1806 [inline]
       userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

-> #1 (vm_lock){++++}-{0:0}:
       __vma_start_exclude_readers+0x28a/0x940 mm/mmap_lock.c:125
       __vma_start_write+0xdc/0x290 mm/mmap_lock.c:148
       vma_start_write include/linux/mmap_lock.h:303 [inline]
       mprotect_fixup+0x5eb/0xa80 mm/mprotect.c:768
       setup_arg_pages+0x565/0xac0 fs/exec.c:670
       load_elf_binary+0xc5e/0x2980 fs/binfmt_elf.c:1029
       search_binary_handler fs/exec.c:1664 [inline]
       exec_binprm fs/exec.c:1696 [inline]
       bprm_execve+0x949/0x1470 fs/exec.c:1748
       kernel_execve+0x844/0x930 fs/exec.c:1892
       try_to_run_init_process+0x13/0x60 init/main.c:1514
       kernel_init+0xad/0x1d0 init/main.c:1642
       ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
       ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245

-> #0 (&mm->mmap_lock){++++}-{4:4}:
       check_prev_add kernel/locking/lockdep.c:3165 [inline]
       check_prevs_add kernel/locking/lockdep.c:3284 [inline]
       validate_chain kernel/locking/lockdep.c:3908 [inline]
       __lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
       lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
       __might_fault+0xcb/0x130 mm/memory.c:7249
       userfaultfd_continue fs/userfaultfd.c:1813 [inline]
       userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
       vfs_ioctl fs/ioctl.c:51 [inline]
       __do_sys_ioctl fs/ioctl.c:597 [inline]
       __se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
       do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
       do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
       entry_SYSCALL_64_after_hwframe+0x77/0x7f

other info that might help us debug this:

Chain exists of:
  &mm->mmap_lock --> vm_lock --> &ctx->map_changing_lock

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  rlock(&ctx->map_changing_lock);
                               lock(vm_lock);
                               lock(&ctx->map_changing_lock);
  rlock(&mm->mmap_lock);

 *** DEADLOCK ***

Fixes: 7d4d4de3ac3e ("userfaultfd: introduce mfill_get_vma() and mfill_put_vma()")
Reported-by: syzbot+c473aa669b5e8a6f48d2@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
Tested-by: syzbot+c473aa669b5e8a6f48d2@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <eadavis@qq.com>
---
 mm/userfaultfd.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 9ffc80d0a51b..a3333d5c6454 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -218,6 +218,7 @@ static int mfill_get_vma(struct mfill_state *state)
 	if (IS_ERR(dst_vma))
 		return PTR_ERR(dst_vma);
 
+	state->vma = dst_vma;
 	/*
 	 * If memory mappings are changing because of non-cooperative
 	 * operation (e.g. mremap) running in parallel, bail out and
@@ -257,7 +258,6 @@ static int mfill_get_vma(struct mfill_state *state)
 		goto out_unlock;
 
 out:
-	state->vma = dst_vma;
 	return 0;
 
 out_unlock:
-- 
2.43.0