From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path: 
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
	id S1751094AbdAPJdF (ORCPT );
	Mon, 16 Jan 2017 04:33:05 -0500
Received: from mail-lf0-f53.google.com ([209.85.215.53]:35913 "EHLO
	mail-lf0-f53.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
	with ESMTP id S1750874AbdAPJdC (ORCPT );
	Mon, 16 Jan 2017 04:33:02 -0500
MIME-Version: 1.0
In-Reply-To: <20161209064144.GZ1555@ZenIV.linux.org.uk>
References: <20161209013208.GW1555@ZenIV.linux.org.uk> <20161209064144.GZ1555@ZenIV.linux.org.uk>
From: Dmitry Vyukov
Date: Mon, 16 Jan 2017 10:32:40 +0100
Message-ID: 
Subject: Re: fs, net: deadlock between bind/splice on af_unix
To: Al Viro
Cc: Cong Wang , "linux-fsdevel@vger.kernel.org" , LKML , David Miller , Rainer Weikusat , Hannes Frederic Sowa , netdev , Eric Dumazet , syzkaller
Content-Type: text/plain; charset=UTF-8
Sender: linux-kernel-owner@vger.kernel.org
List-ID: 
X-Mailing-List: linux-kernel@vger.kernel.org

On Fri, Dec 9, 2016 at 7:41 AM, Al Viro wrote:
> On Thu, Dec 08, 2016 at 10:32:00PM -0800, Cong Wang wrote:
>
>> > Why do we do autobind there, anyway, and why is it conditional on
>> > SOCK_PASSCRED? Note that e.g. for SOCK_STREAM we can bloody well get
>> > to sending stuff without autobind ever done - just use socketpair()
>> > to create that sucker and we won't be going through the connect()
>> > at all.
>>
>> In the case Dmitry reported, unix_dgram_sendmsg() calls unix_autobind(),
>> not SOCK_STREAM.
>
> Yes, I've noticed. What I'm asking is what in there needs autobind triggered
> on sendmsg and why doesn't the same need affect the SOCK_STREAM case?
>
>> I guess some lock, perhaps the u->bindlock could be dropped before
>> acquiring the next one (sb_writer), but I need to double check.
>
> Bad idea, IMO - do you *want* autobind being able to come through while
> bind(2) is busy with mknod?

Ping. This is still happening on HEAD.

[ INFO: possible circular locking dependency detected ]
4.9.0 #1 Not tainted
-------------------------------------------------------
syz-executor6/25491 is trying to acquire lock:
 (&u->bindlock){+.+.+.}, at: [] unix_autobind.isra.28+0xc5/0x880 net/unix/af_unix.c:852

but task is already holding lock:
 (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock_nested fs/pipe.c:66 [inline]
 (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x56/0x70 fs/pipe.c:74

which lock already depends on the new lock.

the existing dependency chain (in reverse order) is:

[ 836.500536]  [] validate_chain kernel/locking/lockdep.c:2265 [inline]
[ 836.500536]  [] __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3338
[ 836.508456]  [] lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3753
[ 836.516117]  [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[ 836.516117]  [] mutex_lock_nested+0x24e/0xff0 kernel/locking/mutex.c:621
[ 836.524139]  [] pipe_lock_nested fs/pipe.c:66 [inline]
[ 836.524139]  [] pipe_lock+0x56/0x70 fs/pipe.c:74
[ 836.531287]  [] iter_file_splice_write+0x262/0xf80 fs/splice.c:717
[ 836.539720]  [] do_splice_from fs/splice.c:869 [inline]
[ 836.539720]  [] do_splice fs/splice.c:1160 [inline]
[ 836.539720]  [] SYSC_splice fs/splice.c:1410 [inline]
[ 836.539720]  [] SyS_splice+0x7c0/0x1690 fs/splice.c:1393
[ 836.547273]  [] entry_SYSCALL_64_fastpath+0x1f/0xc2

[ 836.560730]  [] validate_chain kernel/locking/lockdep.c:2265 [inline]
[ 836.560730]  [] __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3338
[ 836.568655]  [] lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3753
[ 836.576230]  [] percpu_down_read_preempt_disable include/linux/percpu-rwsem.h:35 [inline]
[ 836.576230]  [] percpu_down_read include/linux/percpu-rwsem.h:58 [inline]
[ 836.576230]  [] __sb_start_write+0x19a/0x2b0 fs/super.c:1252
[ 836.584168]  [] sb_start_write include/linux/fs.h:1554 [inline]
[ 836.584168]  [] mnt_want_write+0x3f/0xb0 fs/namespace.c:389
[ 836.591744]  [] filename_create+0x151/0x610 fs/namei.c:3598
[ 836.599574]  [] kern_path_create+0x33/0x40 fs/namei.c:3644
[ 836.607328]  [] unix_mknod net/unix/af_unix.c:967 [inline]
[ 836.607328]  [] unix_bind+0x4c3/0xe00 net/unix/af_unix.c:1035
[ 836.614634]  [] SYSC_bind+0x20e/0x4a0 net/socket.c:1382
[ 836.621950]  [] SyS_bind+0x24/0x30 net/socket.c:1368
[ 836.629015]  [] entry_SYSCALL_64_fastpath+0x1f/0xc2

[ 836.642405]  [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
[ 836.642405]  [] check_prevs_add+0xa8d/0x1c00 kernel/locking/lockdep.c:1938
[ 836.650348]  [] validate_chain kernel/locking/lockdep.c:2265 [inline]
[ 836.650348]  [] __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3338
[ 836.658315]  [] lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3753
[ 836.665928]  [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
[ 836.665928]  [] mutex_lock_interruptible_nested+0x2e1/0x12a0 kernel/locking/mutex.c:650
[ 836.675287]  [] unix_autobind.isra.28+0xc5/0x880 net/unix/af_unix.c:852
[ 836.683571]  [] unix_dgram_sendmsg+0x104c/0x1720 net/unix/af_unix.c:1667
[ 836.691870]  [] unix_seqpacket_sendmsg+0xf3/0x160 net/unix/af_unix.c:2071
[ 836.700261]  [] sock_sendmsg_nosec net/socket.c:621 [inline]
[ 836.700261]  [] sock_sendmsg+0xca/0x110 net/socket.c:631
[ 836.707758]  [] kernel_sendmsg+0x47/0x60 net/socket.c:639
[ 836.715327]  [] sock_no_sendpage+0x216/0x300 net/core/sock.c:2321
[ 836.723278]  [] kernel_sendpage+0x90/0xe0 net/socket.c:3289
[ 836.730944]  [] sock_sendpage+0x8c/0xc0 net/socket.c:775
[ 836.738421]  [] pipe_to_sendpage+0x29d/0x3e0 fs/splice.c:469
[ 836.746374]  [] splice_from_pipe_feed fs/splice.c:520 [inline]
[ 836.746374]  [] __splice_from_pipe+0x328/0x760 fs/splice.c:644
[ 836.754487]  [] splice_from_pipe+0x1d7/0x2f0 fs/splice.c:679
[ 836.762451]  [] generic_splice_sendpage+0x40/0x50 fs/splice.c:850
[ 836.770826]  [] do_splice_from fs/splice.c:869 [inline]
[ 836.770826]  [] do_splice fs/splice.c:1160 [inline]
[ 836.770826]  [] SYSC_splice fs/splice.c:1410 [inline]
[ 836.770826]  [] SyS_splice+0x7c0/0x1690 fs/splice.c:1393
[ 836.778307]  [] entry_SYSCALL_64_fastpath+0x1f/0xc2

other info that might help us debug this:

Chain exists of:

 Possible unsafe locking scenario:

       CPU0                    CPU1
       ----                    ----
  lock(&pipe->mutex/1);
                               lock(sb_writers#5);
                               lock(&pipe->mutex/1);
  lock(&u->bindlock);

 *** DEADLOCK ***

1 lock held by syz-executor6/25491:
 #0:  (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock_nested fs/pipe.c:66 [inline]
 #0:  (&pipe->mutex/1){+.+.+.}, at: [] pipe_lock+0x56/0x70 fs/pipe.c:74

stack backtrace:
CPU: 0 PID: 25491 Comm: syz-executor6 Not tainted 4.9.0 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801cacc6248 ffffffff8234654f ffffffff00000000 1ffff10039598bdc
 ffffed0039598bd4 0000000041b58ab3 ffffffff84b37a60 ffffffff82346261
 0000000000000000 0000000000000000 0000000000000000 0000000000000000
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 [] print_circular_bug+0x307/0x3b0 kernel/locking/lockdep.c:1202
 [] check_prev_add kernel/locking/lockdep.c:1828 [inline]
 [] check_prevs_add+0xa8d/0x1c00 kernel/locking/lockdep.c:1938
 [] validate_chain kernel/locking/lockdep.c:2265 [inline]
 [] __lock_acquire+0x2149/0x3430 kernel/locking/lockdep.c:3338
 [] lock_acquire+0x2a1/0x630 kernel/locking/lockdep.c:3753
 [] __mutex_lock_common kernel/locking/mutex.c:521 [inline]
 [] mutex_lock_interruptible_nested+0x2e1/0x12a0 kernel/locking/mutex.c:650
 [] unix_autobind.isra.28+0xc5/0x880 net/unix/af_unix.c:852
 [] unix_dgram_sendmsg+0x104c/0x1720 net/unix/af_unix.c:1667
 [] unix_seqpacket_sendmsg+0xf3/0x160 net/unix/af_unix.c:2071
 [] sock_sendmsg_nosec net/socket.c:621 [inline]
 [] sock_sendmsg+0xca/0x110 net/socket.c:631
 [] kernel_sendmsg+0x47/0x60 net/socket.c:639
 [] sock_no_sendpage+0x216/0x300 net/core/sock.c:2321
 [] kernel_sendpage+0x90/0xe0 net/socket.c:3289
 [] sock_sendpage+0x8c/0xc0 net/socket.c:775
 [] pipe_to_sendpage+0x29d/0x3e0 fs/splice.c:469
 [] splice_from_pipe_feed fs/splice.c:520 [inline]
 [] __splice_from_pipe+0x328/0x760 fs/splice.c:644
 [] splice_from_pipe+0x1d7/0x2f0 fs/splice.c:679
 [] generic_splice_sendpage+0x40/0x50 fs/splice.c:850
 [] do_splice_from fs/splice.c:869 [inline]
 [] do_splice fs/splice.c:1160 [inline]
 [] SYSC_splice fs/splice.c:1410 [inline]
 [] SyS_splice+0x7c0/0x1690 fs/splice.c:1393
 [] entry_SYSCALL_64_fastpath+0x1f/0xc2
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
FAULT_FLAG_ALLOW_RETRY missing 30
CPU: 1 PID: 25716 Comm: syz-executor3 Not tainted 4.9.0 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b6a274a8 ffffffff8234654f ffffffff00000001 1ffff10036d44e28
 ffffed0036d44e20 0000000041b58ab3 ffffffff84b37a60 ffffffff82346261
 0000000000000000 ffff8801dc122980 ffff8801a36c2800 1ffff10036d44e2a
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 [] handle_userfault+0x115d/0x1fc0 fs/userfaultfd.c:381
 [] do_anonymous_page mm/memory.c:2800 [inline]
 [] handle_pte_fault mm/memory.c:3560 [inline]
 [] __handle_mm_fault mm/memory.c:3652 [inline]
 [] handle_mm_fault+0x24f2/0x2890 mm/memory.c:3689
 [] __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1397
 [] do_page_fault+0x54/0x70 arch/x86/mm/fault.c:1460
 [] page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] getname_flags+0x10e/0x580 fs/namei.c:148
 [] user_path_at_empty+0x2d/0x50 fs/namei.c:2556
 [] user_path_at include/linux/namei.h:55 [inline]
 [] vfs_fstatat+0xf1/0x1a0 fs/stat.c:106
 [] vfs_lstat fs/stat.c:129 [inline]
 [] SYSC_newlstat+0xab/0x140 fs/stat.c:283
 [] SyS_newlstat+0x1d/0x30 fs/stat.c:277
 [] entry_SYSCALL_64_fastpath+0x1f/0xc2
FAULT_FLAG_ALLOW_RETRY missing 30
QAT: Invalid ioctl
QAT: Invalid ioctl
QAT: Invalid ioctl
CPU: 1 PID: 25716 Comm: syz-executor3 Not tainted 4.9.0 #1
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/01/2011
 ffff8801b6a27360 ffffffff8234654f ffffffff00000001 1ffff10036d44dff
 ffffed0036d44df7 0000000041b58ab3 ffffffff84b37a60 ffffffff82346261
 0000000000000082 ffff8801dc122980 ffff8801da622540 1ffff10036d44e01
Call Trace:
 [] __dump_stack lib/dump_stack.c:15 [inline]
 [] dump_stack+0x2ee/0x3ef lib/dump_stack.c:51
 [] handle_userfault+0x115d/0x1fc0 fs/userfaultfd.c:381
 [] do_anonymous_page mm/memory.c:2800 [inline]
 [] handle_pte_fault mm/memory.c:3560 [inline]
 [] __handle_mm_fault mm/memory.c:3652 [inline]
 [] handle_mm_fault+0x24f2/0x2890 mm/memory.c:3689
 [] __do_page_fault+0x4f6/0xb60 arch/x86/mm/fault.c:1397
 [] trace_do_page_fault+0x141/0x6c0 arch/x86/mm/fault.c:1490
 [] trace_page_fault+0x28/0x30 arch/x86/entry/entry_64.S:1012
 [] getname_flags+0x10e/0x580 fs/namei.c:148
 [] user_path_at_empty+0x2d/0x50 fs/namei.c:2556
 [] user_path_at include/linux/namei.h:55 [inline]
 [] vfs_fstatat+0xf1/0x1a0 fs/stat.c:106
 [] vfs_lstat fs/stat.c:129 [inline]
 [] SYSC_newlstat+0xab/0x140 fs/stat.c:283
 [] SyS_newlstat+0x1d/0x30 fs/stat.c:277
 [] entry_SYSCALL_64_fastpath+0x1f/0xc2
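The lockdep report above is built from three independently observed lock orders: splice(pipe to file) takes pipe->mutex while holding sb_writers, bind(2) takes sb_writers (via unix_mknod and mnt_want_write) while holding u->bindlock, and splice(pipe to an unbound AF_UNIX SOCK_SEQPACKET socket) takes u->bindlock (via unix_autobind) while holding pipe->mutex. No single task holds all three; the cycle only exists in the union of the orders. The following C program is an added illustration, not code from the thread or from the kernel: it models the dependency graph the way lockdep's check_prev_add() does, recording an edge "held -> acquired" for each nested acquisition and, before adding it, checking whether the new lock already reaches the held one. The lock-class names are taken from the report; the helper names (add_dependency, find_path, replay_report) are this example's own.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

#define MAX_LOCKS 8

/* Lock classes, named as they appear in the lockdep report. */
enum lock_class { PIPE_MUTEX, SB_WRITERS, U_BINDLOCK, NR_LOCKS };

static const char *lock_name[NR_LOCKS] = {
	"&pipe->mutex/1", "sb_writers#5", "&u->bindlock",
};

/* dep[a][b] is true once some task has taken b while holding a. */
static bool dep[MAX_LOCKS][MAX_LOCKS];

/* Depth-first search for a path from `from` to `to` through recorded
 * dependencies. On success the path (excluding `from`) is written to
 * path[0..n-1] and n is returned; 0 means `to` is unreachable. */
static int find_path(int from, int to, bool *seen, int *path, int depth)
{
	for (int next = 0; next < NR_LOCKS; next++) {
		if (!dep[from][next] || seen[next])
			continue;
		path[depth] = next;
		if (next == to)
			return depth + 1;
		seen[next] = true;
		int n = find_path(next, to, seen, path, depth + 1);
		if (n)
			return n;
	}
	return 0;
}

/* Record "task took `acquired` while holding `held`". Before adding the
 * edge held -> acquired, check whether `acquired` already reaches `held`:
 * if so the new edge closes a cycle, which is what lockdep reports as a
 * possible circular locking dependency. Returns the number of locks in
 * the cycle (written to `cycle`, starting at `acquired`), or 0 if the
 * new order is consistent with everything recorded so far. */
static int add_dependency(int held, int acquired, int *cycle)
{
	bool seen[MAX_LOCKS] = { false };
	int path[MAX_LOCKS];
	int n;

	seen[acquired] = true;
	n = find_path(acquired, held, seen, path, 0);
	if (n) {
		cycle[0] = acquired;
		memcpy(&cycle[1], path, n * sizeof(int));
		return n + 1;
	}
	dep[held][acquired] = true;
	return 0;
}

static void reset_dependencies(void)
{
	memset(dep, 0, sizeof(dep));
}

/* Replay the three call chains from the report in the order lockdep
 * learned them. Returns the cycle length found on the last chain, or
 * -1 if an earlier chain unexpectedly closed a cycle on its own. */
static int replay_report(int *cycle)
{
	reset_dependencies();
	/* splice(pipe -> file): sb_writers held, pipe->mutex taken in
	 * iter_file_splice_write */
	if (add_dependency(SB_WRITERS, PIPE_MUTEX, cycle))
		return -1;
	/* bind(2): u->bindlock held, sb_writers taken via unix_mknod ->
	 * kern_path_create -> mnt_want_write */
	if (add_dependency(U_BINDLOCK, SB_WRITERS, cycle))
		return -1;
	/* splice(pipe -> unbound SOCK_SEQPACKET socket): pipe->mutex held,
	 * u->bindlock taken in unix_autobind via sendpage -> unix_dgram_sendmsg */
	return add_dependency(PIPE_MUTEX, U_BINDLOCK, cycle);
}

int main(void)
{
	int cycle[MAX_LOCKS];
	int n = replay_report(cycle);

	if (n <= 0) {
		puts("no circular dependency");
		return 0;
	}
	puts("possible circular locking dependency:");
	for (int i = 0; i < n; i++)
		printf("  %s ->", lock_name[cycle[i]]);
	printf(" %s\n", lock_name[cycle[0]]);
	return 1;
}
```

Replaying the three chains prints the cycle &u->bindlock -> sb_writers#5 -> &pipe->mutex/1 -> &u->bindlock, the same chain lockdep derived. The point a reviewer takes from this model is the one Al Viro raises in the thread: the cycle is only broken by removing one of the three edges, and each edge corresponds to a real nesting in a different syscall path, so any fix has to decide which nesting (autobind under pipe->mutex, mknod under bindlock, or pipe->mutex under sb_writers) is the one that should not exist.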