[PATCH] Fix BUG: KCSAN: data-race in fat16_ent_get / fat16_ent_put

[PATCH] Fix BUG: KCSAN: data-race in fat16_ent_get / fat16_ent_put
Posted by Daniel Yang 3 weeks, 6 days ago
Issue is that fat_free() calls fat_get_cluster() and fat_free_clusters()
at the same time. If the same fatent gets modified, it can lead to a
race condition where fat16_ent_put() and fat16_ent_get() will read/write
conflict on fatent->u.ent16_p.

To fix: add critical sections in fat_free() around the offending function
calls so that they cannot both be running at the same time. Since the
critical sections are short, a spinlock is used because its overhead is
low.

Signed-off-by: Daniel Yang <danielyangkang@gmail.com>
Reported-by: syzbot+3999cae1c2d59c2cc8b9@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=3999cae1c2d59c2cc8b9
---
 fs/fat/file.c | 14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

diff --git a/fs/fat/file.c b/fs/fat/file.c
index e887e9ab7..d7ae152a9 100644
--- a/fs/fat/file.c
+++ b/fs/fat/file.c
@@ -7,6 +7,7 @@
  *  regular file handling primitives for fat-based filesystems
  */
 
+#include "linux/spinlock.h"
 #include <linux/capability.h>
 #include <linux/module.h>
 #include <linux/compat.h>
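Review bot: The new include is written in the quoted form `#include "linux/spinlock.h"` while every neighbouring include in this hunk uses angle brackets; the quoted form searches the including file's own directory first and is conventionally reserved for a subsystem's private headers. It should read `#include <linux/spinlock.h>` and sit among the existing `<linux/...>` includes rather than ahead of `<linux/capability.h>`. Whether the header is already pulled in transitively cannot be seen from the hunk, but an explicit angle-bracket include is harmless either way.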
@@ -306,6 +307,9 @@ static long fat_fallocate(struct file *file, int mode,
 	return err;
 }
 
+/* Prevent data race in fat_free. */
+static DEFINE_SPINLOCK(cluster_lock);
+
 /* Free all clusters after the skip'th cluster. */
 static int fat_free(struct inode *inode, int skip)
 {
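Review bot: `cluster_lock` is a file-scope static in file.c, so it serialises fat_free() across every mounted FAT filesystem even though the entries it guards belong to a single superblock's FAT table; the FAT code already keeps a per-superblock `fat_lock` mutex in `struct msdos_sb_info` (taken through lock_fat()/unlock_fat() in fatent.c, outside this patch), and a lock guarding that state should live there too. The comment `/* Prevent data race in fat_free. */` names the symptom rather than the invariant; something like `/* Serialises FAT-entry readers in fat_free() against the writers in fat_free_clusters(). */` tells the next reader what the lock actually protects. Declaring the lock next to a single caller also makes it easy to miss at other call sites of the protected helpers.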
@@ -343,7 +347,10 @@ static int fat_free(struct inode *inode, int skip)
 		struct fat_entry fatent;
 		int ret, fclus, dclus;
 
+		/* Ensure fat_get_cluster isn't called while freeing. */
+		spin_lock(&cluster_lock);
 		ret = fat_get_cluster(inode, skip - 1, &fclus, &dclus);
+		spin_unlock(&cluster_lock);
 		if (ret < 0)
 			return ret;
 		else if (ret == FAT_ENT_EOF)
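Review bot: Holding `cluster_lock` across fat_get_cluster() here, and across fat_free_clusters() in the last hunk, looks like a sleeping-in-atomic-context bug: both helpers walk the FAT through fat_ent_read()/sb_bread(), which may block on disk I/O, and fat_free_clusters() in mainline takes the `fat_lock` mutex via lock_fat(), so mutex_lock() would run with a spinlock held and preemption disabled. The serialisation also covers only the two call sites in fat_free(); if fat_get_cluster() is reachable from other paths (the bmap/get_block path in cache.c, if I recall correctly), those readers still race the freeing writer, so the KCSAN report is narrowed rather than closed. A superblock-scoped mutex (the existing one) or, if the conflict is a benign torn read, READ_ONCE()/WRITE_ONCE() on the `ent16_p` accesses would fit the FAT layer's locking better than a new spinlock. fat_free() begins and continues outside this hunk on both sides.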
@@ -373,7 +380,12 @@ static int fat_free(struct inode *inode, int skip)
 	inode->i_blocks = skip << (MSDOS_SB(sb)->cluster_bits - 9);
 
 	/* Freeing the remained cluster chain */
-	return fat_free_clusters(inode, free_start);
+	int ret;
+
+	spin_lock(&cluster_lock);
+	ret = fat_free_clusters(inode, free_start);
+	spin_unlock(&cluster_lock);
+	return ret;
 }
 
 void fat_truncate_blocks(struct inode *inode, loff_t offset)
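Review bot: `int ret;` introduced after the `/* Freeing the remained cluster chain */` comment is a declaration after statements in the middle of fat_free()'s body; kernel style (and historically the -Wdeclaration-after-statement flag in the top-level Makefile) keeps declarations at the top of a block, so the declaration belongs with fat_free()'s existing locals above the hunk. The inner loop block in the previous hunk already declares its own `ret`, so a second function-scope `ret` of the same name reads confusingly; a distinct name such as `int err;` at the top of the function would avoid that. The start of fat_free() is outside this hunk.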
-- 
2.39.2
Re: [PATCH] Fix BUG: KCSAN: data-race in fat16_ent_get / fat16_ent_put
Posted by OGAWA Hirofumi 3 weeks, 6 days ago
Daniel Yang <danielyangkang@gmail.com> writes:

> Issue is that fat_free() calls fat_get_cluster() and fat_free_clusters()
> at the same time. If the same fatent gets modified, it can lead to a
> race condition where fat16_ent_put() and fat16_ent_get() will read/write
> conflict on fatent->u.ent16_p.
>
> To fix: add critical sections in fat_free() on the offending function
> calls so that they can't both be running at the same time. Since the
> critical sections are short, a spinlock is used since the overhead is
> not that high.

Which case can read and write the same entry on the FAT table with this,
other than a corrupted image?  And with a corrupted image, I think reading
invalid data is acceptable as long as it does not cause a crash.

Thanks.

> Signed-off-by: Daniel Yang <danielyangkang@gmail.com>
> Reported-by: syzbot+3999cae1c2d59c2cc8b9@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=3999cae1c2d59c2cc8b9
> ---
>  fs/fat/file.c | 14 +++++++++++++-
>  1 file changed, 13 insertions(+), 1 deletion(-)
>
> diff --git a/fs/fat/file.c b/fs/fat/file.c
> index e887e9ab7..d7ae152a9 100644
> --- a/fs/fat/file.c
> +++ b/fs/fat/file.c
> @@ -7,6 +7,7 @@
>   *  regular file handling primitives for fat-based filesystems
>   */
>  
> +#include "linux/spinlock.h"
>  #include <linux/capability.h>
>  #include <linux/module.h>
>  #include <linux/compat.h>
> @@ -306,6 +307,9 @@ static long fat_fallocate(struct file *file, int mode,
>  	return err;
>  }
>  
> +/* Prevent data race in fat_free. */
> +static DEFINE_SPINLOCK(cluster_lock);
> +
>  /* Free all clusters after the skip'th cluster. */
>  static int fat_free(struct inode *inode, int skip)
>  {
> @@ -343,7 +347,10 @@ static int fat_free(struct inode *inode, int skip)
>  		struct fat_entry fatent;
>  		int ret, fclus, dclus;
>  
> +		/* Ensure fat_get_cluster isn't called while freeing. */
> +		spin_lock(&cluster_lock);
>  		ret = fat_get_cluster(inode, skip - 1, &fclus, &dclus);
> +		spin_unlock(&cluster_lock);
>  		if (ret < 0)
>  			return ret;
>  		else if (ret == FAT_ENT_EOF)
> @@ -373,7 +380,12 @@ static int fat_free(struct inode *inode, int skip)
>  	inode->i_blocks = skip << (MSDOS_SB(sb)->cluster_bits - 9);
>  
>  	/* Freeing the remained cluster chain */
> -	return fat_free_clusters(inode, free_start);
> +	int ret;
> +
> +	spin_lock(&cluster_lock);
> +	ret = fat_free_clusters(inode, free_start);
> +	spin_unlock(&cluster_lock);
> +	return ret;
>  }
>  
>  void fat_truncate_blocks(struct inode *inode, loff_t offset)

-- 
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>