padata: Is padata_find_next() thread-safe?

Next message: Ritesh Kumar: "[PATCH v3 1/2] dt-bindings: phy: qcom-edp: Add eDP ref clk for sa8775p"
Previous message: Luis Henriques: "Re: [RFC] Another take at restarting FUSE servers"
Next in thread: Herbert Xu: "Re: padata: Is padata_find_next() thread-safe?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Tetsuo Handa

Date: Tue Nov 04 2025 - 06:45:30 EST

syzbot is reporting possibility of recursive locking at
https://syzkaller.appspot.com/bug?extid=bd936ccd4339cea66e6b .
If this is a false positive report, the fix will be as simple as

--- a/kernel/padata.c
+++ b/kernel/padata.c
@@ -253,7 +253,7 @@ static struct padata_priv *padata_find_next(struct parallel_data *pd, int cpu,

reorder = per_cpu_ptr(pd->reorder_list, cpu);

- spin_lock(&reorder->lock);
+ spin_lock_nested(&reorder->lock, 1);
if (list_empty(&reorder->list))
goto notfound;

. But I don't know if there is a possibility of AB-BA deadlock.

Can a sequence shown below possible? If it is possible, how is calling
padata_find_next() with a spinlock already held by caller introduced by
commit 71203f68c774 ("padata: Fix pd UAF once and for all") thread-safe?

struct padata_list list[2];

CPU 0: CPU 1:

spin_lock(&list[0].lock);
spin_lock(&list[1].lock);
spin_lock_nested(&list[1].lock, 1);
spin_lock_nested(&list[0].lock, 1);
do_something();
do_something();
spin_unlock(&list[1].lock);
spin_unlock(&list[0].lock);
spin_unlock(&list[0].lock);
spin_unlock(&list[1].lock);