[syzbot] [mm?] possible deadlock in mfill_get_vma
1 view
Skip to first unread message
syzbot
Mar 15, 2026, 2:37:30āÆPMĀ (11 hours ago)Ā Mar 15
to ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, pet...@redhat.com, rp...@kernel.org, syzkall...@googlegroups.com
Hello,
syzbot found the following issue on:
HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=131ab8da580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126c98ba580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1644a2d6580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09145161a8a9/disk-b84a0ebe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b64c254e474c/vmlinux-b84a0ebe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a7c33f5f7f45/bzImage-b84a0ebe.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c473aa...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/5990 is trying to acquire lock:
ffff88802caef3b8 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0xaf/0x130 mm/memory.c:7249
but task is already holding lock:
ffff88807cdbccf0 (&ctx->map_changing_lock){.+.+}-{4:4}, at: mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&ctx->map_changing_lock){.+.+}-{4:4}:
down_read+0x47/0x2e0 kernel/locking/rwsem.c:1568
mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226
mfill_atomic mm/userfaultfd.c:900 [inline]
mfill_atomic_continue+0x189/0x12c0 mm/userfaultfd.c:974
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (vm_lock){++++}-{0:0}:
__vma_start_exclude_readers+0x28a/0x940 mm/mmap_lock.c:125
__vma_start_write+0xdc/0x290 mm/mmap_lock.c:148
vma_start_write include/linux/mmap_lock.h:303 [inline]
mprotect_fixup+0x5eb/0xa80 mm/mprotect.c:768
setup_arg_pages+0x565/0xac0 fs/exec.c:670
load_elf_binary+0xc5e/0x2980 fs/binfmt_elf.c:1029
search_binary_handler fs/exec.c:1664 [inline]
exec_binprm fs/exec.c:1696 [inline]
bprm_execve+0x949/0x1470 fs/exec.c:1748
kernel_execve+0x844/0x930 fs/exec.c:1892
try_to_run_init_process+0x13/0x60 init/main.c:1514
kernel_init+0xad/0x1d0 init/main.c:1642
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
-> #0 (&mm->mmap_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
__might_fault+0xcb/0x130 mm/memory.c:7249
userfaultfd_continue fs/userfaultfd.c:1813 [inline]
userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&mm->mmap_lock --> vm_lock --> &ctx->map_changing_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(&ctx->map_changing_lock);
lock(vm_lock);
lock(&ctx->map_changing_lock);
rlock(&mm->mmap_lock);
*** DEADLOCK ***
2 locks held by syz.0.17/5990:
#0: ffff88807c119d08 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
#1: ffff88807cdbccf0 (&ctx->map_changing_lock){.+.+}-{4:4}, at: mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226
stack backtrace:
CPU: 0 UID: 0 PID: 5990 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
__might_fault+0xcb/0x130 mm/memory.c:7249
userfaultfd_continue fs/userfaultfd.c:1813 [inline]
userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f478759c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc2bbac28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4787815fa0 RCX: 00007f478759c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f4787632c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4787815fac R14: 00007f4787815fa0 R15: 00007f4787815fa0
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
syzbot found the following issue on:
HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=131ab8da580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126c98ba580000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1644a2d6580000
Downloadable assets:
disk image: https://storage.googleapis.com/syzbot-assets/09145161a8a9/disk-b84a0ebe.raw.xz
vmlinux: https://storage.googleapis.com/syzbot-assets/b64c254e474c/vmlinux-b84a0ebe.xz
kernel image: https://storage.googleapis.com/syzbot-assets/a7c33f5f7f45/bzImage-b84a0ebe.xz
IMPORTANT: if you fix the issue, please add the following tag to the commit:
Reported-by: syzbot+c473aa...@syzkaller.appspotmail.com
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/5990 is trying to acquire lock:
ffff88802caef3b8 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0xaf/0x130 mm/memory.c:7249
but task is already holding lock:
ffff88807cdbccf0 (&ctx->map_changing_lock){.+.+}-{4:4}, at: mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (&ctx->map_changing_lock){.+.+}-{4:4}:
down_read+0x47/0x2e0 kernel/locking/rwsem.c:1568
mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226
mfill_atomic mm/userfaultfd.c:900 [inline]
mfill_atomic_continue+0x189/0x12c0 mm/userfaultfd.c:974
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
-> #1 (vm_lock){++++}-{0:0}:
__vma_start_exclude_readers+0x28a/0x940 mm/mmap_lock.c:125
__vma_start_write+0xdc/0x290 mm/mmap_lock.c:148
vma_start_write include/linux/mmap_lock.h:303 [inline]
mprotect_fixup+0x5eb/0xa80 mm/mprotect.c:768
setup_arg_pages+0x565/0xac0 fs/exec.c:670
load_elf_binary+0xc5e/0x2980 fs/binfmt_elf.c:1029
search_binary_handler fs/exec.c:1664 [inline]
exec_binprm fs/exec.c:1696 [inline]
bprm_execve+0x949/0x1470 fs/exec.c:1748
kernel_execve+0x844/0x930 fs/exec.c:1892
try_to_run_init_process+0x13/0x60 init/main.c:1514
kernel_init+0xad/0x1d0 init/main.c:1642
ret_from_fork+0x51e/0xb90 arch/x86/kernel/process.c:158
ret_from_fork_asm+0x1a/0x30 arch/x86/entry/entry_64.S:245
-> #0 (&mm->mmap_lock){++++}-{4:4}:
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
__might_fault+0xcb/0x130 mm/memory.c:7249
userfaultfd_continue fs/userfaultfd.c:1813 [inline]
userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
other info that might help us debug this:
Chain exists of:
&mm->mmap_lock --> vm_lock --> &ctx->map_changing_lock
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(&ctx->map_changing_lock);
lock(vm_lock);
lock(&ctx->map_changing_lock);
rlock(&mm->mmap_lock);
*** DEADLOCK ***
2 locks held by syz.0.17/5990:
#0: ffff88807c119d08 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
#1: ffff88807cdbccf0 (&ctx->map_changing_lock){.+.+}-{4:4}, at: mfill_get_vma+0x162/0x660 mm/userfaultfd.c:226
stack backtrace:
CPU: 0 UID: 0 PID: 5990 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
__might_fault+0xcb/0x130 mm/memory.c:7249
userfaultfd_continue fs/userfaultfd.c:1813 [inline]
userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f478759c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007ffcc2bbac28 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f4787815fa0 RCX: 00007f478759c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f4787632c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f4787815fac R14: 00007f4787815fa0 R15: 00007f4787815fa0
</TASK>
---
This report is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzk...@googlegroups.com.
syzbot will keep track of this issue. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
If the report is already addressed, let syzbot know by replying with:
#syz fix: exact-commit-title
If you want syzbot to run the reproducer, reply with:
#syz test: git://repo/address.git branch-or-commit-hash
If you attach or paste a git patch, syzbot will apply it before testing.
If you want to overwrite report's subsystems, reply with:
#syz set subsystems: new-subsystem
(See the list of subsystem names on the web dashboard)
If the report is a duplicate of another one, reply with:
#syz dup: exact-subject-of-another-report
If you want to undo deduplication, reply with:
#syz undup
Edward Adam Davis
Mar 15, 2026, 8:57:38āÆPMĀ (5 hours ago)Ā Mar 15
to syzbot+c473aa...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 9ffc80d0a51b..ccfadea3dc79 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -197,7 +197,6 @@ static void mfill_put_vma(struct mfill_state *state)
if (!state->vma)
return;
- up_read(&state->ctx->map_changing_lock);
uffd_mfill_unlock(state->vma);
state->vma = NULL;
}
@@ -261,6 +260,7 @@ static int mfill_get_vma(struct mfill_state *state)
return 0;
out_unlock:
+ up_read(&state->ctx->map_changing_lock);
mfill_put_vma(state);
return err;
}
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 9ffc80d0a51b..ccfadea3dc79 100644
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -197,7 +197,6 @@ static void mfill_put_vma(struct mfill_state *state)
if (!state->vma)
return;
- up_read(&state->ctx->map_changing_lock);
uffd_mfill_unlock(state->vma);
state->vma = NULL;
}
@@ -261,6 +260,7 @@ static int mfill_get_vma(struct mfill_state *state)
return 0;
out_unlock:
+ up_read(&state->ctx->map_changing_lock);
mfill_put_vma(state);
return err;
}
Hillf Danton
Mar 15, 2026, 9:19:36āÆPMĀ (4 hours ago)Ā Mar 15
to syzbot, linux-...@vger.kernel.org, syzkall...@googlegroups.com
> Date: Sun, 15 Mar 2026 11:37:28 -0700 [thread overview]
--- x/mm/userfaultfd.c
+++ y/mm/userfaultfd.c
@@ -217,6 +217,7 @@ static int mfill_get_vma(struct mfill_st
dst_vma = uffd_mfill_lock(ctx->mm, state->dst_start, state->len);
if (IS_ERR(dst_vma))
return PTR_ERR(dst_vma);
+ state->vma = dst_vma;
/*
* If memory mappings are changing because of non-cooperative
--
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=131ab8da580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
> dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126c98ba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1644a2d6580000
#syz test
>
> syzbot found the following issue on:
>
> HEAD commit: b84a0ebe421c Add linux-next specific files for 20260313
> git tree: linux-next
> console output: https://syzkaller.appspot.com/x/log.txt?x=131ab8da580000
> kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
> dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
> compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
> syz repro: https://syzkaller.appspot.com/x/repro.syz?x=126c98ba580000
> C reproducer: https://syzkaller.appspot.com/x/repro.c?x=1644a2d6580000
--- x/mm/userfaultfd.c
+++ y/mm/userfaultfd.c
@@ -217,6 +217,7 @@ static int mfill_get_vma(struct mfill_st
dst_vma = uffd_mfill_lock(ctx->mm, state->dst_start, state->len);
if (IS_ERR(dst_vma))
return PTR_ERR(dst_vma);
+ state->vma = dst_vma;
/*
* If memory mappings are changing because of non-cooperative
--
syzbot
Mar 15, 2026, 9:35:06āÆPMĀ (4 hours ago)Ā Mar 15
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in lock_vma_under_rcu
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
syz.0.17/6543 is trying to acquire lock:
ffff8880342d8338 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0xaf/0x130 mm/memory.c:7249
but task is already holding lock:
ffff88802c19fbc8 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
lock(&mm->mmap_lock);
lock(vm_lock);
#0: ffff88802c19fbc8 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
stack backtrace:
CPU: 0 UID: 0 PID: 6543 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
RAX: ffffffffffffffda RBX: 00007fab11815fa0 RCX: 00007fab1159c799
</TASK>
Tested on:
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=148f44da580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
possible deadlock in lock_vma_under_rcu
======================================================
WARNING: possible circular locking dependency detected
syzkaller #0 Not tainted
------------------------------------------------------
ffff8880342d8338 (&mm->mmap_lock){++++}-{4:4}, at: __might_fault+0xaf/0x130 mm/memory.c:7249
but task is already holding lock:
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
rlock(vm_lock);
CPU0 CPU1
---- ----
lock(&mm->mmap_lock);
lock(vm_lock);
rlock(&mm->mmap_lock);
*** DEADLOCK ***
1 lock held by syz.0.17/6543:
*** DEADLOCK ***
#0: ffff88802c19fbc8 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
stack backtrace:
CPU: 0 UID: 0 PID: 6543 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
__might_fault+0xcb/0x130 mm/memory.c:7249
userfaultfd_continue fs/userfaultfd.c:1813 [inline]
userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7fab1159c799
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_circular_bug+0x2e1/0x300 kernel/locking/lockdep.c:2043
check_noncircular+0x12e/0x150 kernel/locking/lockdep.c:2175
check_prev_add kernel/locking/lockdep.c:3165 [inline]
check_prevs_add kernel/locking/lockdep.c:3284 [inline]
validate_chain kernel/locking/lockdep.c:3908 [inline]
__lock_acquire+0x15a5/0x2cf0 kernel/locking/lockdep.c:5237
lock_acquire+0xf0/0x2e0 kernel/locking/lockdep.c:5868
__might_fault+0xcb/0x130 mm/memory.c:7249
userfaultfd_continue fs/userfaultfd.c:1813 [inline]
userfaultfd_ioctl+0x2372/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007fab12535028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007fab11815fa0 RCX: 00007fab1159c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007fab11632c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007fab11816038 R14: 00007fab11815fa0 R15: 00007ffcb27f4f28
</TASK>
Tested on:
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=148f44da580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=130228da580000
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Edward Adam Davis
Mar 15, 2026, 9:49:32āÆPMĀ (4 hours ago)Ā Mar 15
to syzbot+c473aa...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 9ffc80d0a51b..7ee4f7b9e299 100644
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -197,7 +197,6 @@ static void mfill_put_vma(struct mfill_state *state)
if (!state->vma)
return;
- up_read(&state->ctx->map_changing_lock);
uffd_mfill_unlock(state->vma);
state->vma = NULL;
}
@@ -261,7 +260,9 @@ static int mfill_get_vma(struct mfill_state *state)
+++ b/mm/userfaultfd.c
@@ -197,7 +197,6 @@ static void mfill_put_vma(struct mfill_state *state)
if (!state->vma)
return;
- up_read(&state->ctx->map_changing_lock);
uffd_mfill_unlock(state->vma);
state->vma = NULL;
}
return 0;
out_unlock:
- mfill_put_vma(state);
+ up_read(&state->ctx->map_changing_lock);
+ mmap_read_unlock(dst_vma->vm_mm);
+ state->vma = NULL;
return err;
}
syzbot
Mar 15, 2026, 9:56:08āÆPMĀ (4 hours ago)Ā Mar 15
to hda...@sina.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+c473aa...@syzkaller.appspotmail.com
Tested-by: syzbot+c473aa...@syzkaller.appspotmail.com
Tested on:
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15445602580000
Note: testing is done by a robot and is best-effort only.
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+c473aa...@syzkaller.appspotmail.com
Tested-by: syzbot+c473aa...@syzkaller.appspotmail.com
Tested on:
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=15445602580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=147798ba580000
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Note: testing is done by a robot and is best-effort only.
syzbot
Mar 15, 2026, 10:20:05āÆPMĀ (3 hours ago)Ā Mar 15
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: bad unlock balance in mfill_get_vma
=====================================
WARNING: bad unlock balance detected!
syzkaller #0 Not tainted
-------------------------------------
syz.0.17/6492 is trying to release lock (&mm->mmap_lock) at:
[<ffffffff823cd29e>] mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
[<ffffffff823cd29e>] mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
but there are no more locks to release!
other info that might help us debug this:
1 lock held by syz.0.17/6492:
#0: ffff888077c73948 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
stack backtrace:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
__lock_release kernel/locking/lockdep.c:5537 [inline]
lock_release+0x248/0x3d0 kernel/locking/lockdep.c:5889
up_read+0x16/0x20 kernel/locking/rwsem.c:1670
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
mfill_atomic mm/userfaultfd.c:901 [inline]
mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
</TASK>
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(!is_rwsem_reader_owned(sem)): count = 0x0, magic = 0xffff888034691bd0, owner = 0x0, curr 0xffff888035dfdb80, list not empty
WARNING: kernel/locking/rwsem.c:1384 at __up_read+0x52e/0x6b0 kernel/locking/rwsem.c:1384, CPU#1: syz.0.17/6492
Modules linked in:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Code: f4 ec 8b 49 c7 c2 e0 f3 ec 8b 4c 0f 44 d0 48 8b 7c 24 28 48 c7 c6 a0 f3 ec 8b 48 89 da 48 8b 4c 24 20 4d 89 f0 4d 89 f9 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 5e 1f 15 03 4c 8b 7c 24 18 e9 38 fb
RSP: 0018:ffffc90003127698 EFLAGS: 00010246
RAX: ffffffff8becf400 RBX: 0000000000000000 RCX: ffff888034691bd0
RDX: 0000000000000000 RSI: ffffffff8becf3a0 RDI: ffffffff90579f30
RBP: ffffc90003127768 R08: 0000000000000000 R09: ffff888035dfdb80
R10: ffffffff8becf400 R11: ffffed10068d237c R12: ffff888034691c28
R13: 1ffff92000624edc R14: 0000000000000000 R15: ffff888035dfdb80
FS: 00007f2ea9e4f6c0(0000) GS:ffff888124ee0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2ea904eddd CR3: 0000000079298000 CR4: 00000000003526f0
Call Trace:
<TASK>
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
mfill_atomic mm/userfaultfd.c:901 [inline]
mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
</TASK>
----------------
Code disassembly (best guess), 3 bytes skipped:
0: 49 c7 c2 e0 f3 ec 8b mov $0xffffffff8becf3e0,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 28 mov 0x28(%rsp),%rdi
10: 48 c7 c6 a0 f3 ec 8b mov $0xffffffff8becf3a0,%rsi
17: 48 89 da mov %rbx,%rdx
1a: 48 8b 4c 24 20 mov 0x20(%rsp),%rcx
1f: 4d 89 f0 mov %r14,%r8
22: 4d 89 f9 mov %r15,%r9
25: 41 52 push %r10
* 27: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2c: 48 83 c4 08 add $0x8,%rsp
30: e8 5e 1f 15 03 call 0x3151f93
35: 4c 8b 7c 24 18 mov 0x18(%rsp),%r15
3a: e9 .byte 0xe9
3b: 38 fb cmp %bh,%bl
Tested on:
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=138bdd52580000
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
=====================================
WARNING: bad unlock balance detected!
syzkaller #0 Not tainted
-------------------------------------
syz.0.17/6492 is trying to release lock (&mm->mmap_lock) at:
[<ffffffff823cd29e>] mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
[<ffffffff823cd29e>] mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
but there are no more locks to release!
other info that might help us debug this:
#0: ffff888077c73948 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
stack backtrace:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_unlock_imbalance_bug+0xdc/0xf0 kernel/locking/lockdep.c:5298
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
__lock_release kernel/locking/lockdep.c:5537 [inline]
lock_release+0x248/0x3d0 kernel/locking/lockdep.c:5889
up_read+0x16/0x20 kernel/locking/rwsem.c:1670
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
mfill_atomic mm/userfaultfd.c:901 [inline]
mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ea8f9c799
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ea9e4f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f2ea9032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2ea9216038 R14: 00007f2ea9215fa0 R15: 00007ffc924a90f8
</TASK>
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(!is_rwsem_reader_owned(sem)): count = 0x0, magic = 0xffff888034691bd0, owner = 0x0, curr 0xffff888035dfdb80, list not empty
WARNING: kernel/locking/rwsem.c:1384 at __up_read+0x52e/0x6b0 kernel/locking/rwsem.c:1384, CPU#1: syz.0.17/6492
Modules linked in:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__up_read+0x614/0x6b0 kernel/locking/rwsem.c:1384
Code: f4 ec 8b 49 c7 c2 e0 f3 ec 8b 4c 0f 44 d0 48 8b 7c 24 28 48 c7 c6 a0 f3 ec 8b 48 89 da 48 8b 4c 24 20 4d 89 f0 4d 89 f9 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 5e 1f 15 03 4c 8b 7c 24 18 e9 38 fb
RSP: 0018:ffffc90003127698 EFLAGS: 00010246
RAX: ffffffff8becf400 RBX: 0000000000000000 RCX: ffff888034691bd0
RDX: 0000000000000000 RSI: ffffffff8becf3a0 RDI: ffffffff90579f30
RBP: ffffc90003127768 R08: 0000000000000000 R09: ffff888035dfdb80
R10: ffffffff8becf400 R11: ffffed10068d237c R12: ffff888034691c28
R13: 1ffff92000624edc R14: 0000000000000000 R15: ffff888035dfdb80
FS: 00007f2ea9e4f6c0(0000) GS:ffff888124ee0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2ea904eddd CR3: 0000000079298000 CR4: 00000000003526f0
Call Trace:
<TASK>
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
mfill_atomic mm/userfaultfd.c:901 [inline]
mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ea8f9c799
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ea9e4f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f2ea9032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2ea9216038 R14: 00007f2ea9215fa0 R15: 00007ffc924a90f8
</TASK>
----------------
Code disassembly (best guess), 3 bytes skipped:
0: 49 c7 c2 e0 f3 ec 8b mov $0xffffffff8becf3e0,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 28 mov 0x28(%rsp),%rdi
10: 48 c7 c6 a0 f3 ec 8b mov $0xffffffff8becf3a0,%rsi
17: 48 89 da mov %rbx,%rdx
1a: 48 8b 4c 24 20 mov 0x20(%rsp),%rcx
1f: 4d 89 f0 mov %r14,%r8
22: 4d 89 f9 mov %r15,%r9
25: 41 52 push %r10
* 27: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2c: 48 83 c4 08 add $0x8,%rsp
30: e8 5e 1f 15 03 call 0x3151f93
35: 4c 8b 7c 24 18 mov 0x18(%rsp),%r15
3a: e9 .byte 0xe9
3b: 38 fb cmp %bh,%bl
Tested on:
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15c078da580000
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Edward Adam Davis
Mar 15, 2026, 10:21:19āÆPMĀ (3 hours ago)Ā Mar 15
to syzbot+c473aa...@syzkaller.appspotmail.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
#syz test
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
index 9ffc80d0a51b..a3333d5c6454 100644
diff --git a/mm/userfaultfd.c b/mm/userfaultfd.c
--- a/mm/userfaultfd.c
+++ b/mm/userfaultfd.c
@@ -218,6 +218,7 @@ static int mfill_get_vma(struct mfill_state *state)
if (IS_ERR(dst_vma))
return PTR_ERR(dst_vma);
+ state->vma = dst_vma;
/*
* If memory mappings are changing because of non-cooperative
* operation (e.g. mremap) running in parallel, bail out and
return PTR_ERR(dst_vma);
+ state->vma = dst_vma;
/*
* If memory mappings are changing because of non-cooperative
@@ -257,7 +258,6 @@ static int mfill_get_vma(struct mfill_state *state)
goto out_unlock;
out:
- state->vma = dst_vma;
return 0;
out_unlock:
syzbot
Mar 15, 2026, 11:07:03āÆPMĀ (3 hours ago)Ā Mar 15
to ead...@qq.com, linux-...@vger.kernel.org, syzkall...@googlegroups.com
Hello,
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+c473aa...@syzkaller.appspotmail.com
Tested-by: syzbot+c473aa...@syzkaller.appspotmail.com
syzbot has tested the proposed patch and the reproducer did not trigger any issue:
Reported-by: syzbot+c473aa...@syzkaller.appspotmail.com
Tested-by: syzbot+c473aa...@syzkaller.appspotmail.com
Tested on:
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=129ba2d6580000
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15f24216580000
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
Edward Adam Davis
Mar 15, 2026, 11:11:12āÆPMĀ (3 hours ago)Ā Mar 15
to syzbot+c473aa...@syzkaller.appspotmail.com, ak...@linux-foundation.org, linux-...@vger.kernel.org, linu...@kvack.org, pet...@redhat.com, rp...@kernel.org, syzkall...@googlegroups.com
A deadlock [1] occurs in mfill_get_vma() because the locks mmap_lock
and map_changing_lock are not released; the failure to release them
properly stems from the assignment of the vma variable occurring at
an inappropriate stage.
Moving the vma assignment operation within mfill_get_vma() to after
the vma has been got.
[1]
Fixes: 7d4d4de3ac3e ("userfaultfd: introduce mfill_get_vma() and mfill_put_vma()")
Reported-by: syzbot+c473aa...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
Tested-by: syzbot+c473aa...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
mm/userfaultfd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--
2.43.0
and map_changing_lock are not released; the failure to release them
properly stems from the assignment of the vma variable occurring at
an inappropriate stage.
Moving the vma assignment operation within mfill_get_vma() to after
the vma has been got.
[1]
Reported-by: syzbot+c473aa...@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
Tested-by: syzbot+c473aa...@syzkaller.appspotmail.com
Signed-off-by: Edward Adam Davis <ead...@qq.com>
---
mm/userfaultfd.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
2.43.0
Reply all
Reply to author
Forward
0 new messages