From: Sechang Lim
To: akpm@linux-foundation.org, urezki@gmail.com
Cc: linux-mm@kvack.org, linux-kernel@vger.kernel.org, Sechang Lim
Subject: [PATCH] mm/vmalloc: Prevent RCU stall in decay_va_pool_node()
Date: Wed, 15 Apr 2026 08:48:37 +0000
Message-ID: <20260415084837.1001739-1-rhkrqnwk98@gmail.com>

decay_va_pool_node() walks every per-pool free-list entry under
vmap_purge_lock and merges each vmap_area into a global RB-tree via
reclaim_list_global() without yielding. The outer loop has no
rescheduling point, so when many vmap areas are queued the function can
monopolize the CPU long enough to trigger an RCU self-detected stall:

  rcu: INFO: rcu_preempt self-detected stall on CPU
  rcu: 2-...0: (6344 ticks this GP) idle=853c/1/0x4000000000000000 softirq=41536/41536 fqs=3211
  rcu: (t=6528 jiffies g=37549 q=4652 ncpus=4)
  CPU: 2 UID: 0 PID: 1516 Comm: syz.5.318 Not tainted 7.0.0-rc7 #4 PREEMPT(full)
  Call Trace:
   finish_task_switch.isra.0+0x23e/0x990 kernel/sched/core.c:5155
   context_switch kernel/sched/core.c:5301 [inline]
   __schedule+0xb3d/0x3680 kernel/sched/core.c:6911
   preempt_schedule_common+0x44/0xc0 kernel/sched/core.c:7095
   preempt_schedule_thunk+0x16/0x30 arch/x86/entry/thunk.S:12
   __raw_spin_unlock include/linux/spinlock_api_smp.h:169 [inline]
   _raw_spin_unlock+0x43/0x50 kernel/locking/spinlock.c:186
   reclaim_list_global mm/vmalloc.c:2213 [inline]
   decay_va_pool_node+0xccf/0x1070 mm/vmalloc.c:2273
   __purge_vmap_area_lazy+0x136/0xc80 mm/vmalloc.c:2361
   _vm_unmap_aliases+0x469/0x6e0 mm/vmalloc.c:2996
   change_page_attr_set_clr+0x24d/0x4a0 arch/x86/mm/pat/set_memory.c:2082
   set_memory_rox+0xc2/0x110 arch/x86/mm/pat/set_memory.c:2314
   create_trampoline arch/x86/kernel/ftrace.c:421 [inline]
   arch_ftrace_update_trampoline+0x79d/0xb50 arch/x86/kernel/ftrace.c:479
   ftrace_update_trampoline+0x45/0x360 kernel/trace/ftrace.c:8391
   __register_ftrace_function+0x238/0x340 kernel/trace/ftrace.c:365
   ftrace_startup+0x3b/0x370 kernel/trace/ftrace.c:3098
   register_ftrace_function_nolock+0x5e/0x160 kernel/trace/ftrace.c:9162
   register_ftrace_function+0x32b/0x4c0 kernel/trace/ftrace.c:9189
   perf_ftrace_function_register kernel/trace/trace_event_perf.c:494 [inline]
   perf_ftrace_event_register+0x159/0x240 kernel/trace/trace_event_perf.c:518
   perf_trace_event_open kernel/trace/trace_event_perf.c:184 [inline]
   perf_trace_event_init kernel/trace/trace_event_perf.c:206 [inline]
   perf_trace_event_init+0x17b/0xad0 kernel/trace/trace_event_perf.c:193
   perf_trace_init+0x176/0x290 kernel/trace/trace_event_perf.c:226
   perf_tp_event_init+0xa6/0x120 kernel/events/core.c:11270
   perf_try_init_event+0x103/0x930 kernel/events/core.c:13029
   perf_init_event kernel/events/core.c:13127 [inline]
   perf_event_alloc.part.0+0x11dd/0x4970 kernel/events/core.c:13402
   perf_event_alloc kernel/events/core.c:13283 [inline]
   __do_sys_perf_event_open+0x764/0x2eb0 kernel/events/core.c:13924
   do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
   do_syscall_64+0xa9/0x580 arch/x86/entry/syscall_64.c:94
   entry_SYSCALL_64_after_hwframe+0x76/0x7e

Add cond_resched() at the bottom of the outer loop in
decay_va_pool_node(). At that point the per-pool spinlock has already
been released and the outer vmap_purge_lock is a mutex, so sleeping is
safe.

Found by Syzkaller.

Fixes: 72210662c5a2 ("mm: vmalloc: offload free_vmap_area_lock lock")
Signed-off-by: Sechang Lim
---
 mm/vmalloc.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/mm/vmalloc.c b/mm/vmalloc.c index 61caa55a4402..78e064a9c4c7 100644 --- a/mm/vmalloc.c +++ b/mm/vmalloc.c
@@ -2268,6 +2268,8 @@ decay_va_pool_node(struct vmap_node *vn, bool full_de= cay) WRITE_ONCE(vn->pool[i].len, pool_len); spin_unlock(&vn->pool_lock); } + + cond_resched(); } =20 reclaim_list_global(&decay_list); --=20 2.43.0
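
Review bot: the new cond_resched() sits inside the outer loop, but the trace in the commit message places the stall at reclaim_list_global, inlined into decay_va_pool_node at mm/vmalloc.c:2273, and counting from this hunk's @@ -2268 header that line is the reclaim_list_global(&decay_list) call after the loop closes. The merge pass the trace points at therefore still runs without a rescheduling point once the loop has accumulated decay_list. Please either add the yield in that merge path, at a point where its spinlock is not held, or explain in the commit message why the loop rather than the merge is what holds the CPU. The report also comes from a PREEMPT(full) kernel and the trace shows the task already being preempted on spin_unlock, so the message should say what cond_resched() changes in that configuration and whether the syzkaller reproducer was re-run with the patch applied.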