Re: [syzbot] [kernfs?] possible deadlock in kernfs_fop_llseek

From: Al Viro
Date: Thu Apr 04 2024 - 04:40:25 EST

Next message: Hans Verkuil: "Re: [PATCH] media: cec: core: remove length check of Timer Status"
Previous message: Kory Maincent: "Re: [PATCH net-next v6 11/17] dt-bindings: net: pse-pd: Add another way of describing several PSE PIs"
In reply to: Al Viro: "Re: [syzbot] [kernfs?] possible deadlock in kernfs_fop_llseek"
Next in thread: Amir Goldstein: "Re: [syzbot] [kernfs?] possible deadlock in kernfs_fop_llseek"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Thu, Apr 04, 2024 at 09:21:10AM +0100, Al Viro wrote:

> Similar question applies to ovl_write_iter() - why do you
> need to hold the overlayfs inode locked during the call of
> backing_file_write_iter()?

Consider the scenario when unlink() is called on that sucker
during the write() that triggers that pathwalk. We have

unlink: blocked on overlayfs inode of file, while holding the parent directory.
write: holding the overlayfs inode of file and trying to resolve a pathname
that contains .../power/suspend_stats/../../...; blocked on attempt to lock
parent so we could do a lookup in it.

No llseek involved anywhere, kernfs of->mutex held, but not contended,
deadlock purely on ->i_rwsem of overlayfs inodes.

Holding overlayfs inode locked during the call of lookup_bdev() is really
no-go.

Next message: Hans Verkuil: "Re: [PATCH] media: cec: core: remove length check of Timer Status"
Previous message: Kory Maincent: "Re: [PATCH net-next v6 11/17] dt-bindings: net: pse-pd: Add another way of describing several PSE PIs"
In reply to: Al Viro: "Re: [syzbot] [kernfs?] possible deadlock in kernfs_fop_llseek"
Next in thread: Amir Goldstein: "Re: [syzbot] [kernfs?] possible deadlock in kernfs_fop_llseek"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]