)]}' { "commit": "1b1e2b01ac575e6ecc5a3a83615620cc2fd27c45", "tree": "4e1ad32a429298966ab37ca86de62954459968f4", "parents": [ "783b0a82b31debe930ab76e5b0a391ccbfe16c2b" ], "author": { "name": "Matthew Wilcox (Oracle)", "email": "willy@infradead.org", "time": "Fri Jan 09 04:13:42 2026 +0000" }, "committer": { "name": "Miri Amarilio", "email": "mirilio@google.com", "time": "Mon Feb 09 10:39:27 2026 -0800" }, "message": "migrate: correct lock ordering for hugetlb file folios\n\ncommit b7880cb166ab62c2409046b2347261abf701530e upstream.\n\nSyzbot has found a deadlock (analyzed by Lance Yang):\n\n1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock).\n2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire\nfolio_lock.\n\nmigrate_pages()\n -\u003e migrate_hugetlbs()\n -\u003e unmap_and_move_huge_page() \u003c- Takes folio_lock!\n -\u003e remove_migration_ptes()\n -\u003e __rmap_walk_file()\n -\u003e i_mmap_lock_read() \u003c- Waits for i_mmap_rwsem(read lock)!\n\nhugetlbfs_fallocate()\n -\u003e hugetlbfs_punch_hole() \u003c- Takes i_mmap_rwsem(write lock)!\n -\u003e hugetlbfs_zero_partial_page()\n -\u003e filemap_lock_hugetlb_folio()\n -\u003e filemap_lock_folio()\n -\u003e __filemap_get_folio \u003c- Waits for folio_lock!\n\nThe migration path is the one taking locks in the wrong order according to\nthe documentation at the top of mm/rmap.c. So expand the scope of the\nexisting i_mmap_lock to cover the calls to remove_migration_ptes() too.\n\nThis is (mostly) how it used to be after commit c0d0381ade79. That was\nremoved by 336bf30eb765 for both file \u0026 anon hugetlb pages when it should\nonly have been removed for anon hugetlb pages.\n\nBUG\u003db/482088543\nTEST\u003dpresubmit\nRELEASE_NOTE\u003dFixed CVE-2026-23097 in the Linux kernel.\n\ncos-patch: security-moderate\nLink: https://lkml.kernel.org/r/20260109041345.3863089-2-willy@infradead.org\nChange-Id: I4e238739c3a57b3fc9619ea4ea07e6d7223474bd\nSigned-off-by: Matthew Wilcox (Oracle) \u003cwilly@infradead.org\u003e\nFixes: 336bf30eb765 (\"hugetlbfs: fix anon huge page migration race\")\nReported-by: syzbot+2d9c96466c978346b55f@syzkaller.appspotmail.com\nLink: https://lore.kernel.org/all/68e9715a.050a0220.1186a4.000d.GAE@google.com\nDebugged-by: Lance Yang \u003clance.yang@linux.dev\u003e\nAcked-by: David Hildenbrand (Red Hat) \u003cdavid@kernel.org\u003e\nAcked-by: Zi Yan \u003cziy@nvidia.com\u003e\nCc: Alistair Popple \u003capopple@nvidia.com\u003e\nCc: Byungchul Park \u003cbyungchul@sk.com\u003e\nCc: Gregory Price \u003cgourry@gourry.net\u003e\nCc: Jann Horn \u003cjannh@google.com\u003e\nCc: Joshua Hahn \u003cjoshua.hahnjy@gmail.com\u003e\nCc: Liam Howlett \u003cliam.howlett@oracle.com\u003e\nCc: Lorenzo Stoakes \u003clorenzo.stoakes@oracle.com\u003e\nCc: Matthew Brost \u003cmatthew.brost@intel.com\u003e\nCc: Rakie Kim \u003crakie.kim@sk.com\u003e\nCc: Rik van Riel \u003criel@surriel.com\u003e\nCc: Vlastimil Babka \u003cvbabka@suse.cz\u003e\nCc: Ying Huang \u003cying.huang@linux.alibaba.com\u003e\nCc: \u003cstable@vger.kernel.org\u003e\nSigned-off-by: Andrew Morton \u003cakpm@linux-foundation.org\u003e\nSigned-off-by: Greg Kroah-Hartman \u003cgregkh@linuxfoundation.org\u003e\nSigned-off-by: Kernel CVE Triage Automation \u003ccloud-image-kernel-cve-triage-automation@prod.google.com\u003e\nReviewed-on: https://cos-review.googlesource.com/c/third_party/kernel/+/130202\nTested-by: Cusky Presubmit Bot \u003cpresubmit@cos-infra-prod.iam.gserviceaccount.com\u003e\nReviewed-by: Chenglong Tang \u003cchenglongtang@google.com\u003e\nReviewed-by: Miri Amarilio \u003cmirilio@google.com\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "bc6d5aeec718f7a7518a7b3e4d448759fcbe6318", "old_mode": 33188, "old_path": "mm/migrate.c", "new_id": "6247317d6600d1c0ba0a242c7f862945005d67b0", "new_mode": 33188, "new_path": "mm/migrate.c" } ] }