Re: [syzbot] [mm?] possible deadlock in mfill_get_vma
From: syzbot
Date: Sun Mar 15 2026 - 22:24:29 EST
Hello,
syzbot has tested the proposed patch but the reproducer is still triggering an issue:
WARNING: bad unlock balance in mfill_get_vma
=====================================
WARNING: bad unlock balance detected!
syzkaller #0 Not tainted
-------------------------------------
syz.0.17/6492 is trying to release lock (&mm->mmap_lock) at:
[<ffffffff823cd29e>] mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
[<ffffffff823cd29e>] mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
but there are no more locks to release!
other info that might help us debug this:
1 lock held by syz.0.17/6492:
#0: ffff888077c73948 (vm_lock){++++}-{0:0}, at: lock_vma_under_rcu+0x1d1/0x500 mm/mmap_lock.c:310
stack backtrace:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
Call Trace:
<TASK>
dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120
print_unlock_imbalance_bug+0xdc/0xf0 kernel/locking/lockdep.c:5298
__lock_release kernel/locking/lockdep.c:5537 [inline]
lock_release+0x248/0x3d0 kernel/locking/lockdep.c:5889
up_read+0x16/0x20 kernel/locking/rwsem.c:1670
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
mfill_atomic mm/userfaultfd.c:901 [inline]
mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ea8f9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ea9e4f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f2ea9032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2ea9216038 R14: 00007f2ea9215fa0 R15: 00007ffc924a90f8
</TASK>
------------[ cut here ]------------
DEBUG_RWSEMS_WARN_ON(!is_rwsem_reader_owned(sem)): count = 0x0, magic = 0xffff888034691bd0, owner = 0x0, curr 0xffff888035dfdb80, list not empty
WARNING: kernel/locking/rwsem.c:1384 at __up_read+0x52e/0x6b0 kernel/locking/rwsem.c:1384, CPU#1: syz.0.17/6492
Modules linked in:
CPU: 1 UID: 0 PID: 6492 Comm: syz.0.17 Not tainted syzkaller #0 PREEMPT(full)
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 02/12/2026
RIP: 0010:__up_read+0x614/0x6b0 kernel/locking/rwsem.c:1384
Code: f4 ec 8b 49 c7 c2 e0 f3 ec 8b 4c 0f 44 d0 48 8b 7c 24 28 48 c7 c6 a0 f3 ec 8b 48 89 da 48 8b 4c 24 20 4d 89 f0 4d 89 f9 41 52 <67> 48 0f b9 3a 48 83 c4 08 e8 5e 1f 15 03 4c 8b 7c 24 18 e9 38 fb
RSP: 0018:ffffc90003127698 EFLAGS: 00010246
RAX: ffffffff8becf400 RBX: 0000000000000000 RCX: ffff888034691bd0
RDX: 0000000000000000 RSI: ffffffff8becf3a0 RDI: ffffffff90579f30
RBP: ffffc90003127768 R08: 0000000000000000 R09: ffff888035dfdb80
R10: ffffffff8becf400 R11: ffffed10068d237c R12: ffff888034691c28
R13: 1ffff92000624edc R14: 0000000000000000 R15: ffff888035dfdb80
FS: 00007f2ea9e4f6c0(0000) GS:ffff888124ee0000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 00007f2ea904eddd CR3: 0000000079298000 CR4: 00000000003526f0
Call Trace:
<TASK>
mmap_read_unlock include/linux/mmap_lock.h:619 [inline]
mfill_get_vma+0x1ee/0x560 mm/userfaultfd.c:264
mfill_atomic mm/userfaultfd.c:901 [inline]
mfill_atomic_continue+0x189/0x12b0 mm/userfaultfd.c:975
userfaultfd_continue fs/userfaultfd.c:1806 [inline]
userfaultfd_ioctl+0x232d/0x4c70 fs/userfaultfd.c:2071
vfs_ioctl fs/ioctl.c:51 [inline]
__do_sys_ioctl fs/ioctl.c:597 [inline]
__se_sys_ioctl+0xfc/0x170 fs/ioctl.c:583
do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
do_syscall_64+0x14d/0xf80 arch/x86/entry/syscall_64.c:94
entry_SYSCALL_64_after_hwframe+0x77/0x7f
RIP: 0033:0x7f2ea8f9c799
Code: ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 44 00 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 e8 ff ff ff f7 d8 64 89 01 48
RSP: 002b:00007f2ea9e4f028 EFLAGS: 00000246 ORIG_RAX: 0000000000000010
RAX: ffffffffffffffda RBX: 00007f2ea9215fa0 RCX: 00007f2ea8f9c799
RDX: 0000200000000080 RSI: 00000000c020aa07 RDI: 0000000000000003
RBP: 00007f2ea9032c99 R08: 0000000000000000 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 0000000000000000
R13: 00007f2ea9216038 R14: 00007f2ea9215fa0 R15: 00007ffc924a90f8
</TASK>
----------------
Code disassembly (best guess), 3 bytes skipped:
0: 49 c7 c2 e0 f3 ec 8b mov $0xffffffff8becf3e0,%r10
7: 4c 0f 44 d0 cmove %rax,%r10
b: 48 8b 7c 24 28 mov 0x28(%rsp),%rdi
10: 48 c7 c6 a0 f3 ec 8b mov $0xffffffff8becf3a0,%rsi
17: 48 89 da mov %rbx,%rdx
1a: 48 8b 4c 24 20 mov 0x20(%rsp),%rcx
1f: 4d 89 f0 mov %r14,%r8
22: 4d 89 f9 mov %r15,%r9
25: 41 52 push %r10
* 27: 67 48 0f b9 3a ud1 (%edx),%rdi <-- trapping instruction
2c: 48 83 c4 08 add $0x8,%rsp
30: e8 5e 1f 15 03 call 0x3151f93
35: 4c 8b 7c 24 18 mov 0x18(%rsp),%r15
3a: e9 .byte 0xe9
3b: 38 fb cmp %bh,%bl
Tested on:
commit: b84a0ebe Add linux-next specific files for 20260313
git tree: linux-next
console output: https://syzkaller.appspot.com/x/log.txt?x=138bdd52580000
kernel config: https://syzkaller.appspot.com/x/.config?x=e7280ad1f68b2dce
dashboard link: https://syzkaller.appspot.com/bug?extid=c473aa669b5e8a6f48d2
compiler: Debian clang version 21.1.8 (++20251221033036+2078da43e25a-1~exp1~20251221153213.50), Debian LLD 21.1.8
patch: https://syzkaller.appspot.com/x/patch.diff?x=15c078da580000