possible deadlock in pipe_lock (3)
From: syzbot
Date: Thu Dec 26 2019 - 16:25:28 EST
Hello,
syzbot found the following crash on:
HEAD commit: 46cf053e Linux 5.5-rc3
git tree: upstream
console output: https://syzkaller.appspot.com/x/log.txt?x=167281c1e00000
kernel config: https://syzkaller.appspot.com/x/.config?x=ed9d672709340e35
dashboard link: https://syzkaller.appspot.com/bug?extid=217d60b447573313b211
compiler: gcc (GCC) 9.0.0 20181231 (experimental)
syz repro: https://syzkaller.appspot.com/x/repro.syz?x=116496c1e00000
C reproducer: https://syzkaller.appspot.com/x/repro.c?x=10104649e00000
Bisection is inconclusive: the first bad commit could be any of:
9211bfbf netfilter: add missing IS_ENABLED(CONFIG_BRIDGE_NETFILTER) checks
to header-file.
47e640af netfilter: add missing IS_ENABLED(CONFIG_NF_TABLES) check to
header-file.
a1b2f04e netfilter: add missing includes to a number of header-files.
0abc8bf4 netfilter: add missing IS_ENABLED(CONFIG_NF_CONNTRACK) checks to
some header-files.
bd96b4c7 netfilter: inline four headers files into another one.
43dd16ef netfilter: nf_tables: store data in offload context registers
78458e3e netfilter: add missing IS_ENABLED(CONFIG_NETFILTER) checks to some
header-files.
20a9379d netfilter: remove "#ifdef __KERNEL__" guards from some headers.
bd8699e9 netfilter: nft_bitwise: add offload support
2a475c40 kbuild: remove all netfilter headers from header-test blacklist.
7e59b3fe netfilter: remove unnecessary spaces
1b90af29 ipvs: Improve robustness to the ipvs sysctl
5785cf15 netfilter: nf_tables: add missing prototypes.
0a30ba50 netfilter: nf_nat_proto: make tables static
e84fb4b3 netfilter: conntrack: use shared sysctl constants
10533343 netfilter: connlabels: prefer static lock initialiser
8c0bb787 netfilter: synproxy: rename mss synproxy_options field
c162610c Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next
bisection log: https://syzkaller.appspot.com/x/bisect.txt?x=114c96c1e00000
IMPORTANT: if you fix the bug, please add the following tag to the commit:
Reported-by: syzbot+217d60b447573313b211@xxxxxxxxxxxxxxxxxxxxxxxxx
======================================================
WARNING: possible circular locking dependency detected
5.5.0-rc3-syzkaller #0 Not tainted
------------------------------------------------------
syz-executor691/10028 is trying to acquire lock:
ffff88809643c460 (&pipe->mutex/1){+.+.}, at: pipe_lock_nested fs/pipe.c:65
[inline]
ffff88809643c460 (&pipe->mutex/1){+.+.}, at: pipe_lock+0x65/0x80
fs/pipe.c:73
but task is already holding lock:
ffff888099382428 (sb_writers#4){.+.+}, at: file_start_write
include/linux/fs.h:2885 [inline]
ffff888099382428 (sb_writers#4){.+.+}, at: do_splice+0xf48/0x1680
fs/splice.c:1169
which lock already depends on the new lock.
the existing dependency chain (in reverse order) is:
-> #2 (sb_writers#4){.+.+}:
percpu_down_read include/linux/percpu-rwsem.h:40 [inline]
__sb_start_write+0x241/0x460 fs/super.c:1674
file_start_write include/linux/fs.h:2885 [inline]
ovl_write_iter+0x91b/0xc20 fs/overlayfs/file.c:277
call_write_iter include/linux/fs.h:1902 [inline]
new_sync_write+0x4d3/0x770 fs/read_write.c:483
__vfs_write+0xe1/0x110 fs/read_write.c:496
__kernel_write+0x11b/0x3b0 fs/read_write.c:515
write_pipe_buf+0x15d/0x1f0 fs/splice.c:809
splice_from_pipe_feed fs/splice.c:512 [inline]
__splice_from_pipe+0x3ee/0x7c0 fs/splice.c:636
splice_from_pipe+0x108/0x170 fs/splice.c:671
default_file_splice_write+0x3c/0x90 fs/splice.c:821
do_splice_from fs/splice.c:863 [inline]
do_splice+0xba4/0x1680 fs/splice.c:1170
__do_sys_splice fs/splice.c:1447 [inline]
__se_sys_splice fs/splice.c:1427 [inline]
__x64_sys_splice+0x2c6/0x330 fs/splice.c:1427
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> #1 (&ovl_i_mutex_key[depth]){+.+.}:
down_write+0x93/0x150 kernel/locking/rwsem.c:1534
inode_lock include/linux/fs.h:791 [inline]
ovl_write_iter+0x148/0xc20 fs/overlayfs/file.c:265
call_write_iter include/linux/fs.h:1902 [inline]
new_sync_write+0x4d3/0x770 fs/read_write.c:483
__vfs_write+0xe1/0x110 fs/read_write.c:496
__kernel_write+0x11b/0x3b0 fs/read_write.c:515
write_pipe_buf+0x15d/0x1f0 fs/splice.c:809
splice_from_pipe_feed fs/splice.c:512 [inline]
__splice_from_pipe+0x3ee/0x7c0 fs/splice.c:636
splice_from_pipe+0x108/0x170 fs/splice.c:671
default_file_splice_write+0x3c/0x90 fs/splice.c:821
do_splice_from fs/splice.c:863 [inline]
do_splice+0xba4/0x1680 fs/splice.c:1170
__do_sys_splice fs/splice.c:1447 [inline]
__se_sys_splice fs/splice.c:1427 [inline]
__x64_sys_splice+0x2c6/0x330 fs/splice.c:1427
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
-> #0 (&pipe->mutex/1){+.+.}:
check_prev_add kernel/locking/lockdep.c:2476 [inline]
check_prevs_add kernel/locking/lockdep.c:2581 [inline]
validate_chain kernel/locking/lockdep.c:2971 [inline]
__lock_acquire+0x2596/0x4a00 kernel/locking/lockdep.c:3955
lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
__mutex_lock_common kernel/locking/mutex.c:956 [inline]
__mutex_lock+0x156/0x13c0 kernel/locking/mutex.c:1103
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1118
pipe_lock_nested fs/pipe.c:65 [inline]
pipe_lock+0x65/0x80 fs/pipe.c:73
iter_file_splice_write+0x18b/0xc10 fs/splice.c:709
do_splice_from fs/splice.c:863 [inline]
do_splice+0xba4/0x1680 fs/splice.c:1170
__do_sys_splice fs/splice.c:1447 [inline]
__se_sys_splice fs/splice.c:1427 [inline]
__x64_sys_splice+0x2c6/0x330 fs/splice.c:1427
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
other info that might help us debug this:
Chain exists of:
&pipe->mutex/1 --> &ovl_i_mutex_key[depth] --> sb_writers#4
Possible unsafe locking scenario:
CPU0 CPU1
---- ----
lock(sb_writers#4);
lock(&ovl_i_mutex_key[depth]);
lock(sb_writers#4);
lock(&pipe->mutex/1);
*** DEADLOCK ***
1 lock held by syz-executor691/10028:
#0: ffff888099382428 (sb_writers#4){.+.+}, at: file_start_write
include/linux/fs.h:2885 [inline]
#0: ffff888099382428 (sb_writers#4){.+.+}, at: do_splice+0xf48/0x1680
fs/splice.c:1169
stack backtrace:
CPU: 1 PID: 10028 Comm: syz-executor691 Not tainted 5.5.0-rc3-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS
Google 01/01/2011
Call Trace:
__dump_stack lib/dump_stack.c:77 [inline]
dump_stack+0x197/0x210 lib/dump_stack.c:118
print_circular_bug.isra.0.cold+0x163/0x172 kernel/locking/lockdep.c:1685
check_noncircular+0x32e/0x3e0 kernel/locking/lockdep.c:1809
check_prev_add kernel/locking/lockdep.c:2476 [inline]
check_prevs_add kernel/locking/lockdep.c:2581 [inline]
validate_chain kernel/locking/lockdep.c:2971 [inline]
__lock_acquire+0x2596/0x4a00 kernel/locking/lockdep.c:3955
lock_acquire+0x190/0x410 kernel/locking/lockdep.c:4485
__mutex_lock_common kernel/locking/mutex.c:956 [inline]
__mutex_lock+0x156/0x13c0 kernel/locking/mutex.c:1103
mutex_lock_nested+0x16/0x20 kernel/locking/mutex.c:1118
pipe_lock_nested fs/pipe.c:65 [inline]
pipe_lock+0x65/0x80 fs/pipe.c:73
iter_file_splice_write+0x18b/0xc10 fs/splice.c:709
do_splice_from fs/splice.c:863 [inline]
do_splice+0xba4/0x1680 fs/splice.c:1170
__do_sys_splice fs/splice.c:1447 [inline]
__se_sys_splice fs/splice.c:1427 [inline]
__x64_sys_splice+0x2c6/0x330 fs/splice.c:1427
do_syscall_64+0xfa/0x790 arch/x86/entry/common.c:294
entry_SYSCALL_64_after_hwframe+0x49/0xbe
RIP: 0033:0x448059
Code: e8 6c e7 ff ff 48 83 c4 18 c3 0f 1f 80 00 00 00 00 48 89 f8 48 89 f7
48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff
ff 0f 83 db 07 fc ff c3 66 2e 0f 1f 84 00 00 00 00
RSP: 002b:00007f6e364e9da8 EFLAGS: 00000246 ORIG_RAX: 0000000000000113
RAX: ffffffffffffffda RBX: 00000000006ddc28 RCX: 0000000000448059
RDX: 0000000000000004 RSI: 0000000000000000 RDI: 0000000000000003
RBP: 00000000006ddc20 R08: 0000000100000002 R09: 0000000000000000
R10: 0000000000000000 R11: 0000000000000246 R12: 00000000006ddc2c
R13: 00007ffdf34111cf R14: 00007f6e364ea9c0 R15: 00000000006ddc2c
---
This bug is generated by a bot. It may contain errors.
See https://goo.gl/tpsmEJ for more information about syzbot.
syzbot engineers can be reached at syzkaller@xxxxxxxxxxxxxxxxx
syzbot will keep track of this bug report. See:
https://goo.gl/tpsmEJ#status for how to communicate with syzbot.
For information about bisection process see: https://goo.gl/tpsmEJ#bisection
syzbot can test patches for this bug, for details see:
https://goo.gl/tpsmEJ#testing-patches