From nobody Sat Apr 4 07:47:29 2026
Received: from mail-oo1-f72.google.com (mail-oo1-f72.google.com [209.85.161.72]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 81C823AA1AF for ; Fri, 20 Mar 2026 12:11:28 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; dmarc=fail (p=none dis=none) header.from=syzkaller.appspotmail.com; spf=pass smtp.mailfrom=M3KW2WVRGUFZ5GODRSRYTGD7.apphosting.bounces.google.com; arc=none smtp.client-ip=209.85.161.72
Received: by mail-oo1-f72.google.com with SMTP id 006d021491bc7-67c0d7d179eso25457336eaf.1 for ; Fri, 20 Mar 2026 05:11:28 -0700 (PDT)
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
MIME-Version: 1.0
Date: Fri, 20 Mar 2026 05:11:27 -0700
In-Reply-To: <699b0b0f.a70a0220.2c38d7.017a.GAE@google.com>
X-Google-Appengine-App-Id: s~syzkaller
X-Google-Appengine-App-Id-Alias: syzkaller
Message-ID: <69bd396f.050a0220.3bf4de.0020.GAE@google.com>
Subject: Forwarded: [PATCH] splice: prevent deadlock when splicing a file to itself
From: syzbot
To: linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

For archival purposes, forwarding an incoming command email to linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com.

***

Subject: [PATCH] splice: prevent deadlock when splicing a file to itself
Author: kartikey406@gmail.com

#syz test: git://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git master

When do_splice_direct_actor() is called with the same inode for both input and output files (either via the same fd or a dup'd fd), it causes a hung task in blkdev_write_iter().

The deadlock occurs because sendfile() calls do_splice_direct(), which tries to acquire inode_lock_shared() for reading, while the write side already holds the same inode lock, causing the task to block indefinitely in rwsem_down_read_slowpath().

Fix this by checking if the input and output files share the same inode before proceeding, returning -EINVAL if they do. This mirrors the existing check in do_splice() for the pipe-to-pipe case where ipipe == opipe.

Reported-by: syzbot+d31a3b77e5cba96b9f69@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=d31a3b77e5cba96b9f69
Signed-off-by: Deepanshu Kartikey
---
 fs/splice.c | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/fs/splice.c b/fs/splice.c
index 9d8f63e2fd1a..c0ad1859de34 100644
--- a/fs/splice.c
+++ b/fs/splice.c
@@ -1199,6 +1199,9 @@ static ssize_t do_splice_direct_actor(struct file *in, loff_t *ppos,
 	if (unlikely(out->f_flags & O_APPEND))
 		return -EINVAL;
 
+	/* Prevent deadlock when splicing a file to itself */
+	if (file_inode(in) == file_inode(out))
+		return -EINVAL;
 	ret = splice_direct_to_actor(in, &sd, actor);
 	if (ret > 0)
 		*ppos = sd.pos;
-- 
2.43.0
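Review bot: the new `if (file_inode(in) == file_inode(out))` check in do_splice_direct_actor() rejects every same-inode pair on every file type, while the commit message only describes a hang in blkdev_write_iter(); because do_splice_direct_actor() is also the path that copy_file_range(2) falls back to when a filesystem has no native copy routine, and copy_file_range(2) permits a same-file copy whose source and destination ranges do not overlap, this turns a previously valid in-file copy into -EINVAL. Please either narrow the condition (reject only when the ranges overlap, or only for the block-device case where the lock inversion was observed) or justify in the commit message why every same-inode direct splice must now fail. Style: the preceding O_APPEND check is followed by a blank line, but the three added lines run straight into `ret = splice_direct_to_actor(in, &sd, actor);`; add a blank line after the new `return -EINVAL;`.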
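The commit message describes two ways the same inode reaches both sides of a direct splice: the same fd passed as in and out, or a dup'd fd. The program below is an added user-space example, not the patch author's code and not kernel code, showing how those cases collapse to one (st_dev, st_ino) pair and how a caller can refuse the self-splice before sendfile(2) is issued, which is the same comparison the patch makes with file_inode(). It assumes Linux with glibc's sys/sendfile.h and a writable /tmp; the temp-file path prefix, the helper names and the "hello" payload are constructed for the example. It deliberately never calls sendfile() with in and out on the same file, since that is the pattern the report says hangs.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/sendfile.h>
#include <sys/stat.h>
#include <unistd.h>

/* User-space counterpart of the patch's file_inode(in) == file_inode(out):
 * two descriptors name the same inode when (st_dev, st_ino) match, whether
 * the second came from dup() or a fresh open() of the same path.
 * Returns 1 if same inode, 0 if different, -1 on fstat() failure. */
int same_inode(int in_fd, int out_fd)
{
	struct stat si, so;

	if (fstat(in_fd, &si) < 0 || fstat(out_fd, &so) < 0)
		return -1;
	return si.st_dev == so.st_dev && si.st_ino == so.st_ino;
}

/* sendfile() wrapper that fails the self-splice case with EINVAL before the
 * syscall, so an in == out inode pair never reaches do_splice_direct(). */
ssize_t safe_sendfile(int out_fd, int in_fd, off_t *offset, size_t count)
{
	int same = same_inode(in_fd, out_fd);

	if (same < 0)
		return -1;
	if (same) {
		errno = EINVAL;
		return -1;
	}
	return sendfile(out_fd, in_fd, offset, count);
}

/* Constructed input: a fresh temp file (hypothetical /tmp prefix). */
static int make_temp(char *path_out)
{
	strcpy(path_out, "/tmp/splice-self-XXXXXX");
	return mkstemp(path_out);
}

static int finish(int fd1, int fd2, const char *path, int result)
{
	if (fd2 >= 0) close(fd2);
	if (fd1 >= 0) close(fd1);
	if (path) unlink(path);
	return result;
}

/* Case 1 from the report: same inode via dup(). Expected 1. */
int demo_dup_is_same_inode(void)
{
	char path[32];
	int fd = make_temp(path);

	if (fd < 0)
		return -1;
	int dupfd = dup(fd);
	return finish(fd, dupfd, path, same_inode(fd, dupfd));
}

/* Case 2: same inode via a second open() of the same path. Expected 1. */
int demo_reopen_is_same_inode(void)
{
	char path[32];
	int fd = make_temp(path);

	if (fd < 0)
		return -1;
	int fd2 = open(path, O_RDWR);
	return finish(fd, fd2, path, same_inode(fd, fd2));
}

/* The guard refuses fd -> dup(fd) with EINVAL and never enters sendfile().
 * Expected 1. */
int demo_self_splice_refused(void)
{
	char path[32];
	int fd = make_temp(path);
	off_t off = 0;

	if (fd < 0)
		return -1;
	int dupfd = dup(fd);
	errno = 0;
	ssize_t n = safe_sendfile(dupfd, fd, &off, 16);
	return finish(fd, dupfd, path, n == -1 && errno == EINVAL);
}

/* Distinct inodes pass through: copy 5 bytes, read them back. Expected 5. */
long demo_distinct_files_copy(void)
{
	char pa[32], pb[32], buf[8] = {0};
	int a = make_temp(pa), b = make_temp(pb);
	off_t off = 0;
	long n = -1;

	if (a < 0 || b < 0)
		return finish(a, b, a >= 0 ? pa : NULL, -1);
	if (write(a, "hello", 5) == 5) {
		n = safe_sendfile(b, a, &off, 5);
		if (n == 5 && (lseek(b, 0, SEEK_SET) != 0 ||
			       read(b, buf, 5) != 5 || memcmp(buf, "hello", 5)))
			n = -1;
	}
	unlink(pb);
	return finish(a, b, pa, (int)n);
}

int main(void)
{
	printf("dup same inode: %d, reopen same inode: %d, refused: %d, copied: %ld\n",
	       demo_dup_is_same_inode(), demo_reopen_is_same_inode(),
	       demo_self_splice_refused(), demo_distinct_files_copy());
	return 0;
}
```

The fstat() comparison is the user-space analogue of the patched kernel check; it catches both the dup() and the re-open case because both descriptors resolve to the same struct inode, which is why the patch compares inodes rather than struct file pointers.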