On January 31, 2017 5:32 PM Kirill A. Shutemov wrote: > On Tue, Jan 31, 2017 at 09:27:41AM +0100, Dmitry Vyukov wrote: > > Hello, > > > > I've got the following report while running syzkaller fuzzer on > > fd694aaa46c7ed811b72eb47d5eb11ce7ab3f7f1: > > This should help: > > From fb85b3fe273decb11c558d56257193424b8f071a Mon Sep 17 00:00:00 2001 > From: "Kirill A. Shutemov" <kirill.shute...@linux.intel.com> > Date: Tue, 31 Jan 2017 12:22:26 +0300 > Subject: [PATCH] shmem: fix sleeping from atomic context > > Syzkaller fuzzer managed to trigger this: > > BUG: sleeping function called from invalid context at mm/shmem.c:852 > in_atomic(): 1, irqs_disabled(): 0, pid: 529, name: khugepaged > 3 locks held by khugepaged/529: > #0: (shrinker_rwsem){++++..}, at: [<ffffffff818d7ef1>] > shrink_slab.part.59+0x121/0xd30 mm/vmscan.c:451 > #1: (&type->s_umount_key#29){++++..}, at: [<ffffffff81a63630>] > trylock_super+0x20/0x100 fs/super.c:392 > #2: (&(&sbinfo->shrinklist_lock)->rlock){+.+.-.}, at: > [<ffffffff818fd83e>] spin_lock include/linux/spinlock.h:302 [inline] > #2: (&(&sbinfo->shrinklist_lock)->rlock){+.+.-.}, at: > [<ffffffff818fd83e>] shmem_unused_huge_shrink+0x28e/0x1490 > mm/shmem.c:427 > CPU: 2 PID: 529 Comm: khugepaged Not tainted 4.10.0-rc5+ #201 > Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 > Call Trace: > __dump_stack lib/dump_stack.c:15 [inline] > dump_stack+0x2ee/0x3ef lib/dump_stack.c:51 > ___might_sleep+0x47e/0x650 kernel/sched/core.c:7780 > shmem_undo_range+0xb20/0x2710 mm/shmem.c:852 > shmem_truncate_range+0x27/0xa0 mm/shmem.c:939 > shmem_evict_inode+0x35f/0xca0 mm/shmem.c:1030 > evict+0x46e/0x980 fs/inode.c:553 > iput_final fs/inode.c:1515 [inline] > iput+0x589/0xb20 fs/inode.c:1542 > shmem_unused_huge_shrink+0xbad/0x1490 mm/shmem.c:446 > shmem_unused_huge_scan+0x10c/0x170 mm/shmem.c:512 > super_cache_scan+0x376/0x450 fs/super.c:106 > do_shrink_slab mm/vmscan.c:378 [inline] > shrink_slab.part.59+0x543/0xd30 mm/vmscan.c:481 > shrink_slab mm/vmscan.c:2592 [inline] > shrink_node+0x2c7/0x870 mm/vmscan.c:2592 > shrink_zones mm/vmscan.c:2734 [inline] > do_try_to_free_pages+0x369/0xc80 mm/vmscan.c:2776 > try_to_free_pages+0x3c6/0x900 mm/vmscan.c:2982 > __perform_reclaim mm/page_alloc.c:3301 [inline] > __alloc_pages_direct_reclaim mm/page_alloc.c:3322 [inline] > __alloc_pages_slowpath+0xa24/0x1c30 mm/page_alloc.c:3683 > __alloc_pages_nodemask+0x544/0xae0 mm/page_alloc.c:3848 > __alloc_pages include/linux/gfp.h:426 [inline] > __alloc_pages_node include/linux/gfp.h:439 [inline] > khugepaged_alloc_page+0xc2/0x1b0 mm/khugepaged.c:750 > collapse_huge_page+0x182/0x1fe0 mm/khugepaged.c:955 > khugepaged_scan_pmd+0xfdf/0x12a0 mm/khugepaged.c:1208 > khugepaged_scan_mm_slot mm/khugepaged.c:1727 [inline] > khugepaged_do_scan mm/khugepaged.c:1808 [inline] > khugepaged+0xe9b/0x1590 mm/khugepaged.c:1853 > kthread+0x326/0x3f0 kernel/kthread.c:227 > ret_from_fork+0x31/0x40 arch/x86/entry/entry_64.S:430 > > The iput() from atomic context was a bad idea: if after igrab() somebody > else calls iput() and we left with the last inode reference, our iput() > would lead to inode eviction and therefore sleeping. > > This patch should fix the situation. > > Signed-off-by: Kirill A. Shutemov <kirill.shute...@linux.intel.com> > Reported-by: Dmitry Vyukov <dvyu...@google.com> > --- Acked-by: Hillf Danton <hillf...@alibaba-inc.com>