linux-mm.kvack.org archive mirror
 help / color / mirror / Atom feed
From: Michal Hocko <mhocko@suse.com>
To: Shakeel Butt <shakeelb@google.com>
Cc: Mike Kravetz <mike.kravetz@oracle.com>,
	syzbot <syzbot+506c8a2a115201881d45@syzkaller.appspotmail.com>,
	Andrew Morton <akpm@linux-foundation.org>,
	LKML <linux-kernel@vger.kernel.org>,
	Linux MM <linux-mm@kvack.org>,
	syzkaller-bugs <syzkaller-bugs@googlegroups.com>,
	Eric Dumazet <edumazet@google.com>,
	Mina Almasry <almasrymina@google.com>
Subject: Re: possible deadlock in sk_clone_lock
Date: Mon, 1 Mar 2021 13:11:57 +0100	[thread overview]
Message-ID: <YDzaAWK41K4gD35V@dhcp22.suse.cz> (raw)
In-Reply-To: <CALvZod5qODDSxqHqQ=_1roYVGVVvEvP3FnYMnAPQZgvUjxotsw@mail.gmail.com>

On Fri 26-02-21 16:00:30, Shakeel Butt wrote:
> On Fri, Feb 26, 2021 at 3:14 PM Mike Kravetz <mike.kravetz@oracle.com> wrote:
> >
> > Cc: Michal
> >
> > On 2/26/21 2:44 PM, Shakeel Butt wrote:
> > > On Fri, Feb 26, 2021 at 2:09 PM syzbot
> > > <syzbot+506c8a2a115201881d45@syzkaller.appspotmail.com> wrote:
> > <snip>
> > >> other info that might help us debug this:
> > >>
> > >>  Possible interrupt unsafe locking scenario:
> > >>
> > >>        CPU0                    CPU1
> > >>        ----                    ----
> > >>   lock(hugetlb_lock);
> > >>                                local_irq_disable();
> > >>                                lock(slock-AF_INET);
> > >>                                lock(hugetlb_lock);
> > >>   <Interrupt>
> > >>     lock(slock-AF_INET);
> > >>
> > >>  *** DEADLOCK ***
> > >
> > > This has been reproduced on 4.19 stable kernel as well [1] and there
> > > is a reproducer as well.
> > >
> > > It seems like sendmsg(MSG_ZEROCOPY) from a buffer backed by hugetlb. I
> > > wonder if we just need to make hugetlb_lock softirq-safe.
> > >
> > > [1] https://syzkaller.appspot.com/bug?extid=6383ce4b0b8ec575ad93
> >
> > Thanks Shakeel,
> >
> > Commit c77c0a8ac4c5 ("mm/hugetlb: defer freeing of huge pages if in non-task
> > context") attempted to address this issue.  It uses a work queue to
> > acquire hugetlb_lock if the caller is !in_task().
> >
> > In another recent thread, there was the suggestion to change the
> > !in_task to in_atomic.
> >
> > I need to do some research on the subtle differences between in_task,
> > in_atomic, etc.  TBH, I 'thought' !in_task would prevent the issue
> > reported here.  But, that obviously is not the case.
> 
> I think the freeing is happening in the process context in this report
> but it is creating the lock chain from softirq-safe slock to
> irq-unsafe hugetlb_lock. So, two solutions I can think of are: (1)
> always defer the freeing of hugetlb pages to a work queue or (2) make
> hugetlb_lock softirq-safe.

There is __do_softirq so this should be in the soft IRQ context no?
Is this really reproducible with kernels which have c77c0a8ac4c5
applied?

Btw. making hugetlb lock irq safe has been already discussed and it
seems to be much harder than expected as some heavy operations are done
under the lock. This is really bad. Postponing the whole freeing
operation into a worker context is certainly possible but I would
consider it rather unfortunate. We would have to add some sync mechanism
to wait for hugetlb pages in flight to prevent from external
observability to the userspace. E.g. when shrinking the pool.
-- 
Michal Hocko
SUSE Labs


  reply	other threads:[~2021-03-01 12:12 UTC|newest]

Thread overview: 16+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2021-02-26 21:08 possible deadlock in sk_clone_lock syzbot
2021-02-26 22:44 ` Shakeel Butt
2021-02-26 23:14   ` Mike Kravetz
2021-02-27  0:00     ` Shakeel Butt
2021-03-01 12:11       ` Michal Hocko [this message]
2021-03-01 15:10         ` Shakeel Butt
2021-03-01 15:57           ` Michal Hocko
2021-03-01 16:39             ` Shakeel Butt
2021-03-01 17:23               ` Michal Hocko
2021-03-02  1:16                 ` Mike Kravetz
2021-03-02  9:44                   ` Michal Hocko
     [not found]                     ` <CALvZod7XHbjfoGGVH=h17u8-FruMaiPMWxXJz5JBmeJkNHBqNQ@mail.gmail.com>
     [not found]                       ` <YD5L1K3EWVWh1ULr@dhcp22.suse.cz>
     [not found]                         ` <06edda9a-dce9-accd-11a3-97f6d5243ed1@oracle.com>
2021-03-03  3:59                           ` Shakeel Butt
2021-03-05  9:09                             ` Michal Hocko
2021-03-03  8:03                           ` Michal Hocko
2021-03-03 17:59                             ` Paul E. McKenney
2021-03-04  9:58                               ` Michal Hocko

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=YDzaAWK41K4gD35V@dhcp22.suse.cz \
    --to=mhocko@suse.com \
    --cc=akpm@linux-foundation.org \
    --cc=almasrymina@google.com \
    --cc=edumazet@google.com \
    --cc=linux-kernel@vger.kernel.org \
    --cc=linux-mm@kvack.org \
    --cc=mike.kravetz@oracle.com \
    --cc=shakeelb@google.com \
    --cc=syzbot+506c8a2a115201881d45@syzkaller.appspotmail.com \
    --cc=syzkaller-bugs@googlegroups.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line before the message body. 
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).