• Lizhi Xu's avatar
    inotify: Fix possible deadlock in fsnotify_destroy_mark · cad3f4a2
    Lizhi Xu authored
    [Syzbot reported]
    WARNING: possible circular locking dependency detected
    6.11.0-rc4-syzkaller-00019-gb311c1b4 #0 Not tainted
    ------------------------------------------------------
    kswapd0/78 is trying to acquire lock:
    ffff88801b8d8930 (&group->mark_mutex){+.+.}-{3:3}, at: fsnotify_group_lock include/linux/fsnotify_backend.h:270 [inline]
    ffff88801b8d8930 (&group->mark_mutex){+.+.}-{3:3}, at: fsnotify_destroy_mark+0x38/0x3c0 fs/notify/mark.c:578
    
    but task is already holding lock:
    ffffffff8ea2fd60 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat mm/vmscan.c:6841 [inline]
    ffffffff8ea2fd60 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0xbb4/0x35a0 mm/vmscan.c:7223
    
    which lock already depends on the new lock.
    
    the existing dependency chain (in reverse order) is:
    
    -> #1 (fs_reclaim){+.+.}-{0:0}:
           ...
           kmem_cache_alloc_noprof+0x3d/0x2a0 mm/slub.c:4044
           inotify_new_watch fs/notify/inotify/inotify_user.c:599 [inline]
           inotify_update_watch fs/notify/inotify/inotify_user.c:647 [inline]
           __do_sys_inotify_add_watch fs/notify/inotify/inotify_user.c:786 [inline]
           __se_sys_inotify_add_watch+0x72e/0x1070 fs/notify/inotify/inotify_user.c:729
           do_syscall_x64 arch/x86/entry/common.c:52 [inline]
           do_syscall_64+0xf3/0x230 arch/x86/entry/common.c:83
           entry_SYSCALL_64_after_hwframe+0x77/0x7f
    
    -> #0 (&group->mark_mutex){+.+.}-{3:3}:
           ...
           __mutex_lock+0x136/0xd70 kernel/locking/mutex.c:752
           fsnotify_group_lock include/linux/fsnotify_backend.h:270 [inline]
           fsnotify_destroy_mark+0x38/0x3c0 fs/notify/mark.c:578
           fsnotify_destroy_marks+0x14a/0x660 fs/notify/mark.c:934
           fsnotify_inoderemove include/linux/fsnotify.h:264 [inline]
           dentry_unlink_inode+0x2e0/0x430 fs/dcache.c:403
           __dentry_kill+0x20d/0x630 fs/dcache.c:610
           shrink_kill+0xa9/0x2c0 fs/dcache.c:1055
           shrink_dentry_list+0x2c0/0x5b0 fs/dcache.c:1082
           prune_dcache_sb+0x10f/0x180 fs/dcache.c:1163
           super_cache_scan+0x34f/0x4b0 fs/super.c:221
           do_shrink_slab+0x701/0x1160 mm/shrinker.c:435
           shrink_slab+0x1093/0x14d0 mm/shrinker.c:662
           shrink_one+0x43b/0x850 mm/vmscan.c:4815
           shrink_many mm/vmscan.c:4876 [inline]
           lru_gen_shrink_node mm/vmscan.c:4954 [inline]
           shrink_node+0x3799/0x3de0 mm/vmscan.c:5934
           kswapd_shrink_node mm/vmscan.c:6762 [inline]
           balance_pgdat mm/vmscan.c:6954 [inline]
           kswapd+0x1bcd/0x35a0 mm/vmscan.c:7223
    
    [Analysis]
    The problem is that inotify_new_watch() is using GFP_KERNEL to allocate
    new watches under group->mark_mutex, however if dentry reclaim races
    with unlinking of an inode, it can end up dropping the last dentry reference
    for an unlinked inode resulting in removal of fsnotify mark from reclaim
    context which wants to acquire group->mark_mutex as well.
    
    This scenario shows that all notification groups are in principle prone
    to this kind of a deadlock (previously, we considered only fanotify and
    dnotify to be problematic for other reasons) so make sure all
    allocations under group->mark_mutex happen with GFP_NOFS.
    
    Reported-and-tested-by: syzbot+c679f13773f295d2da53@syzkaller.appspotmail.com
    Closes: https://syzkaller.appspot.com/bug?extid=c679f13773f295d2da53Signed-off-by: default avatarLizhi Xu <lizhi.xu@windriver.com>
    Reviewed-by: default avatarAmir Goldstein <amir73il@gmail.com>
    Signed-off-by: default avatarJan Kara <jack@suse.cz>
    Link: https://patch.msgid.link/20240927143642.2369508-1-lizhi.xu@windriver.com
    cad3f4a2
dnotify.c 11.1 KB