From: David Howells
To: Jann Horn
Cc: dhowells@redhat.com, syzbot, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [syzbot] possible deadlock in pipe_write
Date: Mon, 21 Mar 2022 16:03:48 +0000
Message-ID: <1037989.1647878628@warthog.procyon.org.uk>

Jann Horn wrote:

> The syz reproducer is:
>
> #{"threaded":true,"procs":1,"slowdown":1,"sandbox":"","close_fds":false}
> pipe(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff})
> pipe2(&(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80)
> splice(r0, 0x0, r2, 0x0, 0x1ff, 0x0)
> vmsplice(r1, &(0x7f00000006c0)=[{&(0x7f0000000080)="b5", 0x1}], 0x1, 0x0)
>
> That 0x80 is O_NOTIFICATION_PIPE (==O_EXCL).
>
> It looks like the bug is that when you try to splice between a normal
> pipe and a notification pipe, get_pipe_info(..., true) fails, so
> splice() falls back to treating the notification pipe like a normal
> pipe - so we end up in iter_file_splice_write(), which first locks the
> input pipe, then calls vfs_iter_write(), which locks the output pipe.
>
> I think this probably (?) can't actually lead to deadlocks, since
> you'd need another way to nest locking a normal pipe into locking a
> watch_queue pipe, but the lockdep annotations don't make that clear.

Is this then a bug/feature in iter_file_splice_write() rather than in the
watch queue code, per se?

David
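
The nesting discussed in this thread (input pipe locked, then the output pipe locked on the write path) can be modelled with a toy lock-class validator. This is an added example, not code from the mail or from the kernel; it is a simplified model of class-based lock checking, and the class names PIPE and PIPE_NESTED are hypothetical labels that do not correspond to the kernel's actual subclass values.

```c
#include <stdio.h>

/* Toy model of a lock validator that reasons about lock *classes*,
 * never about individual lock instances.
 * PIPE / PIPE_NESTED are constructed labels for this example (assumption). */
enum { PIPE, PIPE_NESTED, NCLASS };
enum verdict { LOCK_OK, LOCK_RECURSIVE, LOCK_INVERSION };

static int dep[NCLASS][NCLASS];   /* dep[a][b]: class b was taken while a was held */

struct task { int held[NCLASS]; int depth; };

/* Is class 'to' reachable from class 'from' along recorded dependencies? */
static int reachable(int from, int to, int *seen)
{
    if (from == to)
        return 1;
    seen[from] = 1;
    for (int n = 0; n < NCLASS; n++)
        if (dep[from][n] && !seen[n] && reachable(n, to, seen))
            return 1;
    return 0;
}

/* Acquire a lock of class 'cls' and validate it against the locks already held. */
static enum verdict acquire(struct task *t, int cls)
{
    for (int i = 0; i < t->depth; i++) {
        int seen[NCLASS] = {0};
        if (t->held[i] == cls)
            return LOCK_RECURSIVE;            /* same class nested in itself */
        if (reachable(cls, t->held[i], seen))
            return LOCK_INVERSION;            /* would close an ordering cycle */
    }
    for (int i = 0; i < t->depth; i++)
        dep[t->held[i]][cls] = 1;             /* remember held -> cls ordering */
    t->held[t->depth++] = cls;
    return LOCK_OK;
}

/* One task takes 'outer' then 'inner'; returns the verdict for the inner acquire. */
static enum verdict nest(int outer, int inner)
{
    struct task t = {0};
    acquire(&t, outer);
    return acquire(&t, inner);
}

int main(void)
{
    printf("input pipe then output pipe, one class: %d\n", nest(PIPE, PIPE));
    printf("inner lock in its own subclass:         %d\n", nest(PIPE, PIPE_NESTED));
    printf("a later task nesting the other way:     %d\n", nest(PIPE_NESTED, PIPE));
    return 0;
}
```

The first case is flagged even though two different pipes are involved, because the model cannot tell instances of one class apart; the third case shows the kind of opposite-order nesting that would be needed for an actual cycle.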