From: Jann Horn
Date: Mon, 21 Mar 2022 17:17:54 +0100
Subject: Re: [syzbot] possible deadlock in pipe_write
To: David Howells
Cc: syzbot, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
In-Reply-To: <1037989.1647878628@warthog.procyon.org.uk>
References: <000000000000778f1005dab1558e@google.com> <1037989.1647878628@warthog.procyon.org.uk>
X-Mailing-List: linux-kernel@vger.kernel.org

On Mon, Mar 21, 2022 at 5:03 PM David Howells wrote:
> Jann Horn wrote:
>
> > The syz reproducer is:
> >
> > #{"threaded":true,"procs":1,"slowdown":1,"sandbox":"","close_fds":false}
> > pipe(&(0x7f0000000240)={0xffffffffffffffff, 0xffffffffffffffff})
> > pipe2(&(0x7f00000001c0)={0xffffffffffffffff, 0xffffffffffffffff}, 0x80)
> > splice(r0, 0x0, r2, 0x0, 0x1ff, 0x0)
> > vmsplice(r1, &(0x7f00000006c0)=[{&(0x7f0000000080)="b5", 0x1}], 0x1, 0x0)
> >
> > That 0x80 is O_NOTIFICATION_PIPE (==O_EXCL).
> >
> > It looks like the bug is that when you try to splice between a normal
> > pipe and a notification pipe, get_pipe_info(..., true) fails, so
> > splice() falls back to treating the notification pipe like a normal
> > pipe - so we end up in iter_file_splice_write(), which first locks the
> > input pipe, then calls vfs_iter_write(), which locks the output pipe.
> >
> > I think this probably (?) can't actually lead to deadlocks, since
> > you'd need another way to nest locking a normal pipe into locking a
> > watch_queue pipe, but the lockdep annotations don't make that clear.
>
> Is this then a bug/feature in iter_file_splice_write() rather than in the
> watch queue code, per se?

I think at least when you call splice() on two normal pipes from
userspace, it'll never go through this codepath for real pipes, because
pipe-to-pipe splicing is special-cased? And sendfile() bails out in that
case because pipes don't have a .splice_read() handler.

And with notification pipes, we don't take that special path in
splice(), and so we hit the lockdep warning. But I don't know whether
that makes it the fault of notification pipes...

Maybe it would be enough to just move the "if (pipe->watch_queue)"
check in pipe_write() up above the __pipe_lock(pipe)?
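The thread above turns on what a lockdep warning actually proves: the splice path records one lock order (input pipe held while the output pipe is taken), and that ordering is only a deadlock if some other path nests the same two lock classes the opposite way. The following user-space model, an added example that is not code from the thread or from the kernel, tracks lock-order edges between lock classes the way lockdep does in spirit and flags an acquisition that would close a cycle. The class names `PIPE_MUTEX` and `NOTIF_PIPE_MUTEX`, the `model_lock`/`model_unlock` API and both scenario functions are assumptions chosen to mirror the scenario described in the message; they are not kernel identifiers.

```c
/* Added example: a minimal user-space model of lock-order tracking, in the
 * spirit of the kernel's lockdep. Not kernel code; class names and scenarios
 * are assumptions that mirror the splice()/pipe_write() discussion. */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum lock_class { PIPE_MUTEX = 0, NOTIF_PIPE_MUTEX = 1, NUM_CLASSES };
#define MAX_HELD 8

/* order_seen[a][b]: class b has been acquired while class a was held */
static bool order_seen[NUM_CLASSES][NUM_CLASSES];

struct task_ctx {
    int held[MAX_HELD];
    int nheld;
};

void lockdep_model_reset(void) {
    memset(order_seen, 0, sizeof order_seen);
}

/* Depth-first search over recorded orderings: does "from" precede "to"? */
static bool path_exists(int from, int to, bool *visited) {
    if (from == to)
        return true;
    visited[from] = true;
    for (int n = 0; n < NUM_CLASSES; n++)
        if (order_seen[from][n] && !visited[n] && path_exists(n, to, visited))
            return true;
    return false;
}

/* Returns 0 on a clean acquisition, -1 if taking cls now would invert an
 * ordering already observed (including re-taking a class already held). */
int model_lock(struct task_ctx *t, int cls) {
    for (int i = 0; i < t->nheld; i++) {
        bool visited[NUM_CLASSES] = { false };
        if (path_exists(cls, t->held[i], visited))
            return -1;  /* cls is known to come before a lock we hold */
    }
    for (int i = 0; i < t->nheld; i++)
        order_seen[t->held[i]][cls] = true;  /* record held -> cls */
    t->held[t->nheld++] = cls;  /* assumes nheld < MAX_HELD */
    return 0;
}

void model_unlock(struct task_ctx *t, int cls) {
    for (int i = t->nheld - 1; i >= 0; i--) {
        if (t->held[i] == cls) {
            memmove(&t->held[i], &t->held[i + 1],
                    (size_t)(t->nheld - i - 1) * sizeof t->held[0]);
            t->nheld--;
            return;
        }
    }
}

/* The path from the report: iter_file_splice_write() locks the input
 * (normal) pipe, then vfs_iter_write() -> pipe_write() locks the output
 * (notification) pipe. Returns 0 when the tracker accepts both. */
int scenario_splice_into_notification_pipe(void) {
    struct task_ctx t = { {0}, 0 };
    int rc = model_lock(&t, PIPE_MUTEX);
    if (rc == 0)
        rc = model_lock(&t, NOTIF_PIPE_MUTEX);
    model_unlock(&t, NOTIF_PIPE_MUTEX);
    model_unlock(&t, PIPE_MUTEX);
    return rc;
}

/* A hypothetical path nesting the two classes the other way round. Only if
 * such a path exists does the ordering above become a real deadlock. */
int scenario_reverse_nesting(void) {
    struct task_ctx t = { {0}, 0 };
    int rc = model_lock(&t, NOTIF_PIPE_MUTEX);
    if (rc == 0)
        rc = model_lock(&t, PIPE_MUTEX);
    model_unlock(&t, PIPE_MUTEX);
    model_unlock(&t, NOTIF_PIPE_MUTEX);
    return rc;
}

int main(void) {
    lockdep_model_reset();
    printf("splice path: %d\n", scenario_splice_into_notification_pipe());
    printf("reverse nesting afterwards: %d\n", scenario_reverse_nesting());
    return 0;
}
```

Run on its own, the reverse path is accepted and merely recorded; run after the splice path it is rejected, because the tracker already knows `PIPE_MUTEX` precedes `NOTIF_PIPE_MUTEX`. That is the distinction the message draws: the warning is about an ordering that lockdep cannot rule out being inverted elsewhere, not evidence that the second path exists. Moving the `watch_queue` check ahead of the lock, as suggested, would simply stop the splice path from ever recording the edge.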