From: Al Viro <viro@zeniv.linux.org.uk>
To: Jianzhou Zhao <luckd0g@163.com>
Cc: jack@suse.cz, brauner@kernel.org, linux-fsdevel@vger.kernel.org,
linux-kernel@vger.kernel.org
Subject: Re: KCSAN: data-race in path_lookupat / vfs_rename
Date: Thu, 9 Apr 2026 00:04:22 +0100 [thread overview]
Message-ID: <20260408230422.GK3836593@ZenIV> (raw)
In-Reply-To: <61ff6def.2d0d.19cdad1307e.Coremail.luckd0g@163.com>
On Wed, Mar 11, 2026 at 10:54:28AM +0800, Jianzhou Zhao wrote:
> Concurrently, a separate thread traversing the filesystem performs a path lookup and inspects the same intermediate dentry (the rename victim) within `step_into()`. It tests if the dentry needs mount-point translation by calling `d_managed()`:
> ```c
> 412: static inline bool d_managed(const struct dentry *dentry)
> 413: {
> 414: return dentry->d_flags & DCACHE_MANAGED_DENTRY; // <--- Lockless Read
> 415: }
> ```
>
> ### Root Cause Analysis
>
> The data race is triggered because `d_managed()` executes a plain read of `dentry->d_flags` without holding `d_lock` (or using `READ_ONCE`), while `dont_mount()` concurrently modifies `dentry->d_flags` using a plain read-modify-write operation (`|= DCACHE_CANT_MOUNT`).
>
> Although `dont_mount()` properly protects the write within a `spin_lock`, the lockless reader is oblivious to it. KCSAN identifies this as a data race because the plain read in `d_managed()` can overlap with the unlocked portion of the compiler's emitted store sequence in another CPU.
Who cares? d_managed() does not look at the bit in question, so what's
the point of READ_ONCE()? Split 32bit operations or not, if
thread A:
lock
x |= 1;
unlock
thread B:
return x & 2;
manage to depend upon the order of execution, compiler in question
needs to be tarred, feathered and shoved up the place where its
authors heads are. Sure, theoretically A could be compiled into
lock
x &= 1;
x ^= 1;
unlock
but who the hell would do something like that?
next prev parent reply other threads:[~2026-04-08 23:00 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2026-03-11 8:02 KCSAN: data-race in __d_drop / retain_dentry Jianzhou Zhao
2026-03-11 7:55 ` KCSAN: data-race in step_into_slowpath / vfs_unlink Jianzhou Zhao
2026-03-11 7:49 ` KCSAN: data-race in __remove_assoc_queue / mark_buffer_dirty_inode Jianzhou Zhao
2026-03-11 2:54 ` KCSAN: data-race in path_lookupat / vfs_rename Jianzhou Zhao
2026-03-11 10:38 ` KCSAN: data-race in __d_drop / retain_dentry Christian Brauner
2026-04-08 23:04 ` Al Viro [this message]
2026-04-08 23:06 ` KCSAN: data-race in path_lookupat / vfs_rename Al Viro
2026-03-17 12:37 ` KCSAN: data-race in __remove_assoc_queue / mark_buffer_dirty_inode Jan Kara
2026-04-08 23:12 ` KCSAN: data-race in __d_drop / retain_dentry Al Viro
2026-04-08 23:34 ` Al Viro
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20260408230422.GK3836593@ZenIV \
--to=viro@zeniv.linux.org.uk \
--cc=brauner@kernel.org \
--cc=jack@suse.cz \
--cc=linux-fsdevel@vger.kernel.org \
--cc=linux-kernel@vger.kernel.org \
--cc=luckd0g@163.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.