From: Al Viro <viro@zeniv.linux.org.uk>
To: Amir Goldstein <amir73il@gmail.com>
Cc: syzbot <syzbot+9a5b0ced8b1bfb238b56@syzkaller.appspotmail.com>,
gregkh@linuxfoundation.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com,
tj@kernel.org, valesini@yandex-team.ru,
Christoph Hellwig <hch@lst.de>,
Christian Brauner <brauner@kernel.org>, Jan Kara <jack@suse.cz>,
Miklos Szeredi <miklos@szeredi.hu>
Subject: Re: [syzbot] [kernfs?] possible deadlock in kernfs_fop_llseek
Date: Thu, 4 Apr 2024 23:01:08 +0100 [thread overview]
Message-ID: <20240404220108.GT538574@ZenIV> (raw)
In-Reply-To: <CAOQ4uximHfK78KFabJA3Hf4R0En6-GfJ3eF96Lzmc94PGuGayA@mail.gmail.com>
On Thu, Apr 04, 2024 at 12:33:40PM +0300, Amir Goldstein wrote:
> This specifically cannot happen because sysfs is not allowed as an
> upper layer only as a lower layer, so overlayfs itself will not be writing to
> /sys/power/resume.
Then how could you possibly get a deadlock there? What would your minimal
deadlocked set look like?
1. Something is blocked in lookup_bdev() called from resume_store(), called
from sysfs_kf_write(), called from kernfs_write_iter(), which has acquired
->mutex of struct kernfs_open_file that had been allocated by
kernfs_fop_open() back when the file had been opened. Note that each
struct file instance gets a separate struct kernfs_open_file. Since we are
calling ->write_iter(), the file *MUST* have been opened for write.
2. Something is blocked in kernfs_fop_llseek() on the same of->mutex,
i.e. using the same struct file as (1). That something is holding an
overlayfs inode lock, which is what the next thread is blocked on.
+ at least one more thread, to complete the cycle.
Right? How could that possibly happen without overlayfs opening /sys/power/resume
for write? Again, each struct file instance gets a separate of->mutex;
for a deadlock you need a cycle of threads and a cycle of locks, such
that each thread is holding the corresponding lock and is blocked on
attempt to get the lock that comes next in the cyclic order.
If overlayfs never writes to that sucker, it can't participate in that
cycle. Sure, you can get overlayfs llseek grabbing of->mutex of *ANOTHER*
struct file opened for the same sysfs file. Since it's not the same
struct file and since each struct file there gets a separate kernfs_open_file
instance, the mutex won't be the same.
Unless I'm missing something else, that can't deadlock. For a quick and
dirty experiment, try to give of->mutex on r/o opens a class separate from
that on r/w and w/o opens (mutex_init() in kernfs_fop_open()) and see
if lockdep warnings persist.
Something like
if (has_mmap)
mutex_init(&of->mutex);
else if (file->f_mode & FMODE_WRITE)
mutex_init(&of->mutex);
else
mutex_init(&of->mutex);
circa fs/kernfs/file.c:642.
next prev parent reply other threads:[~2024-04-04 22:01 UTC|newest]
Thread overview: 40+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-04-03 18:23 [syzbot] [kernfs?] possible deadlock in kernfs_fop_llseek syzbot
2024-04-03 23:51 ` syzbot
2024-04-04 6:54 ` Amir Goldstein
2024-04-04 8:11 ` Al Viro
2024-04-04 8:21 ` Al Viro
2024-04-04 8:40 ` Al Viro
2024-04-04 9:33 ` Amir Goldstein
2024-04-04 22:01 ` Al Viro [this message]
2024-04-05 10:34 ` Amir Goldstein
2024-04-05 6:51 ` Christoph Hellwig
2024-04-05 11:19 ` Christian Brauner
2024-04-05 13:48 ` Christian Brauner
2024-04-05 14:52 ` Christoph Hellwig
2024-04-05 15:41 ` Tejun Heo
2024-04-06 3:54 ` Al Viro
2024-04-05 10:47 ` Christian Brauner
2024-04-05 14:48 ` Amir Goldstein
2024-04-06 4:09 ` Al Viro
2024-04-06 5:25 ` Amir Goldstein
2024-04-05 15:08 ` Amir Goldstein
2024-04-05 15:37 ` syzbot
2024-04-05 16:23 ` Al Viro
2024-04-06 5:34 ` Amir Goldstein
2024-04-06 7:05 ` syzbot
2024-04-06 7:11 ` Al Viro
2024-04-06 8:23 ` Hillf Danton
2024-04-07 0:48 ` Al Viro
2024-04-06 8:57 ` Amir Goldstein
2024-04-07 0:50 ` Al Viro
2024-04-07 11:02 ` Amir Goldstein
2024-04-09 9:18 ` Christian Brauner
2024-04-04 0:42 ` Hillf Danton
2024-04-04 1:08 ` syzbot
2024-04-04 2:12 ` Hillf Danton
2024-04-04 2:39 ` syzbot
2024-04-05 23:00 ` Hillf Danton
2024-04-05 23:02 ` syzbot
2024-04-06 0:10 ` Al Viro
2024-04-05 23:02 ` Hillf Danton
2024-04-06 0:34 ` syzbot
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20240404220108.GT538574@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=amir73il@gmail.com \
--cc=brauner@kernel.org \
--cc=gregkh@linuxfoundation.org \
--cc=hch@lst.de \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=miklos@szeredi.hu \
--cc=syzbot+9a5b0ced8b1bfb238b56@syzkaller.appspotmail.com \
--cc=syzkaller-bugs@googlegroups.com \
--cc=tj@kernel.org \
--cc=valesini@yandex-team.ru \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox