Message-ID: <CAFRLqsVpY4EtBKoJHwafoeTfd3wF2Q2ga924FTNBG5pVLCBnKw@mail.gmail.com>
Date: Mon, 12 May 2025 11:47:17 +0800
From: cen zhang <zzzccc427@...il.com>
To: shaggy@...nel.org
Cc: jfs-discussion@...ts.sourceforge.net, linux-kernel@...r.kernel.org, 
	baijiaju1990@...il.com, zhenghaoran154@...il.com
Subject: [BUG] Data race on xtSearch about jfs_ip->btindex

I would like to report a data race bug detected in
the jfs filesystem on Linux kernel 6.14-rc4.
The issue was discovered by our tools,
which identified unsynchronized concurrent accesses to
`jfs_ip->btindex`.
============ DATARACE ============
Function: xtSearch+0x268c/0x3d60 fs/jfs/jfs_xtree.c:451
Function: xtLookup+0x4d7/0x1490 fs/jfs/jfs_xtree.c:152
Function: jfs_get_block+0x520/0x2130 fs/jfs/inode.c:218
Function: __blockdev_direct_IO+0x1629/0x3e20
Function: jfs_direct_IO+0x304/0x610 include/linux/fs.h:3412
Function: generic_file_read_iter+0x2d2/0x410
Function: vfs_read+0x745/0xaa0
Function: ksys_read+0x116/0x200
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
Function: 0x0
============OTHER_INFO============
Function: xtSearch+0x2593/0x3d60 fs/jfs/jfs_xtree.c:446
Function: xtLookup+0x4d7/0x1490 fs/jfs/jfs_xtree.c:152
Function: jfs_get_block+0x520/0x2130 fs/jfs/inode.c:218
Function: block_read_full_folio+0x35e/0x9b0
Function: do_mpage_readpage+0xed3/0x1070
Function: mpage_read_folio+0xb8/0x160
Function: jfs_read_folio+0x3a/0x60 fs/jfs/inode.c:275
Function: filemap_read_folio+0x54/0x140
Function: filemap_get_pages+0x102b/0x14c0
Function: filemap_read+0x34e/0xb90
Function: vfs_read+0x745/0xaa0
Function: ksys_read+0x116/0x200
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
=================END==============

The code locations involved in the data race are:

Read (fs/jfs/jfs_xtree.c):
static int xtSearch(struct inode *ip, s64 xoff, s64 *nextp,
            int *cmpp, struct btstack * btstack, int flag)
{
            ...
            /* init sequential access heuristics */
            btindex = jfs_ip->btindex;
            ...
}

Write (fs/jfs/jfs_xtree.c):
static int xtSearch(struct inode *ip, s64 xoff, s64 *nextp,
            int *cmpp, struct btstack * btstack, int flag)
{
            ...
                jfs_ip->btorder = BT_RANDOM;
            jfs_ip->btindex = base;
            ...
}
I’ve verified that this issue still exists in the latest source tree.
Thank you for your attention to this matter.
Best regards,
Cen Zhang
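
Added example (not part of the original post, and not JFS code): a userspace C model of a shared search hint that is read at the start of a lookup and rewritten at the end, the role the report gives jfs_ip->btindex. It shows a general way to handle such a field, with C11 relaxed atomics standing in for marked accesses and the loaded hint bounds-checked and verified before use. The struct, function names and extent values are hypothetical and constructed for illustration.

```c
#include <stdatomic.h>
/* Constructed userspace model, NOT JFS code; "hint" stands in for btindex. */
struct node {
    long start[8], len[8];  /* sorted, non-overlapping extents */
    int nr;                 /* number of valid entries */
    _Atomic int hint;       /* last hit; other threads may store to it */
};

static int covers(const struct node *n, int i, long off)
{
    return off >= n->start[i] && off < n->start[i] + n->len[i];
}

/* Publish a new hint with one marked store and pass the index through. */
static int remember(struct node *n, int i)
{
    atomic_store_explicit(&n->hint, i, memory_order_relaxed);
    return i;
}

/* Return the index of the extent covering off, or -1 if none does. */
int lookup(struct node *n, long off)
{
    /* Load once; the hint is advisory and may be stale: check, then verify. */
    int h = atomic_load_explicit(&n->hint, memory_order_relaxed);
    if (h >= 0 && h < n->nr) {
        if (covers(n, h, off))
            return h;
        if (h + 1 < n->nr && covers(n, h + 1, off))
            return remember(n, h + 1);          /* sequential access */
    }
    for (int lo = 0, hi = n->nr - 1; lo <= hi; ) {  /* full search */
        int mid = lo + (hi - lo) / 2;
        if (covers(n, mid, off))
            return remember(n, mid);
        if (off < n->start[mid]) hi = mid - 1; else lo = mid + 1;
    }
    return -1;
}

static struct node sample = { {0, 10, 30}, {10, 10, 5}, 3, 0 };
/* Force an arbitrary (stale or out-of-range) hint, then look up off. */
int lookup_with_hint(int stale, long off)
{
    atomic_store_explicit(&sample.hint, stale, memory_order_relaxed);
    return lookup(&sample, off);
}

int main(void) { return lookup_with_hint(1000, 15) == 1 ? 0 : 1; }
```

Whatever value another thread leaves in the hint, the lookup result depends only on the extent table; the hint can only change how quickly the answer is found.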
