From patchwork Wed Mar  5 09:16:38 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Alexey Panov <apanov@astralinux.ru>
X-Patchwork-Id: 14003162
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 2661CC19F32
	for <linux-mm@archiver.kernel.org>; Wed,  5 Mar 2025 18:44:05 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 341A928001E; Wed,  5 Mar 2025 13:44:03 -0500 (EST)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 2F00328000B; Wed,  5 Mar 2025 13:44:03 -0500 (EST)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 1BDC728001E; Wed,  5 Mar 2025 13:44:03 -0500 (EST)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com
 [216.40.44.13])
	by kanga.kvack.org (Postfix) with ESMTP id F238028000B
	for <linux-mm@kvack.org>; Wed,  5 Mar 2025 13:44:02 -0500 (EST)
Received: from smtpin14.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay04.hostedemail.com (Postfix) with ESMTP id C35181A02DD
	for <linux-mm@kvack.org>; Wed,  5 Mar 2025 09:17:27 +0000 (UTC)
X-FDA: 83186944134.14.DA344C1
Received: from mail-gw01.astralinux.ru (mail-gw01.astralinux.ru
 [37.230.196.243])
	by imf21.hostedemail.com (Postfix) with ESMTP id C43DD1C0008
	for <linux-mm@kvack.org>; Wed,  5 Mar 2025 09:17:24 +0000 (UTC)
Authentication-Results: imf21.hostedemail.com;
	dkim=none;
	spf=pass (imf21.hostedemail.com: domain of apanov@astralinux.ru designates
 37.230.196.243 as permitted sender) smtp.mailfrom=apanov@astralinux.ru;
	dmarc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1741166245;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:references; bh=EOj7yk2RyHTkCUM1/dD3lmDxWb6LfOIliQSwyCpKMzE=;
	b=oY6+YxmIK29bR5n8i0MYvH9Vpp7bggjXuHbPWgBoE+Lj8LAG9FEpcAZwVaglmW5fUVJxq7
	XdP2n4WDtAxQwWm3pnrOmF7SKGYkR8NsnJ4XdfLOEaWmGWntKUWPif7QxLdqEY5e7hfKj3
	7CSRgOmXQXr7WoUAXC1abnTanieZQ1I=
ARC-Authentication-Results: i=1;
	imf21.hostedemail.com;
	dkim=none;
	spf=pass (imf21.hostedemail.com: domain of apanov@astralinux.ru designates
 37.230.196.243 as permitted sender) smtp.mailfrom=apanov@astralinux.ru;
	dmarc=none
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1741166245; a=rsa-sha256;
	cv=none;
	b=tL/GodtpYeWxvnWCZuT4AICcG2yr+/Bf50ZsNOJaLoHdUmF/3Fy8PzJxFL4LbhYJYHdUGU
	LnlyJHuoaKCoJoyyvdD69ZPs1aRLjHoUimrvdOkFXqJzCXWNkF7vZBd1eeJfCeGoC4wUAn
	Au+2JAVQFgbOATNSJ4qo1opqCtdlwII=
Received: from gca-sc-a-srv-ksmg01.astralinux.ru (localhost [127.0.0.1])
	by mail-gw01.astralinux.ru (Postfix) with ESMTP id AE35E24E82;
	Wed,  5 Mar 2025 12:17:21 +0300 (MSK)
Received: from new-mail.astralinux.ru (gca-yc-ruca-srv-mail03.astralinux.ru
 [10.177.185.108])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits) server-digest
 SHA256)
	(No client certificate requested)
	by mail-gw01.astralinux.ru (Postfix) with ESMTPS;
	Wed,  5 Mar 2025 12:17:19 +0300 (MSK)
Received: from rbta-msk-lt-156703.astralinux.ru (unknown [10.198.62.40])
	by new-mail.astralinux.ru (Postfix) with ESMTPA id 4Z76Q60Qsjz1h0Bc;
	Wed,  5 Mar 2025 12:17:17 +0300 (MSK)
From: Alexey Panov <apanov@astralinux.ru>
To: stable@vger.kernel.org,
	Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	Andrew Morton <akpm@linux-foundation.org>
Cc: Alexey Panov <apanov@astralinux.ru>,
	Christoph Lameter <cl@linux.com>,
	"Liam R. Howlett" <Liam.Howlett@Oracle.com>,
	David Hildenbrand <david@redhat.com>,
	Sasha Levin <sashal@kernel.org>,
	linux-mm@kvack.org,
	linux-kernel@vger.kernel.org,
	lvc-project@linuxtesting.org
Subject: [PATCH 6.6] mm/mempolicy: fix unbalanced unlock in backported VMA
 check
Date: Wed,  5 Mar 2025 12:16:38 +0300
Message-Id: <20250305091638.19691-1-apanov@astralinux.ru>
X-Mailer: git-send-email 2.30.2
MIME-Version: 1.0
X-KSMG-AntiPhishing: NotDetected
X-KSMG-AntiSpam-Auth: dkim=none
X-KSMG-AntiSpam-Envelope-From: apanov@astralinux.ru
X-KSMG-AntiSpam-Info: LuaCore: 51 0.3.51
 68896fb0083a027476849bf400a331a2d5d94398, {Tracking_internal2},
 {Tracking_from_domain_doesnt_match_to},
 astralinux.ru:7.1.1;127.0.0.199:7.1.2;new-mail.astralinux.ru:7.1.1;d41d8cd98f00b204e9800998ecf8427e.com:7.1.1,
 FromAlignment: s
X-KSMG-AntiSpam-Interceptor-Info: scan successful
X-KSMG-AntiSpam-Lua-Profiles: 191497 [Mar 05 2025]
X-KSMG-AntiSpam-Method: none
X-KSMG-AntiSpam-Rate: 0
X-KSMG-AntiSpam-Status: not_detected
X-KSMG-AntiSpam-Version: 6.1.1.11
X-KSMG-AntiVirus: Kaspersky Secure Mail Gateway, version 2.1.0.7854,
 bases: 2025/03/05 06:08:00 #27609135
X-KSMG-AntiVirus-Status: NotDetected, skipped
X-KSMG-LinksScanning: NotDetected
X-KSMG-Message-Action: skipped
X-KSMG-Rule-ID: 1
X-Rspam-User: 
X-Rspamd-Queue-Id: C43DD1C0008
X-Rspamd-Server: rspam09
X-Stat-Signature: 7tf4fipwgrxmjteubug4nzdo361k51au
X-HE-Tag: 1741166244-345686
X-HE-Meta: 
 U2FsdGVkX1/kj7Vz5TZHkCdP/itYgkWBZWoXUeUn+OA/IsNvkOrfxi4eCvKDO6uDqjQHrhAzruv6XF+Tr9PVmZEdWsCczFmMh2mAkFn4uZclCi5VDLO8Kgz7nk18gkcIYd6j9Q9VMTr0+eI+AnNe91VwpOIlfwIPeKCgpX73r/EKOkVGNsuEKZ5Sv5QC1tj80uJvlOqHTLPmbvCoF7QC+OTyDBnJ0+7floEuSiH6DUAA2E6q7h0pS7FycHXKzIYita9RI8Du6OWMm/bRxUTGLS5q33DU/pkDKJUlNmOkoUZWGI63yhh02jeXMdgfVRxui/b1/kRcLxuPBYFKoyejoiVDqiCugIHzqxOOMjbrbETqjgrqOFOoRr1s70tZuDtkq87TfhRaMx30SRxzycv2J+zohoYNn+vkvQiCOxQApKMCCEe5GwYHzCzRaf97cXQFzbCPI644G1U2frOUwq+lAT0U+g4gQVbUGeo3SBdqNRAOnCqP1nUCIPoCzz7iKHyGnGSHZsMYeV8P7jL+v8qa6vJSpQvvzfBqDkCmfS0JZ+FDJwbP6B5vrH/cJxZXuB1+scYXpdF4A9pdLxGrkZy41K1re0Kqf5NGGei44iTcQXPdgcwPag1zKpBDxSPznJhdTtzsx+WkdGVbDs359xXADZMpG6RdTlH534Q3oF3QVjMr/pXhPU0wZxukTB++XvD9sAzdEdt/veEIrq++ctSfmEgq7K8Hc9/pMxHnoD+MvPap/vQpnc18ppGU1EFKhqsXQEAMlMINXawZrAkDhwX3rSTYQWGpbTwgzRYcP0Qo+ucdtmzg9sDUmLGBXhDY7W4Jdg6UemeOv29FcTE3FeHFxYkJNDMxrIfJ3NONHB85ssYTmpLUskn/yLOP9oOR4LJZhR7ltuXM/xi+6h+gDy7nuNWVULeRek0MEL3TS8MhZy+4E+O1ZvlL4cFhoyev5ZZ8sEQmZFCsIEVvP1divVB
 5LfLTx2V
 ZSJSYWSUwf0rJRomrSUQ2AzLRm3+mK9/CBuIraYX/wpvNlw+gA5SOebSb/YJDizRudTO+2qF9SJgPf7UmnninU9dAdJiftGJ9ymawLbnPT68+P1jzL5hhQyfmmUrYKvhpwfBl54hcslF8eOmC5ABq0heZFWYzD6qs7WDdK6EISKcJRE+mmpE0iMb5yuzd+4EYLZiytFntJihxPIONzlxcH8MUUaOlbQloR9jNj5TQLOGABTTcNAz1RalsULIcv8PJO56t0r/8Fd/GKhg0AMqYDu9G7RYRoPnPDky1054Qz1IrvZ8=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

No upstream commit exists for this commit.

The issue was introduced with backporting upstream commit 091c1dd2d4df
("mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA
in a MM").

The backport incorrectly added unlock logic to a path where
mmap_read_lock() wasn't acquired, creating lock imbalance when no VMAs
are found.

This fixes the report:

WARNING: bad unlock balance detected!
6.6.79 #1 Not tainted
-------------------------------------
repro/9655 is trying to release lock (&mm->mmap_lock) at:
[<ffffffff81daa36f>] mmap_read_unlock include/linux/mmap_lock.h:173 [inline]
[<ffffffff81daa36f>] do_migrate_pages+0x59f/0x700 mm/mempolicy.c:1196
but there are no more locks to release!

other info that might help us debug this:
no locks held by repro/9655.

stack backtrace:
CPU: 1 PID: 9655 Comm: a Not tainted 6.6.79 #1
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.16.2-debian-1.16.2-1 04/01/2014
Call Trace:
 <TASK>
 __dump_stack lib/dump_stack.c:88 [inline]
 dump_stack_lvl+0xd5/0x1b0 lib/dump_stack.c:106
 __lock_release kernel/locking/lockdep.c:5431 [inline]
 lock_release+0x4b1/0x680 kernel/locking/lockdep.c:5774
 up_read+0x12/0x20 kernel/locking/rwsem.c:1615
 mmap_read_unlock include/linux/mmap_lock.h:173 [inline]
 do_migrate_pages+0x59f/0x700 mm/mempolicy.c:1196
 kernel_migrate_pages+0x59b/0x780 mm/mempolicy.c:1665
 __do_sys_migrate_pages mm/mempolicy.c:1684 [inline]
 __se_sys_migrate_pages mm/mempolicy.c:1680 [inline]
 __x64_sys_migrate_pages+0x92/0xf0 mm/mempolicy.c:1680
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x34/0xb0 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x68/0xd2

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

Fixes: a13b2b9b0b0b ("mm/mempolicy: fix migrate_to_node() assuming there is at least one VMA in a MM")
Signed-off-by: Alexey Panov <apanov@astralinux.ru>
---
 mm/mempolicy.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/mm/mempolicy.c b/mm/mempolicy.c
index 94c74c594d10..1eccbed2fd06 100644
--- a/mm/mempolicy.c
+++ b/mm/mempolicy.c
@@ -1072,7 +1072,6 @@ static long migrate_to_node(struct mm_struct *mm, int source, int dest,
 	VM_BUG_ON(!(flags & (MPOL_MF_MOVE | MPOL_MF_MOVE_ALL)));
 	vma = find_vma(mm, 0);
 	if (unlikely(!vma)) {
-		mmap_read_unlock(mm);
 		return 0;
 	}