From: Jinchao Wang
To: Matthew Wilcox, Andrew Morton, David Hildenbrand, Zi Yan, Matthew Brost, Joshua Hahn, Rakie Kim, Byungchul Park, Gregory Price, Ying Huang, Alistair Popple, linux-mm@kvack.org, linux-kernel@vger.kernel.org
Cc: Jinchao Wang, syzbot+2d9c96466c978346b55f@syzkaller.appspotmail.com
Subject: [PATCH] mm/migrate: fix hugetlbfs deadlock by respecting lock ordering
Date: Fri, 9 Jan 2026 11:47:16 +0800
Message-ID: <20260109034723.1342798-1-wangjinchao600@gmail.com>

Fix an AB-BA deadlock between hugetlbfs_punch_hole() and page migration.

The deadlock occurs because migration violates the lock ordering defined
in mm/rmap.c for hugetlbfs:

 * hugetlbfs PageHuge() take locks in this order:
 *   hugetlb_fault_mutex
 *   vma_lock
 *   mapping->i_mmap_rwsem
 *   folio_lock

The following trace illustrates the inversion:

Task A (punch_hole):             Task B (migration):
Reported-by: syzbot+2d9c96466c978346b55f@syzkaller.appspotmail.com
Suggested-by with Co-developed-by, or by listing you as the author instead. I
Suggested-by: Matthew Wilcox
--------------------             -------------------
1. i_mmap_lock_write(mapping)    1. folio_lock(folio)
2. folio_lock(folio)             2. i_mmap_lock_read(mapping)
   (blocks waiting for B)           (blocks waiting for A)

Task A is blocked in the punch-hole path:
  hugetlbfs_fallocate
    hugetlbfs_punch_hole
      hugetlbfs_zero_partial_page
        folio_lock

Task B is blocked in the migration path:
  migrate_pages
    unmap_and_move_huge_page
      remove_migration_ptes
        __rmap_walk_file
          i_mmap_lock_read

To fix this, adjust unmap_and_move_huge_page() to respect the established
hierarchy. If i_mmap_rwsem is acquired during try_to_migrate(), hold it
until remove_migration_ptes() completes.
This utilizes the existing retry logic, which unlocks the folio and returns -EAGAIN if hugetlb_folio_mapping_lock_write() fails.

Link: https://lore.kernel.org/all/68e9715a.050a0220.1186a4.000d.GAE@google.com/
Link: https://lore.kernel.org/all/20260108123957.1123502-2-wangjinchao600@gmail.com
Reported-by: syzbot+2d9c96466c978346b55f@syzkaller.appspotmail.com
Suggested-by: Matthew Wilcox
Signed-off-by: Jinchao Wang
---
 mm/migrate.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)

diff --git a/mm/migrate.c b/mm/migrate.c index 5169f9717f60..bcaa13541acc 100644 --- a/mm/migrate.c +++ b/mm/migrate.c @@ -1458,6 +1458,7 @@ static int unmap_and_move_huge_page(new_folio_t get_n= ew_folio, int page_was_mapped =3D 0; struct anon_vma *anon_vma =3D NULL; struct address_space *mapping =3D NULL; + enum ttu_flags ttu =3D 0; =20 if (folio_ref_count(src) =3D=3D 1) { /* page was freed from under us. So we are done. */ @@ -1498,8 +1499,6 @@ static int unmap_and_move_huge_page(new_folio_t get_n= ew_folio, goto put_anon; =20 if (folio_mapped(src)) { - enum ttu_flags ttu =3D 0; - if (!folio_test_anon(src)) { /* * In shared mappings, try_to_unmap could potentially @@ -1516,16 +1515,17 @@ static int unmap_and_move_huge_page(new_folio_t get= _new_folio, =20 try_to_migrate(src, ttu); page_was_mapped =3D 1; - - if (ttu & TTU_RMAP_LOCKED) - i_mmap_unlock_write(mapping); } =20 if (!folio_mapped(src)) rc =3D move_to_new_folio(dst, src, mode); =20 if (page_was_mapped) - remove_migration_ptes(src, !rc ? dst : src, 0); + remove_migration_ptes(src, !rc ? dst : src, + ttu ? RMP_LOCKED : 0); + + if (ttu & TTU_RMAP_LOCKED) + i_mmap_unlock_write(mapping); =20 unlock_put_anon: folio_unlock(dst); --=20 2.43.0
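
Review bot: In the second hunk (@@ -1498,8 +1499,6 @@), the context comment that begins "In shared mappings, try_to_unmap could potentially" is left as it was, but it no longer describes the full lifetime of the lock taken in that branch. Before this patch i_mmap_rwsem was dropped right after try_to_migrate(); per the last hunk it is now held in write mode across move_to_new_folio() and remove_migration_ptes(). Suggest extending that comment, or adding one at the new i_mmap_unlock_write() site, to say the lock is kept until the migration PTEs are removed so that i_mmap_rwsem is never re-acquired under folio_lock, and mentioning the longer write-side hold time in the commit message.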
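
Review bot: In the last hunk (@@ -1516,16 +1515,17 @@), the new remove_migration_ptes() argument is computed from "ttu ? RMP_LOCKED : 0" while the unlock that follows is guarded by "ttu & TTU_RMAP_LOCKED". The two conditions have to agree exactly: RMP_LOCKED tells the rmap walk that i_mmap_rwsem is already held, so if any other TTU flag were ever set in ttu in this function, the walk would skip taking the lock without it being held. Suggest testing the same bit in both places, i.e. "(ttu & TTU_RMAP_LOCKED) ? RMP_LOCKED : 0".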