[bug report] potential order violation bug in 'fs/f2fs/segment.c', in '__create_discard

public inbox for linux-kernel@vger.kernel.org
 help / color / mirror / Atom feed

* [bug report] potential order violation bug in 'fs/f2fs/segment.c', in '__create_discard_cmd'
@ 2026-04-23  5:48 Ginger
  2026-05-03  9:00 ` Chao Yu
  0 siblings, 1 reply; 2+ messages in thread
From: Ginger @ 2026-04-23  5:48 UTC (permalink / raw)
  To: jaegeuk, chao; +Cc: linux-f2fs-devel, linux-kernel

Dear Linux kernel maintainers,

My research-based static analyzer found a potential atomicity bug
within the 'fs/f2fs' subsystem, more specifically, in
'fs/f2fs/segment.c'.

Kernel version: long-term kernel v6.18.9

Potential concurrent triggering executions:
T0:
__create_discard_cmd
     --> dc = f2fs_kmem_cache_alloc(discard_cmd_slab, GFP_NOFS, true, NULL);
     --> list_add_tail(&dc->list, pend_list);
     --> spin_lock_init(&dc->lock);
     --> dc->bio_ref = 0;

In T0, the freshly allocated 'struct discard_cmd *dc' is first added
to the globally visible list 'pend_list' (i.e., from
dcc->pend_list[plist_idx(len)]'.
However, its fields like 'dc->lock' and 'dc->bio_ref' are set up after
being globally visible.
This violated the expected order of setting up private local heap
variables before exposing them to the global state, causing potential
concurrency bugs with '__issue_discard_cmd()' or
'__submit_discard_cmd()' within 'fs/f2fs/segment.c'.

Please kindly check at your convenience. Thank you for your time and
consideration.

Best regards,
Ginger

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: [bug report] potential order violation bug in 'fs/f2fs/segment.c', in '__create_discard_cmd'
  2026-04-23  5:48 [bug report] potential order violation bug in 'fs/f2fs/segment.c', in '__create_discard_cmd' Ginger
@ 2026-05-03  9:00 ` Chao Yu
  0 siblings, 0 replies; 2+ messages in thread
From: Chao Yu @ 2026-05-03  9:00 UTC (permalink / raw)
  To: Ginger, jaegeuk; +Cc: chao, linux-f2fs-devel, linux-kernel

On 4/23/26 13:48, Ginger wrote:
> Dear Linux kernel maintainers,
> 
> My research-based static analyzer found a potential atomicity bug
> within the 'fs/f2fs' subsystem, more specifically, in
> 'fs/f2fs/segment.c'.
> 
> Kernel version: long-term kernel v6.18.9
> 
> Potential concurrent triggering executions:
> T0:
> __create_discard_cmd
>       --> dc = f2fs_kmem_cache_alloc(discard_cmd_slab, GFP_NOFS, true, NULL);
>       --> list_add_tail(&dc->list, pend_list);
>       --> spin_lock_init(&dc->lock);
>       --> dc->bio_ref = 0;

Hi,

Actually, fields of dc entries are protected by dcc->cmd_lock, so it should be
fine? it needs to fix static analyzer? IIUC.

Thanks,

> 
> In T0, the freshly allocated 'struct discard_cmd *dc' is first added
> to the globally visible list 'pend_list' (i.e., from
> dcc->pend_list[plist_idx(len)]'.
> However, its fields like 'dc->lock' and 'dc->bio_ref' are set up after
> being globally visible.
> This violated the expected order of setting up private local heap
> variables before exposing them to the global state, causing potential
> concurrency bugs with '__issue_discard_cmd()' or
> '__submit_discard_cmd()' within 'fs/f2fs/segment.c'.
> 
> Please kindly check at your convenience. Thank you for your time and
> consideration.
> 
> Best regards,
> Ginger


^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2026-05-03  9:00 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-23  5:48 [bug report] potential order violation bug in 'fs/f2fs/segment.c', in '__create_discard_cmd' Ginger
2026-05-03  9:00 ` Chao Yu

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox