bisecting cause commit starting from f0fddcec6b6254b4b3611388786bbafb703ad257 building syzkaller on 4d1b57d4d1aa7f8938163f8debd9293c062482b0 testing commit f0fddcec6b6254b4b3611388786bbafb703ad257 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 27fcb55e8e0b1469a5c8b08a4419a851420e9c2fa0fc64fd549bff90e7a21627 run #0: crashed: possible deadlock in iter_file_splice_write run #1: crashed: possible deadlock in iter_file_splice_write run #2: crashed: possible deadlock in iter_file_splice_write run #3: crashed: possible deadlock in iter_file_splice_write run #4: crashed: possible deadlock in iter_file_splice_write run #5: crashed: possible deadlock in iter_file_splice_write run #6: crashed: possible deadlock in ovl_write_iter run #7: crashed: possible deadlock in iter_file_splice_write run #8: crashed: possible deadlock in iter_file_splice_write run #9: crashed: possible deadlock in iter_file_splice_write run #10: crashed: possible deadlock in iter_file_splice_write run #11: crashed: possible deadlock in iter_file_splice_write run #12: crashed: possible deadlock in iter_file_splice_write run #13: crashed: possible deadlock in iter_file_splice_write run #14: crashed: possible deadlock in iter_file_splice_write run #15: crashed: possible deadlock in iter_file_splice_write run #16: crashed: possible deadlock in iter_file_splice_write run #17: crashed: possible deadlock in iter_file_splice_write run #18: crashed: possible deadlock in iter_file_splice_write run #19: crashed: possible deadlock in iter_file_splice_write testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: eaab50170f966c8b3eb39852b91e95d9bc7e454d96827a490e5a435720d1ffbe all runs: crashed: possible deadlock in iter_file_splice_write testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a2c67d0aa4cd9031fb2dccc0e9429d13c38be324308c26aa1ef6b084265ddb79 all runs: crashed: possible deadlock in iter_file_splice_write testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 760afc9eb3d03287b34ea942b7a411382f5645571be3e022de43df2d69784b74 all runs: crashed: possible deadlock in iter_file_splice_write testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: ed87a01106570e960457a093defc61da2463f8df499a22d92a19e05b34bca040 all runs: OK # git bisect start f40ddce88593482919761f74910f42f4b84c004b 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 7761 revisions left to test after this (roughly 13 steps) [538fcf57aaee6ad78a05f52b69a99baa22b33418] Merge branches 'acpi-scan', 'acpi-pnp' and 'acpi-sleep' testing commit 538fcf57aaee6ad78a05f52b69a99baa22b33418 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: d8eb6fa3c0120607a94168e357dd593ee0649fc73a20f7b6a2f6f53f70953735 all runs: OK # git bisect good 538fcf57aaee6ad78a05f52b69a99baa22b33418 Bisecting: 3868 revisions left to test after this (roughly 12 steps) [d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214] Merge tag 'net-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 99a2dca2f03a24cd3b7e918ef0cd66c404c0cb87a6f0687f33cd4ad6eaa80d73 all runs: crashed: possible deadlock in iter_file_splice_write # git bisect bad d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 Bisecting: 1915 revisions left to test after this (roughly 11 steps) [f68e4041ef63f03091e44b4eebf1ab5c5d427e6f] Merge tag 'pinctrl-v5.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit f68e4041ef63f03091e44b4eebf1ab5c5d427e6f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 0fbc852e7a6ec79f7b98adcee568dd3ec9e1d57b42ad1d7f1025faba501d81d8 all runs: OK # git bisect good f68e4041ef63f03091e44b4eebf1ab5c5d427e6f Bisecting: 1037 revisions left to test after this (roughly 10 steps) [9805529ec544ea7a82d891d5239a8ebd3dbb2a3e] Merge tag 'arm-soc-dt-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: bf9b2c24c34b11972f9e0d1c23446b8d3e9f2a16f59f09f7bd4f0810e0f65c01 all runs: OK # git bisect good 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e Bisecting: 485 revisions left to test after this (roughly 9 steps) [74f602dc96dd854c7b2034947798c1e2a6b84066] Merge tag 'nfs-for-5.11-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 74f602dc96dd854c7b2034947798c1e2a6b84066 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 8f4631729dff5694540963abcfea8690d0e7f415c3e53494c912d7a3be4e813f all runs: crashed: possible deadlock in iter_file_splice_write # git bisect bad 74f602dc96dd854c7b2034947798c1e2a6b84066 Bisecting: 296 revisions left to test after this (roughly 8 steps) [48c1c40ab40cb087b992e7b77518c3a2926743cc] Merge tag 'arm-soc-drivers-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 48c1c40ab40cb087b992e7b77518c3a2926743cc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: bd41003513e0f6c3f8667f88f798484dfa7385d35232d176d2956e41d47f8a06 all runs: OK # git bisect good 48c1c40ab40cb087b992e7b77518c3a2926743cc Bisecting: 151 revisions left to test after this (roughly 7 steps) [92dbc9dedccb9759c7f9f2f0ae6242396376988f] Merge tag 'ovl-update-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs testing commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: d9ad53706e1afa1c1799ba932ef68ec48803b0904af685449f8f779212af66a3 run #0: crashed: possible deadlock in iter_file_splice_write run #1: crashed: possible deadlock in ovl_write_iter run #2: crashed: possible deadlock in do_iter_readv_writev run #3: crashed: possible deadlock in iter_file_splice_write run #4: crashed: possible deadlock in iter_file_splice_write run #5: crashed: possible deadlock in iter_file_splice_write run #6: crashed: possible deadlock in iter_file_splice_write run #7: crashed: possible deadlock in iter_file_splice_write run #8: crashed: possible deadlock in iter_file_splice_write run #9: crashed: possible deadlock in iter_file_splice_write # git bisect bad 92dbc9dedccb9759c7f9f2f0ae6242396376988f Bisecting: 71 revisions left to test after this (roughly 6 steps) [b97d4c424e362ebf88fd9aa1b7ad82e3a28c26d3] Merge tag 'for_v5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs testing commit b97d4c424e362ebf88fd9aa1b7ad82e3a28c26d3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a44c04296660b6174976fe24b972e9fbf8cb85cfc12797d0782df3c01ce49e3f all runs: OK # git bisect good b97d4c424e362ebf88fd9aa1b7ad82e3a28c26d3 Bisecting: 35 revisions left to test after this (roughly 5 steps) [75e91c888989cf2df5c78b251b07de1f5052e30e] f2fs: compress: fix compression chksum testing commit 75e91c888989cf2df5c78b251b07de1f5052e30e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 2eae295675c28772cdcc2235cea81eb99977243aacd1147c58853e6a3f80e48c all runs: OK # git bisect good 75e91c888989cf2df5c78b251b07de1f5052e30e Bisecting: 17 revisions left to test after this (roughly 4 steps) [65de0b89d7d5e173d71cb50dfae786133c579308] Merge tag 'fuse-update-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse testing commit 65de0b89d7d5e173d71cb50dfae786133c579308 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: e7d63dba181d534b580d88e45b4875581a7a5ff59409605ce054cdd277b6af41 all runs: OK # git bisect good 65de0b89d7d5e173d71cb50dfae786133c579308 Bisecting: 8 revisions left to test after this (roughly 3 steps) [3078d85c9a1099405a0463c4d112ba97ee5bd217] vfs: verify source area in vfs_dedupe_file_range_one() testing commit 3078d85c9a1099405a0463c4d112ba97ee5bd217 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 7ad393af5cac0291785ab2767daffad586f116d9f6a1a035b5b4eebed5d3c1a6 all runs: OK # git bisect good 3078d85c9a1099405a0463c4d112ba97ee5bd217 Bisecting: 4 revisions left to test after this (roughly 2 steps) [2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1] ovl: user xattr testing commit 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: a0bd86f24ee6b374bf7afebd850726dab4e8e9febb660e3fd5ae7440ba8a1acd all runs: crashed: possible deadlock in iter_file_splice_write # git bisect bad 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1 Bisecting: 1 revision left to test after this (roughly 1 step) [89bdfaf93d9157499c3a0d61f489df66f2dead7f] ovl: make ioctl() safe testing commit 89bdfaf93d9157499c3a0d61f489df66f2dead7f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 82ee180a30d5c08648a8ab7b33e766e87442f520f129566b6c8104b706d1e48f all runs: OK # git bisect good 89bdfaf93d9157499c3a0d61f489df66f2dead7f Bisecting: 0 revisions left to test after this (roughly 0 steps) [82a763e61e2b601309d696d4fa514c77d64ee1be] ovl: simplify file splice testing commit 82a763e61e2b601309d696d4fa514c77d64ee1be compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 04d7b20c626a588d2149ccf200b45efc0ee7395786c44ae3a9361c92bc4a39d1 all runs: crashed: possible deadlock in iter_file_splice_write # git bisect bad 82a763e61e2b601309d696d4fa514c77d64ee1be 82a763e61e2b601309d696d4fa514c77d64ee1be is the first bad commit commit 82a763e61e2b601309d696d4fa514c77d64ee1be Author: Miklos Szeredi Date: Mon Dec 14 15:26:14 2020 +0100 ovl: simplify file splice generic_file_splice_read() and iter_file_splice_write() will call back into f_op->iter_read() and f_op->iter_write() respectively. These already do the real file lookup and cred override. So the code in ovl_splice_read() and ovl_splice_write() is redundant. In addition the ovl_file_accessed() call in ovl_splice_write() is incorrect, though probably harmless. Fix by calling generic_file_splice_read() and iter_file_splice_write() directly. Signed-off-by: Miklos Szeredi fs/overlayfs/file.c | 46 ++-------------------------------------------- 1 file changed, 2 insertions(+), 44 deletions(-) culprit signature: 04d7b20c626a588d2149ccf200b45efc0ee7395786c44ae3a9361c92bc4a39d1 parent signature: 82ee180a30d5c08648a8ab7b33e766e87442f520f129566b6c8104b706d1e48f revisions tested: 19, total time: 4h29m11.208695463s (build: 2h1m18.671193326s, test: 2h25m29.42226148s) first bad commit: 82a763e61e2b601309d696d4fa514c77d64ee1be ovl: simplify file splice recipients (to): ["linux-unionfs@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: possible deadlock in iter_file_splice_write ====================================================== WARNING: possible circular locking dependency detected 5.10.0-rc1-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.4/10282 is trying to acquire lock: ffff888013979c68 (&pipe->mutex/1){+.+.}-{3:3} , at: iter_file_splice_write+0x157/0xaa0 fs/splice.c:635 but task is already holding lock: ffff8880234ec460 (sb_writers#5){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2759 [inline] ffff8880234ec460 (sb_writers#5){.+.+}-{0:0}, at: do_splice+0xdfe/0x1700 fs/splice.c:1058 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (sb_writers#5){.+.+}-{0:0}: percpu_down_read include/linux/percpu-rwsem.h:51 [inline] __sb_start_write+0x173/0x320 fs/super.c:1674 file_start_write include/linux/fs.h:2759 [inline] ovl_write_iter+0xcca/0x1160 fs/overlayfs/file.c:362 call_write_iter include/linux/fs.h:1887 [inline] do_iter_readv_writev+0x333/0x6d0 fs/read_write.c:740 do_iter_write+0x12a/0x5b0 fs/read_write.c:866 iter_file_splice_write+0x566/0xaa0 fs/splice.c:686 do_splice_from fs/splice.c:764 [inline] do_splice+0x916/0x1700 fs/splice.c:1059 __do_splice+0xf4/0x1b0 fs/splice.c:1137 __do_sys_splice fs/splice.c:1343 [inline] __se_sys_splice fs/splice.c:1325 [inline] __x64_sys_splice+0x14a/0x200 fs/splice.c:1325 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #1 (&ovl_i_mutex_key[depth]){+.+.}-{3:3}: down_write+0x8d/0x150 kernel/locking/rwsem.c:1531 inode_lock include/linux/fs.h:774 [inline] ovl_write_iter+0x152/0x1160 fs/overlayfs/file.c:346 call_write_iter include/linux/fs.h:1887 [inline] do_iter_readv_writev+0x333/0x6d0 fs/read_write.c:740 do_iter_write+0x12a/0x5b0 fs/read_write.c:866 iter_file_splice_write+0x566/0xaa0 fs/splice.c:686 do_splice_from fs/splice.c:764 [inline] do_splice+0x916/0x1700 fs/splice.c:1059 __do_splice+0xf4/0x1b0 fs/splice.c:1137 __do_sys_splice fs/splice.c:1343 [inline] __se_sys_splice fs/splice.c:1325 [inline] __x64_sys_splice+0x14a/0x200 fs/splice.c:1325 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #0 (&pipe->mutex/1){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:2864 [inline] check_prevs_add kernel/locking/lockdep.c:2989 [inline] validate_chain kernel/locking/lockdep.c:3607 [inline] __lock_acquire+0x2853/0x5920 kernel/locking/lockdep.c:4837 lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x2a3/0x910 kernel/locking/lockdep.c:5407 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x134/0x1210 kernel/locking/mutex.c:1103 iter_file_splice_write+0x157/0xaa0 fs/splice.c:635 do_splice_from fs/splice.c:764 [inline] do_splice+0x916/0x1700 fs/splice.c:1059 __do_splice+0xf4/0x1b0 fs/splice.c:1137 __do_sys_splice fs/splice.c:1343 [inline] __se_sys_splice fs/splice.c:1325 [inline] __x64_sys_splice+0x14a/0x200 fs/splice.c:1325 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 other info that might help us debug this: Chain exists of: &pipe->mutex/1 --> &ovl_i_mutex_key[depth] --> sb_writers#5 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sb_writers#5); lock(&ovl_i_mutex_key[depth]); lock(sb_writers#5); lock(&pipe->mutex/1); *** DEADLOCK *** 1 lock held by syz-executor.4/10282: #0: ffff8880234ec460 (sb_writers#5){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2759 [inline] #0: ffff8880234ec460 (sb_writers#5){.+.+}-{0:0}, at: do_splice+0xdfe/0x1700 fs/splice.c:1058 stack backtrace: CPU: 0 PID: 10282 Comm: syz-executor.4 Not tainted 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x9a/0xcc lib/dump_stack.c:118 check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2115 check_prev_add kernel/locking/lockdep.c:2864 [inline] check_prevs_add kernel/locking/lockdep.c:2989 [inline] validate_chain kernel/locking/lockdep.c:3607 [inline] __lock_acquire+0x2853/0x5920 kernel/locking/lockdep.c:4837 lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x2a3/0x910 kernel/locking/lockdep.c:5407 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x134/0x1210 kernel/locking/mutex.c:1103 iter_file_splice_write+0x157/0xaa0 fs/splice.c:635 do_splice_from fs/splice.c:764 [inline] do_splice+0x916/0x1700 fs/splice.c:1059 __do_splice+0xf4/0x1b0 fs/splice.c:1137 __do_sys_splice fs/splice.c:1343 [inline] __se_sys_splice fs/splice.c:1325 [inline] __x64_sys_splice+0x14a/0x200 fs/splice.c:1325 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4665e9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007fdc3057b188 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 000000000056bf80 RCX: 00000000004665e9 RDX: 0000000000000005 RSI: 0000000000000000 RDI: 0000000000000003 RBP: 00000000004bfcc4 R08: 000000000004ffdc R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056bf80 R13: 00007ffc19a4d82f R14: 00007fdc3057b300 R15: 0000000000022000