From: Dmitry Vyukov
Date: Thu, 8 Dec 2016 15:47:11 +0100
Subject: fs, net: deadlock between bind/splice on af_unix
To: Al Viro, linux-fsdevel@vger.kernel.org, LKML, David Miller, Rainer Weikusat, Hannes Frederic Sowa, Cong Wang, netdev, Eric Dumazet
Cc: syzkaller
List-ID: linux-kernel@vger.kernel.org

Hello,

I am getting the following deadlock reports while running syzkaller fuzzer on 318c8932ddec5c1c26a4af0f3c053784841c598e (Dec 7).

[ INFO: possible circular locking dependency detected ]
4.9.0-rc8+ #77 Not tainted
-------------------------------------------------------
syz-executor0/3155 is trying to acquire lock:
 (&u->bindlock){+.+.+.}, at: [] unix_autobind.isra.26+0xca/0x8a0 net/unix/af_unix.c:852

but task is already holding lock:
 (&pipe->mutex/1){+.+.+.}, at: [< inline >] pipe_lock_nested fs/pipe.c:66
 (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x5b/0x70 fs/pipe.c:74

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

[ 202.103497] [< inline >] validate_chain kernel/locking/lockdep.c:2265
[ 202.103497] [] __lock_acquire+0x2156/0x3380 kernel/locking/lockdep.c:3338
[ 202.103497] [] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3749
[ 202.103497] [< inline >] __mutex_lock_common kernel/locking/mutex.c:521
[ 202.103497] [] mutex_lock_nested+0x23f/0xf20 kernel/locking/mutex.c:621
[ 202.103497] [< inline >] pipe_lock_nested fs/pipe.c:66
[ 202.103497] [] pipe_lock+0x5b/0x70 fs/pipe.c:74
[ 202.103497] [] iter_file_splice_write+0x267/0xfa0 fs/splice.c:717
[ 202.103497] [< inline >] do_splice_from fs/splice.c:869
[ 202.103497] [< inline >] do_splice fs/splice.c:1160
[ 202.103497] [< inline >] SYSC_splice fs/splice.c:1410
[ 202.103497] [] SyS_splice+0x7d7/0x16a0 fs/splice.c:1393
[ 202.103497] [] entry_SYSCALL_64_fastpath+0x23/0xc6

[ 202.103497] [< inline >] validate_chain kernel/locking/lockdep.c:2265
[ 202.103497] [] __lock_acquire+0x2156/0x3380 kernel/locking/lockdep.c:3338
[ 202.103497] [] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3749
[ 202.103497] [< inline >] percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:35
[ 202.103497] [< inline >] percpu_down_read include/linux/percpu-rwsem.h:58
[ 202.103497] [] __sb_start_write+0x193/0x2a0 fs/super.c:1252
[ 202.103497] [< inline >] sb_start_write include/linux/fs.h:1549
[ 202.103497] [] mnt_want_write+0x44/0xb0 fs/namespace.c:389
[ 202.103497] [] filename_create+0x156/0x620 fs/namei.c:3598
[ 202.103497] [] kern_path_create+0x38/0x50 fs/namei.c:3644
[ 202.103497] [< inline >] unix_mknod net/unix/af_unix.c:967
[ 202.103497] [] unix_bind+0x4d1/0xe60 net/unix/af_unix.c:1035
[ 202.103497] [] SYSC_bind+0x20e/0x4c0 net/socket.c:1382
[ 202.103497] [] SyS_bind+0x29/0x30 net/socket.c:1368
[ 202.103497] [] entry_SYSCALL_64_fastpath+0x23/0xc6

[ 202.103497] [< inline >] check_prev_add kernel/locking/lockdep.c:1828
[ 202.103497] [] check_prevs_add+0xaab/0x1c20 kernel/locking/lockdep.c:1938
[ 202.103497] [< inline >] validate_chain kernel/locking/lockdep.c:2265
[ 202.103497] [] __lock_acquire+0x2156/0x3380 kernel/locking/lockdep.c:3338
[ 202.103497] [] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3749
[ 202.103497] [< inline >] __mutex_lock_common kernel/locking/mutex.c:521
[ 202.103497] [] mutex_lock_interruptible_nested+0x2d2/0x11d0 kernel/locking/mutex.c:650
[ 202.103497] [] unix_autobind.isra.26+0xca/0x8a0 net/unix/af_unix.c:852
[ 202.103497] [] unix_dgram_sendmsg+0x105d/0x1730 net/unix/af_unix.c:1667
[ 202.103497] [] unix_seqpacket_sendmsg+0xf8/0x170 net/unix/af_unix.c:2071
[ 202.103497] [< inline >] sock_sendmsg_nosec net/socket.c:621
[ 202.103497] [] sock_sendmsg+0xcf/0x110 net/socket.c:631
[ 202.103497] [] kernel_sendmsg+0x4c/0x60 net/socket.c:639
[ 202.103497] [] sock_no_sendpage+0x20d/0x310 net/core/sock.c:2321
[ 202.103497] [] kernel_sendpage+0x95/0xf0 net/socket.c:3289
[ 202.103497] [] sock_sendpage+0xa2/0xd0 net/socket.c:775
[ 202.103497] [] pipe_to_sendpage+0x2ae/0x390 fs/splice.c:469
[ 202.103497] [< inline >] splice_from_pipe_feed fs/splice.c:520
[ 202.103497] [] __splice_from_pipe+0x31f/0x750 fs/splice.c:644
[ 202.103497] [] splice_from_pipe+0x1dc/0x300 fs/splice.c:679
[ 202.103497] [] generic_splice_sendpage+0x45/0x60 fs/splice.c:850
[ 202.103497] [< inline >] do_splice_from fs/splice.c:869
[ 202.103497] [< inline >] do_splice fs/splice.c:1160
[ 202.103497] [< inline >] SYSC_splice fs/splice.c:1410
[ 202.103497] [] SyS_splice+0x7d7/0x16a0 fs/splice.c:1393
[ 202.103497] [] entry_SYSCALL_64_fastpath+0x23/0xc6

other info that might help us debug this:

Chain exists of:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&pipe->mutex/1);
                               lock(sb_writers#5);
                               lock(&pipe->mutex/1);
  lock(&u->bindlock);

 *** DEADLOCK ***

1 lock held by syz-executor0/3155:
 #0:  (&pipe->mutex/1){+.+.+.}, at: [< inline >] pipe_lock_nested fs/pipe.c:66
 #0:  (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x5b/0x70 fs/pipe.c:74

stack backtrace:
CPU: 3 PID: 3155 Comm: syz-executor0 Not tainted 4.9.0-rc8+ #77
Hardware name: Google Google/Google, BIOS Google 01/01/2011
 ffff88004b1fe288 ffffffff834c44f9 ffffffff00000003 1ffff1000963fbe4
 ffffed000963fbdc 0000000041b58ab3 ffffffff895816f0 ffffffff834c420b
 0000000000000000 0000000000000000 0000000000000000 0000000000000000
Call Trace:
 [< inline >] __dump_stack lib/dump_stack.c:15
 [] dump_stack+0x2ee/0x3f5 lib/dump_stack.c:51
 [] print_circular_bug+0x310/0x3c0 kernel/locking/lockdep.c:1202
 [< inline >] check_prev_add kernel/locking/lockdep.c:1828
 [] check_prevs_add+0xaab/0x1c20 kernel/locking/lockdep.c:1938
 [< inline >] validate_chain kernel/locking/lockdep.c:2265
 [] __lock_acquire+0x2156/0x3380 kernel/locking/lockdep.c:3338
 [] lock_acquire+0x2a2/0x790 kernel/locking/lockdep.c:3749
 [< inline >] __mutex_lock_common kernel/locking/mutex.c:521
 [] mutex_lock_interruptible_nested+0x2d2/0x11d0 kernel/locking/mutex.c:650
 [] unix_autobind.isra.26+0xca/0x8a0 net/unix/af_unix.c:852
 [] unix_dgram_sendmsg+0x105d/0x1730 net/unix/af_unix.c:1667
 [] unix_seqpacket_sendmsg+0xf8/0x170 net/unix/af_unix.c:2071
 [< inline >] sock_sendmsg_nosec net/socket.c:621
 [] sock_sendmsg+0xcf/0x110 net/socket.c:631
 [] kernel_sendmsg+0x4c/0x60 net/socket.c:639
 [] sock_no_sendpage+0x20d/0x310 net/core/sock.c:2321
 [] kernel_sendpage+0x95/0xf0 net/socket.c:3289
 [] sock_sendpage+0xa2/0xd0 net/socket.c:775
 [] pipe_to_sendpage+0x2ae/0x390 fs/splice.c:469
 [< inline >] splice_from_pipe_feed fs/splice.c:520
 [] __splice_from_pipe+0x31f/0x750 fs/splice.c:644
 [] splice_from_pipe+0x1dc/0x300 fs/splice.c:679
 [] generic_splice_sendpage+0x45/0x60 fs/splice.c:850
 [< inline >] do_splice_from fs/splice.c:869
 [< inline >] do_splice fs/splice.c:1160
 [< inline >] SYSC_splice fs/splice.c:1410
 [] SyS_splice+0x7d7/0x16a0 fs/splice.c:1393
 [] entry_SYSCALL_64_fastpath+0x23/0xc6
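As an added illustration (not part of this report and not the kernel's lockdep code), the C program below replays the three held-then-taken edges that the dependency chains above record (sb_writers#5 -> &pipe->mutex/1 from the splice-to-file path, &u->bindlock -> sb_writers#5 from unix_bind/unix_mknod, &pipe->mutex/1 -> &u->bindlock from splice into an af_unix socket) as a small lock-order graph and walks it for a cycle the way lockdep's check_prev_add() does. The lock names are the report's; add_dep(), find_cycle(), replay_report() and its hypothetical "bind path does not take sb_writers under bindlock" variant are assumptions of this example.

```c
#include <stdbool.h>
#include <stdio.h>
/* Lock classes, named as in the lockdep report above. */
enum { PIPE_MUTEX, SB_WRITERS, U_BINDLOCK, NLOCKS };
static const char *lock_names[NLOCKS] = { "&pipe->mutex/1", "sb_writers#5", "&u->bindlock" };
/* after[held][taken]: lock `taken` has been acquired while `held` was held. */
static bool after[NLOCKS][NLOCKS];
/* The edge lockdep's check_prev_add() records for every new (held, taken) pair. */
static void add_dep(int held, int taken) { after[held][taken] = true; }

static int walk(int start, int cur, bool *seen, int *path, int depth)
{
    for (int next = 0; next < NLOCKS; next++) {
        if (!after[cur][next]) continue;
        path[depth] = next;
        if (next == start) return depth + 1;    /* closed the loop back to `start` */
        if (seen[next]) continue;
        seen[next] = true;
        int len = walk(start, next, seen, path, depth + 1);
        if (len) return len;
    }
    return 0;
}

/* Length of a cycle through `start` (path[] ends on `start` again), or 0 if none. */
int find_cycle(int start, int *path)
{
    bool seen[NLOCKS] = { false };
    seen[start] = true;
    path[0] = start;
    return walk(start, start, seen, path, 1);
}

/* Replays the three chains from the report, oldest first. With `bind_under_bindlock`
 * false, the bind chain is assumed (hypothetically) not to take sb_writers under bindlock. */
int replay_report(bool bind_under_bindlock, int *path)
{
    for (int a = 0; a < NLOCKS; a++)
        for (int b = 0; b < NLOCKS; b++) after[a][b] = false;
    add_dep(SB_WRITERS, PIPE_MUTEX);   /* splice to file: sb_writers held, iter_file_splice_write takes pipe_lock */
    if (bind_under_bindlock) add_dep(U_BINDLOCK, SB_WRITERS); /* unix_bind -> unix_mknod -> mnt_want_write */
    add_dep(PIPE_MUTEX, U_BINDLOCK);   /* splice into af_unix socket: pipe_lock held, unix_autobind takes bindlock */
    return find_cycle(PIPE_MUTEX, path);
}

int main(void)
{
    int path[NLOCKS + 1], len = replay_report(true, path);
    for (int i = 0; i < len; i++) printf("%s%s", i ? " -> " : "", lock_names[path[i]]);
    return puts(len ? "  *** DEADLOCK ***" : "  (no cycle)") < 0;
}
```

With the report's three edges the walk returns the four-entry path &pipe->mutex/1 -> &u->bindlock -> sb_writers#5 -> &pipe->mutex/1; dropping the bind-path edge leaves no cycle, which is why the lock order in unix_bind is the place to look.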