From: Kartik Nair
To: muchun.song@linux.dev, osalvador@suse.de
Cc: david@kernel.org, akpm@linux-foundation.org, ljs@kernel.org, liam@infradead.org, vbabka@kernel.org, rppt@kernel.org, surenb@google.com, mhocko@suse.com, linux-mm@kvack.org, linux-kernel@vger.kernel.org, syzbot+bd6aaf99e8443d8a9034@syzkaller.appspotmail.com, Kartik Nair
Subject: [PATCH] mm/hugetlb: fix deadlock in __hugetlb_zap_begin() by using trylock
Date: Thu, 14 May 2026 02:49:27 +0530
Message-Id: <20260513211927.4206-1-contact.kartikn@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot reported a circular locking dependency involving resv_map->rw_sema
and mmap_lock:

       CPU0                    CPU1
  lock(&mm->mmap_lock)
                               lock(sk_lock-AF_INET6)
                               lock(&mm->mmap_lock)
  lock(&resv_map->rw_sema)

__hugetlb_zap_begin() calls hugetlb_vma_lock_write() which does a blocking
down_write() on either vma_lock->rw_sema or resv_map->rw_sema while
mmap_lock is already held for write by the caller chain (vm_mmap_pgoff ->
mmap_region -> __mmap_region -> unmap_region -> unmap_vmas ->
hugetlb_zap_begin).

Fix this by converting __hugetlb_zap_begin() to use
hugetlb_vma_trylock_write() instead of hugetlb_vma_lock_write(). If the
trylock fails, return false to the callers so they can skip the zap
operation safely. Update hugetlb_zap_begin() and its callers in
unmap_vmas() and zap_vma_range_batched() accordingly.

Reported-by: syzbot+bd6aaf99e8443d8a9034@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=bd6aaf99e8443d8a9034
Signed-off-by: Kartik Nair
---
 include/linux/hugetlb.h | 10 ++++++----
 mm/hugetlb.c            |  8 +++++---
 mm/memory.c             | 10 ++++++----
 3 files changed, 17 insertions(+), 11 deletions(-)

diff --git a/include/linux/hugetlb.h b/include/linux/hugetlb.h
index 93418625d3c5..1972464bd92f 100644
--- a/include/linux/hugetlb.h +++ b/include/linux/hugetlb.h @@ -244,16 +244,17 @@ void huge_pmd_unshare_flush(struct mmu_gather *tlb, s= truct vm_area_struct *vma); void adjust_range_if_pmd_sharing_possible(struct vm_area_struct *vma, unsigned long *start, unsigned long *end); =20 -extern void __hugetlb_zap_begin(struct vm_area_struct *vma, +extern bool __hugetlb_zap_begin(struct vm_area_struct *vma, unsigned long *begin, unsigned long *end); extern void __hugetlb_zap_end(struct vm_area_struct *vma, struct zap_details *details); =20 -static inline void hugetlb_zap_begin(struct vm_area_struct *vma, +static inline bool hugetlb_zap_begin(struct vm_area_struct *vma, unsigned long *start, unsigned long *end) { if (is_vm_hugetlb_page(vma)) - __hugetlb_zap_begin(vma, start, end); + return __hugetlb_zap_begin(vma, start, end); + return true; } =20 static inline void hugetlb_zap_end(struct vm_area_struct *vma, @@ -318,10 +319,11 @@ static inline void adjust_range_if_pmd_sharing_possib= le( { } =20 -static inline void hugetlb_zap_begin( +static inline bool hugetlb_zap_begin( struct vm_area_struct *vma, unsigned long *start, unsigned long *end) { + return true; } =20 static inline void hugetlb_zap_end( diff --git a/mm/hugetlb.c b/mm/hugetlb.c index f24bf49be047..dd55ec2ef007 100644 --- a/mm/hugetlb.c +++ b/mm/hugetlb.c @@ -5309,16 +5309,18 @@ void __unmap_hugepage_range(struct mmu_gather *tlb,= struct vm_area_struct *vma, huge_pmd_unshare_flush(tlb, vma); } =20 -void __hugetlb_zap_begin(struct vm_area_struct *vma, +bool __hugetlb_zap_begin(struct vm_area_struct *vma, unsigned long *start, unsigned long *end) { if (!vma->vm_file) /* hugetlbfs_file_mmap error */ - return; + return false; =20 adjust_range_if_pmd_sharing_possible(vma, start, end); - hugetlb_vma_lock_write(vma); + if (!hugetlb_vma_trylock_write(vma)) + return false; if (vma->vm_file) i_mmap_lock_write(vma->vm_file->f_mapping); + return true; } =20 void __hugetlb_zap_end(struct vm_area_struct *vma, 
diff --git a/mm/memory.c b/mm/memory.c index ea6568571131..c1451e5b6ee7 100644 --- a/mm/memory.c +++ b/mm/memory.c @@ -2158,9 +2158,10 @@ void unmap_vmas(struct mmu_gather *tlb, struct unmap= _desc *unmap) unsigned long start =3D max(vma->vm_start, unmap->vma_start); unsigned long end =3D min(vma->vm_end, unmap->vma_end); =20 - hugetlb_zap_begin(vma, &start, &end); - __zap_vma_range(tlb, vma, start, end, &details); - hugetlb_zap_end(vma, &details); + if (hugetlb_zap_begin(vma, &start, &end)) { + __zap_vma_range(tlb, vma, start, end, &details); + hugetlb_zap_end(vma, &details); + } vma =3D mas_find(unmap->mas, unmap->tree_end - 1); } while (vma); mmu_notifier_invalidate_range_end(&range); @@ -2194,7 +2195,8 @@ void zap_vma_range_batched(struct mmu_gather *tlb, =20 mmu_notifier_range_init(&range, MMU_NOTIFY_CLEAR, 0, vma->vm_mm, address, end); - hugetlb_zap_begin(vma, &range.start, &range.end); + if (!hugetlb_zap_begin(vma, &range.start, &range.end)) + return; update_hiwater_rss(vma->vm_mm); mmu_notifier_invalidate_range_start(&range); /* --=20 2.39.5 (Apple Git-154)
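Review bot: the include/linux/hugetlb.h hunk at @@ -244 changes __hugetlb_zap_begin() and the hugetlb_zap_begin() wrapper to return bool but documents neither what false means nor that the result must be honoured. A caller that ignores the return and still calls hugetlb_zap_end() would run the unlock side without the lock having been taken, so mark both declarations __must_check and add a comment on the inline wrapper stating that a false return means no vma lock or i_mmap lock is held and hugetlb_zap_end() must not be called.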
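Review bot: the mm/hugetlb.c hunk at @@ -5309 silently changes the existing `if (!vma->vm_file)` error path. Before, that early `return` skipped only the locking and the caller still ran __zap_vma_range() and hugetlb_zap_end(); with `return false` the caller now skips the zap entirely for that case, which is unrelated to the deadlock and is not mentioned in the commit message. That path needs no lock, so `return true` there keeps the old behaviour. Also note that adjust_range_if_pmd_sharing_possible() may already have widened *start and *end when the trylock fails; that is only harmless because both callers discard the range on false, which deserves a comment next to the `return false`.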
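Review bot: the mm/memory.c hunk at @@ -2158 (unmap_vmas) turns a mandatory unmap into a conditional one, and that is not a safe fallback. The commit message's own call chain (__mmap_region -> unmap_region -> unmap_vmas) is the VMA being torn down, so a VMA whose __zap_vma_range() is skipped is removed with its page table entries still in place, and whether that happens depends on whether some other task holds the vma lock at that instant; a trylock fails under ordinary contention, not only in the lockdep scenario. The order mmap_lock -> hugetlb vma lock is the order this path already used before the patch, while the scenario quoted in the commit message has sk_lock-AF_INET6 sitting between those two locks, so the cycle needs to be broken at the sk_lock edges (which the commit message does not identify) rather than by making the unmap optional. If a non-blocking acquire is kept at all, a failed trylock must retry or return an error the caller acts on, never fall through.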
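Review bot: the mm/memory.c hunk at @@ -2194 (zap_vma_range_batched) returns early from a void function, so the caller has no way to learn that its range was not zapped and proceeds as if it had been. The placement is at least consistent, since the `return` happens after mmu_notifier_range_init() but before mmu_notifier_invalidate_range_start(), so no notifier start is left unpaired; still, a silent no-op here is a correctness bug, so either propagate an error code to the callers or, at the very minimum, add a WARN_ON_ONCE() on the failure path so the condition is visible.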