From: Deepanshu Kartikey <kartikey406@gmail.com>
To: viro@zeniv.linux.org.uk, brauner@kernel.org, jack@suse.cz
Cc: linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org,
	Deepanshu Kartikey <kartikey406@gmail.com>,
	syzbot+d31a3b77e5cba96b9f69@syzkaller.appspotmail.com,
	Deepanshu Kartikey <Kartikey406@gmail.com>
Subject: [PATCH] splice: prevent deadlock when splicing a file to itself
Date: Fri, 20 Mar 2026 18:36:15 +0530
Message-ID: <20260320130615.1109449-1-kartikey406@gmail.com>


When do_splice_direct_actor() is called with the same inode
for both input and output files (either via the same fd or a
dup'd fd), it causes a hung task in blkdev_write_iter().

The deadlock occurs because sendfile() calls do_splice_direct()
which tries to acquire inode_lock_shared() for reading, while
the write side already holds the same inode lock, causing the
task to block indefinitely in rwsem_down_read_slowpath().

Fix this by checking if the input and output files share the
same inode before proceeding, returning -EINVAL if they do.
This mirrors the existing check in do_splice() for the
pipe-to-pipe case where ipipe == opipe.

Reported-by: syzbot+d31a3b77e5cba96b9f69@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d31a3b77e5cba96b9f69
Tested-by: syzbot+d31a3b77e5cba96b9f69@syzkaller.appspotmail.com
Signed-off-by: Deepanshu Kartikey <Kartikey406@gmail.com>
---
 fs/splice.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/splice.c b/fs/splice.c
index 9d8f63e2fd1a..c0ad1859de34 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1199,6 +1199,9 @@ static ssize_t do_splice_direct_actor(struct file *in, loff_t *ppos,
 	if (unlikely(out->f_flags & O_APPEND))
 		return -EINVAL;
 
+	/* Prevent deadlock when splicing a file to itself */
+	if (file_inode(in) == file_inode(out))
+		return -EINVAL;
 	ret = splice_direct_to_actor(in, &sd, actor);
 	if (ret > 0)
 		*ppos = sd.pos;
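
Review bot: the new file_inode(in) == file_inode(out) test in front of splice_direct_to_actor() refuses every same-inode pair, whatever the file type and whether or not the source and destination ranges overlap, while the commit message only describes a hang in blkdev_write_iter(). Callers that reach do_splice_direct_actor() with two descriptors for one regular file and disjoint offsets would now get -EINVAL, which is a userspace-visible change the changelog does not mention. Either narrow the condition to the case that actually takes the inode lock on both sides, or state in the commit message why all same-inode splices must be rejected and which existing users were checked. The changelog should also name the exact lock acquisition order (who takes the inode lock first and in which mode) so the fix can be judged against the real cycle. Minor: add a blank line after the new return so the check is visually separated from the ret = splice_direct_to_actor(...) call, matching the O_APPEND check above it.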
-- 
2.43.0

