splice: fix deadlock in splicing to file

There's a possible deadlock in generic_file_splice_write(), splice_from_pipe() and ocfs2_file_splice_write(): - task A calls generic_file_splice_write() - this calls inode_double_lock(), which locks i_mutex on both pipe->inode and target inode - ordering depends on inode pointers, can happen that pipe->inode is locked first - __splice_from_pipe() needs more data, calls pipe_wait() - this releases lock on pipe->inode, goes to interruptible sleep - task B calls generic_file_splice_write(), similarly to the first - this locks pipe->inode, then tries to lock inode, but that is already held by task A - task A is interrupted, it tries to lock pipe->inode, but fails, as it is already held by task B - ABBA deadlock Fix this by explicitly ordering locks: the outer lock must be on target inode and the inner lock (which is later unlocked and relocked) must be on pipe->inode. This is OK, pipe inodes and target inodes form two nonoverlapping sets, generic_file_splice_write() and friends are not called with a target which is a pipe. Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Acked-by: Mark Fasheh <mfasheh@suse.com> Acked-by: Jens Axboe <jens.axboe@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

splice: fix deadlock in splicing to file
There's a possible deadlock in generic_file_splice_write(), splice_from_pipe() and ocfs2_file_splice_write(): - task A calls generic_file_splice_write() - this calls inode_double_lock(), which locks i_mutex on both pipe->inode and target inode - ordering depends on inode pointers, can happen that pipe->inode is locked first - __splice_from_pipe() needs more data, calls pipe_wait() - this releases lock on pipe->inode, goes to interruptible sleep - task B calls generic_file_splice_write(), similarly to the first - this locks pipe->inode, then tries to lock inode, but that is already held by task A - task A is interrupted, it tries to lock pipe->inode, but fails, as it is already held by task B - ABBA deadlock Fix this by explicitly ordering locks: the outer lock must be on target inode and the inner lock (which is later unlocked and relocked) must be on pipe->inode. This is OK, pipe inodes and target inodes form two nonoverlapping sets, generic_file_splice_write() and friends are not called with a target which is a pipe. Signed-off-by: Miklos Szeredi <mszeredi@suse.cz> Acked-by: Mark Fasheh <mfasheh@suse.com> Acked-by: Jens Axboe <jens.axboe@oracle.com> Cc: stable@kernel.org Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
Miklos Szeredi · Linus Torvalds
1 parent 612392307c
Showing 2 changed files with 26 additions and 7 deletions Side-by-side Diff
fs/ocfs2/file.c
fs/splice.c
@@ -1926,7 +1926,7 @@
 		   out->f_path.dentry->d_name.len,
 		   out->f_path.dentry->d_name.name);
  
-	inode_double_lock(inode, pipe->inode);
+	mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
  
 	ret = ocfs2_rw_lock(inode, 1);
 	if (ret < 0) {
  
  
@@ -1941,12 +1941,16 @@
 		goto out_unlock;
 	}
  
+	if (pipe->inode)
+		mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
 	ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags);
+	if (pipe->inode)
+		mutex_unlock(&pipe->inode->i_mutex);
  
 out_unlock:
 	ocfs2_rw_unlock(inode, 1);
 out:
-	inode_double_unlock(inode, pipe->inode);
+	mutex_unlock(&inode->i_mutex);
  
 	mlog_exit(ret);
 	return ret;
@@ -737,10 +737,19 @@
 	 * ->write_end. Most of the time, these expect i_mutex to
 	 * be held. Since this may result in an ABBA deadlock with
 	 * pipe->inode, we have to order lock acquiry here.
+	 *
+	 * Outer lock must be inode->i_mutex, as pipe_wait() will
+	 * release and reacquire pipe->inode->i_mutex, AND inode must
+	 * never be a pipe.
 	 */
-	inode_double_lock(inode, pipe->inode);
+	WARN_ON(S_ISFIFO(inode->i_mode));
+	mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
+	if (pipe->inode)
+		mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
 	ret = __splice_from_pipe(pipe, &sd, actor);
-	inode_double_unlock(inode, pipe->inode);
+	if (pipe->inode)
+		mutex_unlock(&pipe->inode->i_mutex);
+	mutex_unlock(&inode->i_mutex);
  
 	return ret;
 }
  
  
@@ -831,11 +840,17 @@
 	};
 	ssize_t ret;
  
-	inode_double_lock(inode, pipe->inode);
+	WARN_ON(S_ISFIFO(inode->i_mode));
+	mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
 	ret = file_remove_suid(out);
-	if (likely(!ret))
+	if (likely(!ret)) {
+		if (pipe->inode)
+			mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
 		ret = __splice_from_pipe(pipe, &sd, pipe_to_file);
-	inode_double_unlock(inode, pipe->inode);
+		if (pipe->inode)
+			mutex_unlock(&pipe->inode->i_mutex);
+	}
+	mutex_unlock(&inode->i_mutex);
 	if (ret > 0) {
 		unsigned long nr_pages;
...	...	@@ -1926,7 +1926,7 @@
1926	1926	out->f_path.dentry->d_name.len,
1927	1927	out->f_path.dentry->d_name.name);
1928	1928
1929		- inode_double_lock(inode, pipe->inode);
	1929	+ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
1930	1930
1931	1931	ret = ocfs2_rw_lock(inode, 1);
1932	1932	if (ret < 0) {
1933	1933
1934	1934
...	...	@@ -1941,12 +1941,16 @@
1941	1941	goto out_unlock;
1942	1942	}
1943	1943
	1944	+ if (pipe->inode)
	1945	+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
1944	1946	ret = generic_file_splice_write_nolock(pipe, out, ppos, len, flags);
	1947	+ if (pipe->inode)
	1948	+ mutex_unlock(&pipe->inode->i_mutex);
1945	1949
1946	1950	out_unlock:
1947	1951	ocfs2_rw_unlock(inode, 1);
1948	1952	out:
1949		- inode_double_unlock(inode, pipe->inode);
	1953	+ mutex_unlock(&inode->i_mutex);
1950	1954
1951	1955	mlog_exit(ret);
1952	1956	return ret;
...	...	@@ -737,10 +737,19 @@
737	737	* ->write_end. Most of the time, these expect i_mutex to
738	738	* be held. Since this may result in an ABBA deadlock with
739	739	* pipe->inode, we have to order lock acquiry here.
	740	+ *
	741	+ * Outer lock must be inode->i_mutex, as pipe_wait() will
	742	+ * release and reacquire pipe->inode->i_mutex, AND inode must
	743	+ * never be a pipe.
740	744	*/
741		- inode_double_lock(inode, pipe->inode);
	745	+ WARN_ON(S_ISFIFO(inode->i_mode));
	746	+ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
	747	+ if (pipe->inode)
	748	+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
742	749	ret = __splice_from_pipe(pipe, &sd, actor);
743		- inode_double_unlock(inode, pipe->inode);
	750	+ if (pipe->inode)
	751	+ mutex_unlock(&pipe->inode->i_mutex);
	752	+ mutex_unlock(&inode->i_mutex);
744	753
745	754	return ret;
746	755	}
747	756
748	757
...	...	@@ -831,11 +840,17 @@
831	840	};
832	841	ssize_t ret;
833	842
834		- inode_double_lock(inode, pipe->inode);
	843	+ WARN_ON(S_ISFIFO(inode->i_mode));
	844	+ mutex_lock_nested(&inode->i_mutex, I_MUTEX_PARENT);
835	845	ret = file_remove_suid(out);
836		- if (likely(!ret))
	846	+ if (likely(!ret)) {
	847	+ if (pipe->inode)
	848	+ mutex_lock_nested(&pipe->inode->i_mutex, I_MUTEX_CHILD);
837	849	ret = __splice_from_pipe(pipe, &sd, pipe_to_file);
838		- inode_double_unlock(inode, pipe->inode);
	850	+ if (pipe->inode)
	851	+ mutex_unlock(&pipe->inode->i_mutex);
	852	+ }
	853	+ mutex_unlock(&inode->i_mutex);
839	854	if (ret > 0) {
840	855	unsigned long nr_pages;
841	856