Re: [PATCH] splice: prevent deadlock when splicing a file to itself

Next message: Hungyu Lin: "[PATCH] staging: sm750fb: constify fix_id array"
Previous message: Danilo Krummrich: "Re: [PATCH] gpu: nova-core: bitfield: fix broken Default implementation"
In reply to: Christian Brauner: "Re: [PATCH] splice: prevent deadlock when splicing a file to itself"
Next in thread: Christoph Hellwig: "Re: [PATCH] splice: prevent deadlock when splicing a file to itself"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Jens Axboe

Date: Tue Mar 31 2026 - 09:37:23 EST

On 3/31/26 3:33 AM, Christian Brauner wrote:
> On Fri, Mar 20, 2026 at 06:36:15PM +0530, Deepanshu Kartikey wrote:
>>
>> When do_splice_direct_actor() is called with the same inode
>> for both input and output files (either via the same fd or a
>> dup'd fd), it causes a hung task in blkdev_write_iter().
>>
>> The deadlock occurs because sendfile() calls do_splice_direct()
>> which tries to acquire inode_lock_shared() for reading, while
>> the write side already holds the same inode lock, causing the
>> task to block indefinitely in rwsem_down_read_slowpath().
>>
>> Fix this by checking if the input and output files share the
>> same inode before proceeding, returning -EINVAL if they do.
>> This mirrors the existing check in do_splice() for the
>> pipe-to-pipe case where ipipe == opipe.
>>
>> Reported-by: syzbot+d31a3b77e5cba96b9f69@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Closes: https://syzkaller.appspot.com/bug?extid=d31a3b77e5cba96b9f69
>> Tested-by: syzbot+d31a3b77e5cba96b9f69@xxxxxxxxxxxxxxxxxxxxxxxxx
>> Signed-off-by: Deepanshu Kartikey <Kartikey406@xxxxxxxxx>
>> ---
>
> @Jens?

Fix looks reasonable to me.

--
Jens Axboe