Date: Fri, 9 Jan 2026 22:16:00 +0800
From: Jinchao Wang
To: "David Hildenbrand (Red Hat)"
Cc: Matthew Wilcox, Andrew Morton, Zi Yan, Matthew Brost, Joshua Hahn, Rakie Kim, Byungchul Park, Gregory Price, Ying Huang, Alistair Popple, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+2d9c96466c978346b55f@syzkaller.appspotmail.com
Subject: Re: [PATCH] mm/migrate: fix hugetlbfs deadlock by respecting lock ordering
References: <20260109034723.1342798-1-wangjinchao600@gmail.com> <920c641e-e092-46f0-89cb-0f1c130d979a@kernel.org>
In-Reply-To: <920c641e-e092-46f0-89cb-0f1c130d979a@kernel.org>

On Fri, Jan 09, 2026 at 02:39:08PM +0100, David Hildenbrand (Red Hat) wrote:
> On 1/9/26 04:47, Jinchao Wang wrote:
> > Fix an AB-BA deadlock between hugetlbfs_punch_hole() and page migration.
> >
> > The deadlock occurs because migration violates the lock ordering defined
> > in mm/rmap.c for hugetlbfs:
> >
> >  * hugetlbfs PageHuge() take locks in this order:
> >  *   hugetlb_fault_mutex
> >  *   vma_lock
> >  *   mapping->i_mmap_rwsem
> >  *   folio_lock
> >
> > The following trace illustrates the inversion:
> >
> > Task A (punch_hole):             Task B (migration):
> > --------------------             -------------------
> > 1. i_mmap_lock_write(mapping)    1. folio_lock(folio)
> > 2. folio_lock(folio)             2. i_mmap_lock_read(mapping)
> >    (blocks waiting for B)           (blocks waiting for A)
> >
> > Task A is blocked in the punch-hole path:
> >   hugetlbfs_fallocate
> >   hugetlbfs_punch_hole
> >   hugetlbfs_zero_partial_page
> >   folio_lock
> >
> > Task B is blocked in the migration path:
> >   migrate_pages
> >   unmap_and_move_huge_page
> >   remove_migration_ptes
> >   __rmap_walk_file
> >   i_mmap_lock_read
> >
> > To fix this, adjust unmap_and_move_huge_page() to respect the established
> > hierarchy. If i_mmap_rwsem is acquired during try_to_migrate(), hold it
>
>
> I'm confused. Isn't it unmap_and_move_huge_page() that grabs the
> i_mmap_rwsem during hugetlb_page_mapping_lock_write() (where we do a
> try-lock)?

Yes, but the lock is released before remove_migration_ptes().
Task A can enter the race window between
i_mmap_unlock_write(mapping) and
remove_migration_ptes() -> i_mmap_lock_read(mapping).

This window was introduced by the change below:
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/diff/mm/migrate.c?id=336bf30eb765

>
>
> We now handle file-backed folios correctly I think. Could we somehow also be
> in trouble for anon folios? Because there, we'd still take the rmap lock
> after grabbing the folio lock.
>
>
> --
> Cheers
>
> David
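
Added example, not part of the original thread or of the kernel source: a minimal lock-order checker in C that encodes the hugetlbfs hierarchy quoted above and reports the step at which a task blocks on a lock ranked before one it already holds. The enum names, `first_violation()` and the three sequences are assumptions constructed from the trace in the message; `task_b_held` is a hypothetical variant, not the submitted patch.

```c
#include <stddef.h>
#include <stdio.h>

/* Lock classes ranked in the hugetlbfs order quoted from mm/rmap.c: a lower
 * value must be taken before a higher one. Enum names are illustrative. */
enum lock_class { HUGETLB_FAULT_MUTEX, VMA_LOCK, I_MMAP_RWSEM, FOLIO_LOCK, NR_CLASSES };
enum op_kind { ACQUIRE, TRYLOCK, RELEASE };
struct op { enum op_kind kind; enum lock_class lock; };

/* Index of the first blocking acquire that takes a lock ranked before one
 * already held, or -1 if the sequence respects the hierarchy. A trylock
 * cannot block, so it is recorded as held but never reported. */
int first_violation(const struct op *ops, size_t n)
{
    int held[NR_CLASSES] = {0};
    for (size_t i = 0; i < n; i++) {
        int l = ops[i].lock;
        if (ops[i].kind == RELEASE) { held[l] = 0; continue; }
        if (ops[i].kind == ACQUIRE)
            for (int h = l + 1; h < NR_CLASSES; h++)
                if (held[h]) return (int)i;
        held[l] = 1;
    }
    return -1;
}

/* Constructed sequences following the trace in the thread. */
const struct op task_a[] = {       /* punch_hole */
    { ACQUIRE, I_MMAP_RWSEM }, { ACQUIRE, FOLIO_LOCK },
};
const struct op task_b[] = {       /* migration, with the race window */
    { ACQUIRE, FOLIO_LOCK },
    { TRYLOCK, I_MMAP_RWSEM },     /* hugetlb_page_mapping_lock_write() */
    { RELEASE, I_MMAP_RWSEM },     /* i_mmap_unlock_write(mapping) */
    { ACQUIRE, I_MMAP_RWSEM },     /* remove_migration_ptes() -> i_mmap_lock_read() */
};
/* Hypothetical variant: the rwsem won by the trylock stays held across the
 * rmap walk, so no second blocking acquire happens under folio_lock. */
const struct op task_b_held[] = {
    { ACQUIRE, FOLIO_LOCK }, { TRYLOCK, I_MMAP_RWSEM },
    { RELEASE, I_MMAP_RWSEM }, { RELEASE, FOLIO_LOCK },
};

int main(void)
{
    printf("task A: %d\n", first_violation(task_a, 2));
    printf("task B: %d\n", first_violation(task_b, 4));
    printf("task B (held): %d\n", first_violation(task_b_held, 4));
    return 0;
}
```

Task B is flagged at its fourth step (index 3), the blocking read acquire that follows the unlock, which is the window described in the reply.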