Open Source and information security mailing list archives
Message-Id: <20241104064857.295818-1-danielyangkang@gmail.com>
Date: Sun,  3 Nov 2024 22:48:57 -0800
From: Daniel Yang <danielyangkang@...il.com>
To: "Theodore Ts'o" <tytso@....edu>,
	Andreas Dilger <adilger.kernel@...ger.ca>,
	linux-ext4@...r.kernel.org (open list:EXT4 FILE SYSTEM),
	linux-kernel@...r.kernel.org (open list)
Cc: Daniel Yang <danielyangkang@...il.com>,
	syzbot+a388a53633c9a4e9b22e@...kaller.appspotmail.com
Subject: [PATCH] fix: KCSAN data-race in ext4_buffered_write_iter() 

In ext4_buffered_write_iter(), generic_write_sync() is being called at
the same time by two different CPUs. This causes a data-race for
inode->i_state. To prevent this, make generic_write_sync() a critical
section in ext4_buffered_write_iter(). Use a mutex to allow preemption so
the other CPU is not blocked while waiting.

Signed-off-by: Daniel Yang <danielyangkang@...il.com>
Reported-by: syzbot+a388a53633c9a4e9b22e@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a388a53633c9a4e9b22e
---
 fs/ext4/file.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index f14aed14b..ce1251d3b 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -19,6 +19,7 @@
  *	(jj@...site.ms.mff.cuni.cz)
  */
 
+#include "linux/mutex.h"
 #include <linux/time.h>
 #include <linux/fs.h>
 #include <linux/iomap.h>
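Review bot: The added include at the top of the include block is written with quotes, "linux/mutex.h", while the lines next to it use angle brackets. Write it as #include <linux/mutex.h> and place it among the other <linux/...> includes instead of ahead of them.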
@@ -282,6 +283,9 @@ static ssize_t ext4_write_checks(struct kiocb *iocb, struct iov_iter *from)
 	return count;
 }
 
+/* lock for critical section of generic_write_sync */
+static DEFINE_MUTEX(write_sync_lock);
+
 static ssize_t ext4_buffered_write_iter(struct kiocb *iocb,
 					struct iov_iter *from)
 {
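Review bot: write_sync_lock is a single file-scope mutex, so every caller of ext4_buffered_write_iter() contends on it regardless of which inode or filesystem it is writing to, while the race in the commit message is on one inode's i_state. If a lock is the right fix it should be scoped to the inode, and the comment above DEFINE_MUTEX should name the data being protected, not the call it surrounds.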
@@ -302,7 +306,13 @@ static ssize_t ext4_buffered_write_iter(struct kiocb *iocb,
 	inode_unlock(inode);
 	if (unlikely(ret <= 0))
 		return ret;
-	return generic_write_sync(iocb, ret);
+
+	/* prevent read-write data race */
+	mutex_lock(&write_sync_lock);
+	ret = generic_write_sync(iocb, ret);
+	mutex_unlock(&write_sync_lock);
+
+	return ret;
 }
 
 static ssize_t ext4_handle_inode_extension(struct inode *inode, loff_t offset,
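Review bot: The mutex around generic_write_sync(iocb, ret) covers only this one call site, so any other path that reads or writes inode->i_state without taking write_sync_lock still races with it. The commit message should identify both racing accesses from the syzbot report and show that each one is under the lock. The lock is also taken after inode_unlock(inode), which means the per-inode serialization has already been dropped and unrelated files' writers now wait on each other here for as long as generic_write_sync() runs. The "prevent read-write data race" comment should say which read and which write.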
-- 
2.39.2
