Date: Thu, 11 Aug 2022 09:40:41 +1000
From: Dave Chinner
To: syzbot
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, viro@zeniv.linux.org.uk
Subject: Re: [syzbot] INFO: task hung in __generic_file_fsync (3)
Message-ID: <20220810234041.GL3861211@dread.disaster.area>
In-Reply-To: <00000000000096592405e5dcaa9f@google.com>

On Tue, Aug 09, 2022 at 10:53:21PM -0700, syzbot wrote:
> Hello,
>
> syzbot found the following issue on:
>
> HEAD commit:    200e340f2196 Merge tag 'pull-work.dcache' of git://git.ker..
> git tree:       upstream
> console output: https://syzkaller.appspot.com/x/log.txt?x=13d08412080000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=a3f4d6985d3164cd
> dashboard link: https://syzkaller.appspot.com/bug?extid=ed920a72fd23eb735158
> compiler:       gcc (Debian 10.2.1-6) 10.2.1 20210110, GNU ld (GNU Binutils for Debian) 2.35.2
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=15dd033e080000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=16dbfa46080000
>
> Bisection is inconclusive: the issue happens on the oldest tested release.

tl;dr: Well known problem. Don't do O_DSYNC direct IO writes on vfat.

Basically, vfat uses __generic_file_fsync() which takes the inode_lock().
It's not valid to take the inode_lock() in DIO completion callbacks as we
do for O_DSYNC/O_SYNC writes because setattr needs to do:

    inode_lock()
    inode_dio_wait()
      i_dio_count to go to zero>

to wait for all pending direct IO to drain before it can proceed.

Hence:

    i_dio_count reference>
    dio_complete
      generic_write_sync
        vfs_fsync_range
          fat_file_fsync
            __generic_file_fsync
              inode_lock

O_DSYNC DIO completion will attempt to lock the inode with an elevated
inode->i_dio_count (as is always the case when dio_complete() is called)
and hence we have a trivial ABBA deadlock vector via truncate, hole
punching, etc.

> INFO: task kworker/0:1:14 blocked for more than 143 seconds.
>       Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:kworker/0:1 state:D stack:26544 pid: 14 ppid: 2 flags:0x00004000
> Workqueue: dio/loop5 dio_aio_complete_work
> Call Trace:
>
>  context_switch kernel/sched/core.c:5178 [inline]
>  __schedule+0xa00/0x4c10 kernel/sched/core.c:6490
>  schedule+0xda/0x1b0 kernel/sched/core.c:6566
>  rwsem_down_write_slowpath+0x697/0x11e0 kernel/locking/rwsem.c:1182
>  __down_write_common kernel/locking/rwsem.c:1297 [inline]
>  __down_write_common kernel/locking/rwsem.c:1294 [inline]
>  __down_write kernel/locking/rwsem.c:1306 [inline]
>  down_write+0x135/0x150 kernel/locking/rwsem.c:1553
>  inode_lock include/linux/fs.h:760 [inline]
>  __generic_file_fsync+0xb0/0x1f0 fs/libfs.c:1119
>  fat_file_fsync+0x73/0x200 fs/fat/file.c:191
>  vfs_fsync_range+0x13a/0x220 fs/sync.c:188
>  generic_write_sync include/linux/fs.h:2861 [inline]
>  dio_complete+0x6dd/0x950 fs/direct-io.c:310
>  process_one_work+0x996/0x1610 kernel/workqueue.c:2289
>  worker_thread+0x665/0x1080 kernel/workqueue.c:2436
>  kthread+0x2e9/0x3a0 kernel/kthread.c:376
>  ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306
>

There's dio completion.

> INFO: task syz-executor775:3664 blocked for more than 144 seconds.
>       Not tainted 5.19.0-syzkaller-02972-g200e340f2196 #0
> "echo 0 > /proc/sys/kernel/hung_task_timeout_secs" disables this message.
> task:syz-executor775 state:D stack:26128 pid: 3664 ppid: 3656 flags:0x00004004
> Call Trace:
>
>  context_switch kernel/sched/core.c:5178 [inline]
>  __schedule+0xa00/0x4c10 kernel/sched/core.c:6490
>  schedule+0xda/0x1b0 kernel/sched/core.c:6566
>  __inode_dio_wait fs/inode.c:2381 [inline]
>  inode_dio_wait+0x22a/0x270 fs/inode.c:2399
>  fat_setattr+0x3de/0x13c0 fs/fat/file.c:509
>  notify_change+0xcd0/0x1440 fs/attr.c:418
>  do_truncate+0x13c/0x200 fs/open.c:65
>  do_sys_ftruncate+0x536/0x730 fs/open.c:193
>  do_syscall_x64 arch/x86/entry/common.c:50 [inline]
>  do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
>  entry_SYSCALL_64_after_hwframe+0x63/0xcd

There's truncate waiting on dio completion holding the inode lock.

So, as expected, any filesystem that supports DIO and calls into
__generic_file_fsync() for fsync functionality can easily deadlock
truncate against O_DSYNC DIO writes...

-Dave.
-- 
Dave Chinner
david@fromorbit.com
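
The ABBA ordering described in the mail above, as an added user-space example (not part of the original message and not kernel code): a pthread model in which the truncate side holds the inode lock while waiting for i_dio_count to drain, and the completion side holds the count and, for O_DSYNC only, needs the lock. The name truncate_vs_dio, the dsync flag and the bounded wait that stands in for the hung-task timeout are assumptions of the model.

```c
#define _POSIX_C_SOURCE 200809L
#include <pthread.h>
#include <stdatomic.h>
#include <stdio.h>
#include <time.h>

/* User-space model only: names mirror the mail, nothing here is kernel code. */
static pthread_mutex_t inode_lock = PTHREAD_MUTEX_INITIALIZER;
static atomic_int i_dio_count;

/* Completion side: always runs with i_dio_count still elevated. */
static void *dio_complete(void *arg)
{
    int dsync = *(int *)arg;

    if (dsync) {
        /* generic_write_sync -> vfs_fsync_range -> fat_file_fsync
         * -> __generic_file_fsync -> inode_lock */
        pthread_mutex_lock(&inode_lock);
        pthread_mutex_unlock(&inode_lock);
    }
    atomic_fetch_sub(&i_dio_count, 1);   /* drop the DIO reference */
    return NULL;
}

/* Truncate side: inode_lock(), then wait for i_dio_count to reach zero.
 * Returns 1 if the wait is still stuck after timeout_ms (assumed stand-in
 * for the hung-task report; the kernel would wait forever), else 0. */
int truncate_vs_dio(int dsync, long timeout_ms)
{
    struct timespec tick = { 0, 5 * 1000000L };  /* 5 ms poll interval */
    pthread_t worker;
    int hung = 1;

    atomic_store(&i_dio_count, 1);       /* one direct IO write in flight */
    pthread_mutex_lock(&inode_lock);     /* truncate holds the inode lock */
    pthread_create(&worker, NULL, dio_complete, &dsync);
    for (long waited = 0; waited < timeout_ms; waited += 5) {
        if (atomic_load(&i_dio_count) == 0) { hung = 0; break; }
        nanosleep(&tick, NULL);
    }
    pthread_mutex_unlock(&inode_lock);   /* model only: back off so the worker exits */
    pthread_join(worker, NULL);
    return hung;
}

int main(void)
{
    printf("O_DSYNC DIO vs truncate: hung=%d\n", truncate_vs_dio(1, 200));
    printf("plain DIO vs truncate:   hung=%d\n", truncate_vs_dio(0, 200));
    return 0;
}
```

Build with `cc -pthread`; the O_DSYNC case reports hung=1 because each side waits on what the other holds, while the case without the sync-on-completion path drains the count and reports hung=0.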