From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=jIX+=AZ=kvack.org=owner-linux-mm@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-4.0 required=3.0 tests=BAYES_00,
	FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS autolearn=no autolearn_force=no
	version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id B60A1C433E3
	for <linux-mm@archiver.kernel.org>; Tue, 14 Jul 2020 14:09:35 +0000 (UTC)
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by mail.kernel.org (Postfix) with ESMTP id 801F922510
	for <linux-mm@archiver.kernel.org>; Tue, 14 Jul 2020 14:09:35 +0000 (UTC)
DMARC-Filter: OpenDMARC Filter v1.3.2 mail.kernel.org 801F922510
Authentication-Results: mail.kernel.org; dmarc=none (p=none dis=none) header.from=sina.com
Authentication-Results: mail.kernel.org; spf=pass smtp.mailfrom=owner-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix)
	id D52486B0006; Tue, 14 Jul 2020 10:09:34 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id D02188D0001; Tue, 14 Jul 2020 10:09:34 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id BA3B96B000C; Tue, 14 Jul 2020 10:09:34 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from forelay.hostedemail.com (smtprelay0208.hostedemail.com [216.40.44.208])
	by kanga.kvack.org (Postfix) with ESMTP id A13626B0006
	for <linux-mm@kvack.org>; Tue, 14 Jul 2020 10:09:34 -0400 (EDT)
Received: from smtpin14.hostedemail.com (10.5.19.251.rfc1918.com [10.5.19.251])
	by forelay05.hostedemail.com (Postfix) with ESMTP id 4DC5B181AC9BF
	for <linux-mm@kvack.org>; Tue, 14 Jul 2020 14:09:34 +0000 (UTC)
X-FDA: 77036864268.14.chin04_38166ed26ef1
Received: from filter.hostedemail.com (10.5.16.251.rfc1918.com [10.5.16.251])
	by smtpin14.hostedemail.com (Postfix) with ESMTP id 6DBE61800E0EF
	for <linux-mm@kvack.org>; Tue, 14 Jul 2020 14:09:18 +0000 (UTC)
X-HE-Tag: chin04_38166ed26ef1
X-Filterd-Recvd-Size: 5020
Received: from r3-19.sinamail.sina.com.cn (r3-19.sinamail.sina.com.cn [202.108.3.19])
	by imf47.hostedemail.com (Postfix) with SMTP
	for <linux-mm@kvack.org>; Tue, 14 Jul 2020 14:09:15 +0000 (UTC)
Received: from unknown (HELO localhost.localdomain)([123.123.24.222])
	by sina.com with ESMTP
	id 5F0DBC8400014757; Tue, 14 Jul 2020 22:09:12 +0800 (CST)
X-Sender: hdanton@sina.com
X-Auth-ID: hdanton@sina.com
X-SMAIL-MID: 12830715073490
From: Hillf Danton <hdanton@sina.com>
To: Michal Hocko <mhocko@kernel.org>
Cc: Hillf Danton <hdanton@sina.com>,
	Eric Biggers <ebiggers@kernel.org>,
	syzbot <syzbot+7a0d9d0b26efefe61780@syzkaller.appspotmail.com>,
	akpm@linux-foundation.org,
	arve@android.com,
	christian@brauner.io,
	devel@driverdev.osuosl.org,
	gregkh@linuxfoundation.org,
	hughd@google.com,
	joel@joelfernandes.org,
	linux-kernel@vger.kernel.org,
	linux-mm@kvack.org,
	maco@android.com,
	syzkaller-bugs@googlegroups.com,
	tkjos@android.com,
	Markus Elfring <Markus.Elfring@web.de>
Subject: Re: possible deadlock in shmem_fallocate (4)
Date: Tue, 14 Jul 2020 22:08:59 +0800
Message-Id: <20200714140859.15156-1-hdanton@sina.com>
In-Reply-To: <20200714082629.GF24642@dhcp22.suse.cz>
References: <0000000000000b5f9d059aa2037f@google.com> <20200714033252.8748-1-hdanton@sina.com> <20200714053205.15240-1-hdanton@sina.com>
MIME-Version: 1.0
X-Rspamd-Queue-Id: 6DBE61800E0EF
X-Spamd-Result: default: False [0.00 / 100.00]
X-Rspamd-Server: rspam01
Content-Transfer-Encoding: quoted-printable
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>


On Tue, 14 Jul 2020 10:26:29 +0200 Michal Hocko wrote:
> On Tue 14-07-20 13:32:05, Hillf Danton wrote:
> >=20
> > On Mon, 13 Jul 2020 20:41:11 -0700 Eric Biggers wrote:
> > > On Tue, Jul 14, 2020 at 11:32:52AM +0800, Hillf Danton wrote:
> > > >=20
> > > > Add FALLOC_FL_NOBLOCK and on the shmem side try to lock inode upo=
n the
> > > > new flag. And the overall upside is to keep the current gfp eithe=
r in
> > > > the khugepaged context or not.
> > > >=20
> > > > --- a/include/uapi/linux/falloc.h
> > > > +++ b/include/uapi/linux/falloc.h
> > > > @@ -77,4 +77,6 @@
> > > >   */
> > > >  #define FALLOC_FL_UNSHARE_RANGE		0x40
> > > > =20
> > > > +#define FALLOC_FL_NOBLOCK		0x80
> > > > +
> > >=20
> > > You can't add a new UAPI flag to fix a kernel-internal problem like=
 this.
> >=20
> > Sounds fair, see below.
> >=20
> > What the report indicates is a missing PF_MEMALLOC_NOFS and it's
> > checked on the ashmem side and added as an exception before going
> > to filesystem. On shmem side, no more than a best effort is paid
> > on the inteded exception.
> >=20
> > --- a/drivers/staging/android/ashmem.c
> > +++ b/drivers/staging/android/ashmem.c
> > @@ -437,6 +437,7 @@ static unsigned long
> >  ashmem_shrink_scan(struct shrinker *shrink, struct shrink_control *s=
c)
> >  {
> >  	unsigned long freed =3D 0;
> > +	bool nofs;
> > =20
> >  	/* We might recurse into filesystem code, so bail out if necessary =
*/
> >  	if (!(sc->gfp_mask & __GFP_FS))
> > @@ -445,6 +446,11 @@ ashmem_shrink_scan(struct shrinker *shri
> >  	if (!mutex_trylock(&ashmem_mutex))
> >  		return -1;
> > =20
> > +	/* enter filesystem with caution: nonblock on locking */
> > +	nofs =3D current->flags & PF_MEMALLOC_NOFS;
> > +	if (!nofs)
> > +		current->flags |=3D PF_MEMALLOC_NOFS;
> > +
> >  	while (!list_empty(&ashmem_lru_list)) {
> >  		struct ashmem_range *range =3D
> >  			list_first_entry(&ashmem_lru_list, typeof(*range), lru);
>=20
> I do not think this is an appropriate fix. First of all is this a real
> deadlock or a lockdep false positive? Is it possible that ashmem just

The warning matters and we can do something to quiesce it.

> needs to properly annotate its shmem inodes? Or is it possible that
> the internal backing shmem file is visible to the userspace so the writ=
e
> path would be possible?
>=20
> If this a real problem then the proper fix would be to set internal
> shmem mapping's gfp_mask to drop __GFP_FS.

Thanks for the tip, see below.

Can you expand a bit on how it helps direct reclaimers like khugepaged
in the syzbot report wrt deadlock? TBH I have difficult time following
up after staring at the chart below for quite a while.

Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(fs_reclaim);
                               lock(&sb->s_type->i_mutex_key#15);
                               lock(fs_reclaim);

  lock(&sb->s_type->i_mutex_key#15);


--- a/drivers/staging/android/ashmem.c
+++ b/drivers/staging/android/ashmem.c
@@ -381,6 +381,7 @@ static int ashmem_mmap(struct file *file
 	if (!asma->file) {
 		char *name =3D ASHMEM_NAME_DEF;
 		struct file *vmfile;
+		gfp_t gfp;
=20
 		if (asma->name[ASHMEM_NAME_PREFIX_LEN] !=3D '\0')
 			name =3D asma->name;
@@ -392,6 +393,10 @@ static int ashmem_mmap(struct file *file
 			goto out;
 		}
 		vmfile->f_mode |=3D FMODE_LSEEK;
+		gfp =3D mapping_gfp_mask(vmfile->f_mapping);
+		if (gfp & __GFP_FS)
+			mapping_set_gfp_mask(vmfile->f_mapping,
+						gfp & ~__GFP_FS);
 		asma->file =3D vmfile;
 	}
 	get_file(asma->file);