Message-ID: <CAFRLqsWw_6XYE5K+31UBV+DOUht1MG+6v=P587DP-Su3z8t3Rg@mail.gmail.com>
Date: Mon, 12 May 2025 12:01:54 +0800
From: cen zhang <zzzccc427@...il.com>
To: cem@...nel.org
Cc: linux-xfs@...r.kernel.org, linux-kernel@...r.kernel.org,
baijiaju1990@...il.com, zhenghaoran154@...il.com
Subject: [BUG] Data race between xfs_file_release and xfs_bmap_del_extent_delay
about i_delayed_blks

Hello maintainers,

I would like to report a data race bug detected in
the Btrfs filesystem on Linux kernel 6.14-rc4.
The issue was discovered by our tools,
which identified unsynchronized concurrent accesses to
`ip->i_delayed_blks`.

Kernel panic: ============ DATARACE ============
VarName 17363501701721901078, BlockLineNumber 20, IrLineNumber 2, is write 0
Function: watchpoints_monitor+0x1340/0x17c0 kernel/kccwf/wp_checker.c:73
Function: kccwf_rec_mem_access+0x7ec/0xab0 kernel/kccwf/core.c:359
Function: xfs_file_release+0x39e/0x910 fs/xfs/xfs_file.c:1325
Function: __fput+0x40b/0x970
Function: task_work_run+0x1ce/0x260
Function: do_exit+0x88c/0x2520
Function: do_group_exit+0x1d4/0x290
Function: get_signal+0xf7e/0x1060
Function: arch_do_signal_or_restart+0x44/0x600
Function: syscall_exit_to_user_mode+0x62/0x110
Function: do_syscall_64+0xd6/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
Function: 0x0
============OTHER_INFO============
VarName 16100634012471765034, BlockLineNumber 44, IrLineNumber 6,
watchpoint index 22144
Function: set_report_info+0xa6/0x1f0 kernel/kccwf/report.c:49
Function: watchpoints_monitor+0x7e8/0x17c0 kernel/kccwf/wp_checker.c:100
Function: kccwf_rec_mem_access+0x7ec/0xab0 kernel/kccwf/core.c:359
Function: xfs_bmap_del_extent_delay+0x91a/0x1cf0 fs/xfs/libxfs/xfs_bmap.c:4981
Function: __xfs_bunmapi+0x2c50/0x54f0 fs/xfs/libxfs/xfs_bmap.c:5673
Function: xfs_bunmapi_range+0x170/0x2c0 fs/xfs/libxfs/xfs_bmap.c:6437
Function: xfs_itruncate_extents_flags+0x50a/0x1070 fs/xfs/xfs_inode.c:1066
Function: xfs_itruncate_extents fs/xfs/xfs_inode.h:603 [inline]
Function: xfs_setattr_size+0xd78/0x1c80 fs/xfs/xfs_iops.c:1003
Function: xfs_vn_setattr_size+0x321/0x590 fs/xfs/xfs_iops.c:1054
Function: xfs_vn_setattr+0x2f4/0x910 fs/xfs/xfs_iops.c:1079
Function: notify_change+0x9f9/0xca0
Function: do_truncate+0x18d/0x220
Function: path_openat+0x2741/0x2db0
Function: do_filp_open+0x230/0x440
Function: do_sys_openat2+0xab/0x110
Function: __x64_sys_creat+0xd7/0x100
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
=================END==============

The code locations involved in the data race are:

Write (fs/xfs/xfs_bmap.c):

    xfs_bmap_del_extent_delay {
        ……
        xfs_quota_unreserve_blkres(ip, del->br_blockcount);
        ip->i_delayed_blks -= del->br_blockcount;
        ……
    }

Reader (fs/xfs/xfs_file.c):

    xfs_file_release {
        ……
        xfs_iflags_clear(ip, XFS_EOFBLOCKS_RELEASED);
        if (ip->i_delayed_blks > 0)
            filemap_flush(inode->i_mapping);
        ……
    }

I’ve verified that this issue still exists in the latest source tree
in xfs_file.c:1552 and xfs_bmap.c:4702.
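
For triage, the two racing access sites can be pulled out of a report in this format by skipping the detector's own frames in each stack. The Python below is an added example, not part of the original message or of the reporting tool; the banner names and the `kernel/kccwf/` prefix are taken from the report above, and the function names `parse_report` and `racing_sites` are hypothetical.

```python
import re

# Trimmed excerpt of the report quoted in the message above (lower frames dropped).
REPORT = """\
Kernel panic: ============ DATARACE ============
VarName 17363501701721901078, BlockLineNumber 20, IrLineNumber 2, is write 0
Function: watchpoints_monitor+0x1340/0x17c0 kernel/kccwf/wp_checker.c:73
Function: kccwf_rec_mem_access+0x7ec/0xab0 kernel/kccwf/core.c:359
Function: xfs_file_release+0x39e/0x910 fs/xfs/xfs_file.c:1325
Function: __fput+0x40b/0x970
============OTHER_INFO============
VarName 16100634012471765034, BlockLineNumber 44, IrLineNumber 6,
watchpoint index 22144
Function: set_report_info+0xa6/0x1f0 kernel/kccwf/report.c:49
Function: watchpoints_monitor+0x7e8/0x17c0 kernel/kccwf/wp_checker.c:100
Function: kccwf_rec_mem_access+0x7ec/0xab0 kernel/kccwf/core.c:359
Function: xfs_bmap_del_extent_delay+0x91a/0x1cf0 fs/xfs/libxfs/xfs_bmap.c:4981
Function: __xfs_bunmapi+0x2c50/0x54f0 fs/xfs/libxfs/xfs_bmap.c:5673
=================END==============
"""

# name[+0xoff/0xsize] [file:line] [[inline]]; the bracketed parts are optional.
FRAME = re.compile(r"Function: (\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?"
                   r"(?: (\S+):(\d+))?(?: \[inline\])?")
BANNER = re.compile(r"=+\s*([A-Z_]+)\s*=+$")
TOOL_PREFIX = "kernel/kccwf/"  # the detector's own frames, as seen in the report


def parse_report(text):
    """Return {section: [(func, file, line), ...]} keyed by banner name."""
    sections, current = {}, None
    for raw in text.splitlines():
        banner = BANNER.search(raw.strip())
        if banner:
            current = None if banner.group(1) == "END" else banner.group(1)
            if current:
                sections[current] = []
            continue
        frame = FRAME.fullmatch(raw.strip())
        if frame and current:
            func, path, lineno = frame.groups()
            sections[current].append((func, path, int(lineno) if lineno else None))
    return sections


def racing_sites(text):
    """First frame outside the detector in each stack: the two racing accesses."""
    return {name: next((f for f in frames if f[1] and not f[1].startswith(TOOL_PREFIX)), None)
            for name, frames in parse_report(text).items()}
```

The (function, file, line) pair from both sections makes a stable key for deduplicating repeated reports of the same race.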