bisecting cause commit starting from 8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b building syzkaller on 1b201b48c59d619af21de7fcc5face22824c0285 testing commit 8cae8cd89f05f6de223d63e6d15e31c8ba9cf53b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 2db6c0d72d7bfdb45502b7d1fc3f94b9990a457dd420db628c17fb6de8693671 all runs: crashed: possible deadlock in iter_file_splice_write testing release v5.13 testing commit 62fb9874f5da54fdb243003b386128037319b219 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 909f5b513362d755e99068620c19525cb2afd91ca8725228219fd46574a48866 all runs: crashed: possible deadlock in iter_file_splice_write testing release v5.12 testing commit 9f4ad9e425a1d3b6a34617b8ea226d56a119a717 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: bb4e26dd8f4a005b0fd76547575ef29621d4d502b5251ddaf0a5696974104629 all runs: crashed: possible deadlock in iter_file_splice_write testing release v5.11 testing commit f40ddce88593482919761f74910f42f4b84c004b compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 3222e6ed80513dd888ba5df1ed0bb0fed90b38311471a07f8ebfef14f678fd42 all runs: crashed: possible deadlock in iter_file_splice_write testing release v5.10 testing commit 2c85ebc57b3e1817b6ce1a6b703928e113a90442 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 35c88fb67e0626f0232c5254d6e9f188ff33bdc5ecf75a2e20b39b0354577e82 all runs: OK # git bisect start f40ddce88593482919761f74910f42f4b84c004b 2c85ebc57b3e1817b6ce1a6b703928e113a90442 Bisecting: 7761 revisions left to test after this (roughly 13 steps) [538fcf57aaee6ad78a05f52b69a99baa22b33418] Merge branches 'acpi-scan', 'acpi-pnp' and 'acpi-sleep' testing commit 538fcf57aaee6ad78a05f52b69a99baa22b33418 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 1ef6b345e5c596086feb8b12cc4c95c17a8b186b8865c838c98c3e922de4d325 all runs: OK # git bisect good 538fcf57aaee6ad78a05f52b69a99baa22b33418 Bisecting: 3868 revisions left to test after this (roughly 12 steps) [d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214] Merge tag 'net-5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net testing commit d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 3455be25f61fd64cb9dbb3d6ef3bd6988ec12585b238347e362ffb7c45f0720e all runs: crashed: possible deadlock in iter_file_splice_write # git bisect bad d64c6f96ba86bd8b97ed8d6762a8c8cc1770d214 Bisecting: 1915 revisions left to test after this (roughly 11 steps) [f68e4041ef63f03091e44b4eebf1ab5c5d427e6f] Merge tag 'pinctrl-v5.11-1' of git://git.kernel.org/pub/scm/linux/kernel/git/linusw/linux-pinctrl testing commit f68e4041ef63f03091e44b4eebf1ab5c5d427e6f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 48c76e528dd45d3cdc3f3c8690b0d59b4fcc12e96564db0ad07a012de66333c8 all runs: OK # git bisect good f68e4041ef63f03091e44b4eebf1ab5c5d427e6f Bisecting: 1037 revisions left to test after this (roughly 10 steps) [9805529ec544ea7a82d891d5239a8ebd3dbb2a3e] Merge tag 'arm-soc-dt-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 24bdfaa456199bd11340c24f2d861624a89ab030d3fa46c3cfa622bc696a0d55 all runs: OK # git bisect good 9805529ec544ea7a82d891d5239a8ebd3dbb2a3e Bisecting: 485 revisions left to test after this (roughly 9 steps) [74f602dc96dd854c7b2034947798c1e2a6b84066] Merge tag 'nfs-for-5.11-1' of git://git.linux-nfs.org/projects/trondmy/linux-nfs testing commit 74f602dc96dd854c7b2034947798c1e2a6b84066 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5c2a65dff353c206478e4a101ac737a70e54ba621c0851bb4e8438b6d564e44d all runs: crashed: possible deadlock in iter_file_splice_write # git bisect bad 74f602dc96dd854c7b2034947798c1e2a6b84066 Bisecting: 296 revisions left to test after this (roughly 8 steps) [48c1c40ab40cb087b992e7b77518c3a2926743cc] Merge tag 'arm-soc-drivers-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/soc/soc testing commit 48c1c40ab40cb087b992e7b77518c3a2926743cc compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 52b5191d057a8fab44f16e0c47168b5793da6c3d1d471b645a76673793868f68 all runs: OK # git bisect good 48c1c40ab40cb087b992e7b77518c3a2926743cc Bisecting: 151 revisions left to test after this (roughly 7 steps) [92dbc9dedccb9759c7f9f2f0ae6242396376988f] Merge tag 'ovl-update-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/vfs testing commit 92dbc9dedccb9759c7f9f2f0ae6242396376988f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5c08aff365a99a38e41370d3be60ae5c6895107c1c98b310150b9acd99918722 all runs: crashed: possible deadlock in iter_file_splice_write # git bisect bad 92dbc9dedccb9759c7f9f2f0ae6242396376988f Bisecting: 71 revisions left to test after this (roughly 6 steps) [b97d4c424e362ebf88fd9aa1b7ad82e3a28c26d3] Merge tag 'for_v5.11-rc1' of git://git.kernel.org/pub/scm/linux/kernel/git/jack/linux-fs testing commit b97d4c424e362ebf88fd9aa1b7ad82e3a28c26d3 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: bd233b5df4e317f97e81b43dc868eceae231d2c2a944384dca9e5c71dc214baa all runs: OK # git bisect good b97d4c424e362ebf88fd9aa1b7ad82e3a28c26d3 Bisecting: 35 revisions left to test after this (roughly 5 steps) [75e91c888989cf2df5c78b251b07de1f5052e30e] f2fs: compress: fix compression chksum testing commit 75e91c888989cf2df5c78b251b07de1f5052e30e compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: e7690c04412c627387432d3f668e7d0fec94a4c2da7ab04676cb54930e8b1e4b all runs: OK # git bisect good 75e91c888989cf2df5c78b251b07de1f5052e30e Bisecting: 17 revisions left to test after this (roughly 4 steps) [65de0b89d7d5e173d71cb50dfae786133c579308] Merge tag 'fuse-update-5.11' of git://git.kernel.org/pub/scm/linux/kernel/git/mszeredi/fuse testing commit 65de0b89d7d5e173d71cb50dfae786133c579308 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 7f14c4a08b9a24562707209e18f34dd3f8fe279fc5a070e7ab70f89a6fc57a47 all runs: OK # git bisect good 65de0b89d7d5e173d71cb50dfae786133c579308 Bisecting: 8 revisions left to test after this (roughly 3 steps) [3078d85c9a1099405a0463c4d112ba97ee5bd217] vfs: verify source area in vfs_dedupe_file_range_one() testing commit 3078d85c9a1099405a0463c4d112ba97ee5bd217 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 84dbd847ee07595ca1ffeb93b827c4ca367a4eb80081cd302a8da992402f7d3b all runs: OK # git bisect good 3078d85c9a1099405a0463c4d112ba97ee5bd217 Bisecting: 4 revisions left to test after this (roughly 2 steps) [2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1] ovl: user xattr testing commit 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1 compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 092bee4695d820c23c1ed66f15a9170162e45bc73caefab9d3d28717a8215b98 all runs: crashed: possible deadlock in iter_file_splice_write # git bisect bad 2d2f2d7322ff43e0fe92bf8cccdc0b09449bf2e1 Bisecting: 1 revision left to test after this (roughly 1 step) [89bdfaf93d9157499c3a0d61f489df66f2dead7f] ovl: make ioctl() safe testing commit 89bdfaf93d9157499c3a0d61f489df66f2dead7f compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: 5a56a13c66fdd4a3c585af27ee4e02bc7fe0c537ac43155856a95b4d4ee01647 all runs: OK # git bisect good 89bdfaf93d9157499c3a0d61f489df66f2dead7f Bisecting: 0 revisions left to test after this (roughly 0 steps) [82a763e61e2b601309d696d4fa514c77d64ee1be] ovl: simplify file splice testing commit 82a763e61e2b601309d696d4fa514c77d64ee1be compiler: gcc (GCC) 10.2.1 20210217, GNU ld (GNU Binutils for Debian) 2.35.1 kernel signature: c7dcb452a29b6342bec4976869672d59862e2c0c084859fdc51ffbb39b2839a3 all runs: crashed: possible deadlock in iter_file_splice_write # git bisect bad 82a763e61e2b601309d696d4fa514c77d64ee1be 82a763e61e2b601309d696d4fa514c77d64ee1be is the first bad commit commit 82a763e61e2b601309d696d4fa514c77d64ee1be Author: Miklos Szeredi Date: Mon Dec 14 15:26:14 2020 +0100 ovl: simplify file splice generic_file_splice_read() and iter_file_splice_write() will call back into f_op->iter_read() and f_op->iter_write() respectively. These already do the real file lookup and cred override. So the code in ovl_splice_read() and ovl_splice_write() is redundant. In addition the ovl_file_accessed() call in ovl_splice_write() is incorrect, though probably harmless. Fix by calling generic_file_splice_read() and iter_file_splice_write() directly. Signed-off-by: Miklos Szeredi fs/overlayfs/file.c | 46 ++-------------------------------------------- 1 file changed, 2 insertions(+), 44 deletions(-) culprit signature: c7dcb452a29b6342bec4976869672d59862e2c0c084859fdc51ffbb39b2839a3 parent signature: 5a56a13c66fdd4a3c585af27ee4e02bc7fe0c537ac43155856a95b4d4ee01647 revisions tested: 19, total time: 4h40m3.122682585s (build: 2h11m21.856280504s, test: 2h26m3.833323715s) first bad commit: 82a763e61e2b601309d696d4fa514c77d64ee1be ovl: simplify file splice recipients (to): ["linux-unionfs@vger.kernel.org" "miklos@szeredi.hu" "mszeredi@redhat.com"] recipients (cc): ["linux-kernel@vger.kernel.org"] crash: possible deadlock in iter_file_splice_write ====================================================== WARNING: possible circular locking dependency detected 5.10.0-rc1-syzkaller #0 Not tainted ------------------------------------------------------ syz-executor.4/13098 is trying to acquire lock: ffff88803119d868 (&pipe->mutex/1){+.+.}-{3:3}, at: iter_file_splice_write+0x157/0xaa0 fs/splice.c:635 but task is already holding lock: ffff888149886460 (sb_writers#5){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2759 [inline] ffff888149886460 (sb_writers#5){.+.+}-{0:0}, at: do_splice+0xdfe/0x1700 fs/splice.c:1058 which lock already depends on the new lock. the existing dependency chain (in reverse order) is: -> #2 (sb_writers#5){.+.+}-{0:0}: percpu_down_read include/linux/percpu-rwsem.h:51 [inline] __sb_start_write+0x173/0x320 fs/super.c:1674 file_start_write include/linux/fs.h:2759 [inline] ovl_write_iter+0xcca/0x1160 fs/overlayfs/file.c:362 call_write_iter include/linux/fs.h:1887 [inline] do_iter_readv_writev+0x333/0x6d0 fs/read_write.c:740 do_iter_write+0x12a/0x5b0 fs/read_write.c:866 iter_file_splice_write+0x566/0xaa0 fs/splice.c:686 do_splice_from fs/splice.c:764 [inline] do_splice+0x916/0x1700 fs/splice.c:1059 __do_splice+0xf4/0x1b0 fs/splice.c:1137 __do_sys_splice fs/splice.c:1343 [inline] __se_sys_splice fs/splice.c:1325 [inline] __x64_sys_splice+0x14a/0x200 fs/splice.c:1325 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #1 (&ovl_i_mutex_key[depth]){+.+.}-{3:3}: down_write+0x8d/0x150 kernel/locking/rwsem.c:1531 inode_lock include/linux/fs.h:774 [inline] ovl_write_iter+0x152/0x1160 fs/overlayfs/file.c:346 call_write_iter include/linux/fs.h:1887 [inline] do_iter_readv_writev+0x333/0x6d0 fs/read_write.c:740 do_iter_write+0x12a/0x5b0 fs/read_write.c:866 iter_file_splice_write+0x566/0xaa0 fs/splice.c:686 do_splice_from fs/splice.c:764 [inline] do_splice+0x916/0x1700 fs/splice.c:1059 __do_splice+0xf4/0x1b0 fs/splice.c:1137 __do_sys_splice fs/splice.c:1343 [inline] __se_sys_splice fs/splice.c:1325 [inline] __x64_sys_splice+0x14a/0x200 fs/splice.c:1325 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 -> #0 (&pipe->mutex/1){+.+.}-{3:3}: check_prev_add kernel/locking/lockdep.c:2864 [inline] check_prevs_add kernel/locking/lockdep.c:2989 [inline] validate_chain kernel/locking/lockdep.c:3607 [inline] __lock_acquire+0x2853/0x5920 kernel/locking/lockdep.c:4837 lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x2a3/0x910 kernel/locking/lockdep.c:5407 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x134/0x1210 kernel/locking/mutex.c:1103 iter_file_splice_write+0x157/0xaa0 fs/splice.c:635 do_splice_from fs/splice.c:764 [inline] do_splice+0x916/0x1700 fs/splice.c:1059 __do_splice+0xf4/0x1b0 fs/splice.c:1137 __do_sys_splice fs/splice.c:1343 [inline] __se_sys_splice fs/splice.c:1325 [inline] __x64_sys_splice+0x14a/0x200 fs/splice.c:1325 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 other info that might help us debug this: Chain exists of: &pipe->mutex/1 --> &ovl_i_mutex_key[depth] --> sb_writers#5 Possible unsafe locking scenario: CPU0 CPU1 ---- ---- lock(sb_writers#5); lock(&ovl_i_mutex_key[depth]); lock(sb_writers#5); lock(&pipe->mutex/1); *** DEADLOCK *** 1 lock held by syz-executor.4/13098: #0: ffff888149886460 (sb_writers#5){.+.+}-{0:0}, at: file_start_write include/linux/fs.h:2759 [inline] #0: ffff888149886460 (sb_writers#5){.+.+}-{0:0}, at: do_splice+0xdfe/0x1700 fs/splice.c:1058 stack backtrace: CPU: 0 PID: 13098 Comm: syz-executor.4 Not tainted 5.10.0-rc1-syzkaller #0 Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011 Call Trace: __dump_stack lib/dump_stack.c:77 [inline] dump_stack+0x9a/0xcc lib/dump_stack.c:118 check_noncircular+0x25f/0x2e0 kernel/locking/lockdep.c:2115 check_prev_add kernel/locking/lockdep.c:2864 [inline] check_prevs_add kernel/locking/lockdep.c:2989 [inline] validate_chain kernel/locking/lockdep.c:3607 [inline] __lock_acquire+0x2853/0x5920 kernel/locking/lockdep.c:4837 lock_acquire kernel/locking/lockdep.c:5442 [inline] lock_acquire+0x2a3/0x910 kernel/locking/lockdep.c:5407 __mutex_lock_common kernel/locking/mutex.c:956 [inline] __mutex_lock+0x134/0x1210 kernel/locking/mutex.c:1103 iter_file_splice_write+0x157/0xaa0 fs/splice.c:635 do_splice_from fs/splice.c:764 [inline] do_splice+0x916/0x1700 fs/splice.c:1059 __do_splice+0xf4/0x1b0 fs/splice.c:1137 __do_sys_splice fs/splice.c:1343 [inline] __se_sys_splice fs/splice.c:1325 [inline] __x64_sys_splice+0x14a/0x200 fs/splice.c:1325 do_syscall_64+0x2d/0x70 arch/x86/entry/common.c:46 entry_SYSCALL_64_after_hwframe+0x44/0xa9 RIP: 0033:0x4665e9 Code: ff ff c3 66 2e 0f 1f 84 00 00 00 00 00 0f 1f 40 00 48 89 f8 48 89 f7 48 89 d6 48 89 ca 4d 89 c2 4d 89 c8 4c 8b 4c 24 08 0f 05 <48> 3d 01 f0 ff ff 73 01 c3 48 c7 c1 bc ff ff ff f7 d8 64 89 01 48 RSP: 002b:00007f6752b6e188 EFLAGS: 00000246 ORIG_RAX: 0000000000000113 RAX: ffffffffffffffda RBX: 000000000056c038 RCX: 00000000004665e9 RDX: 0000000000000006 RSI: 0000000000000000 RDI: 0000000000000004 RBP: 00000000004bfcc4 R08: 000000000004ffdc R09: 0000000000000000 R10: 0000000000000000 R11: 0000000000000246 R12: 000000000056c038 R13: 00007fff8b65b44f R14: 00007f6752b6e300 R15: 0000000000022000 overlayfs: upperdir is in-use as upperdir/workdir of another mount, mount with '-o index=off' to override exclusive upperdir protection.