From: OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
To: tejas bharambe <tejas.bharambe@outlook.com>
Cc: "linux-kernel@vger.kernel.org" <linux-kernel@vger.kernel.org>,
"syzbot+56be2a55de6142438317@syzkaller.appspotmail.com"
<syzbot+56be2a55de6142438317@syzkaller.appspotmail.com>
Subject: Re: [PATCH] fat: fix data race in fat_clusters_flush between free_clusters access
Date: Sun, 01 Mar 2026 12:33:27 +0900 [thread overview]
Message-ID: <87bjh8b4vs.fsf@mail.parknet.co.jp> (raw)
In-Reply-To: <JH0PR06MB6632486E67725454B3B71F958970A@JH0PR06MB6632.apcprd06.prod.outlook.com>
tejas bharambe <tejas.bharambe@outlook.com> writes:
> From b1b914bdde5bc450eb586141823ba34924606b49 Mon Sep 17 00:00:00 2001
> From: Tejas Bharambe <tejas.bharambe@outlook.com>
> Date: Sat, 28 Feb 2026 09:58:20 -0800
> Subject: [PATCH] fat: fix data race in fat_clusters_flush between
> free_clusters access
>
> fat_clusters_flush() reads sbi->free_clusters and sbi->prev_free
> without holding sbi->fat_lock, while fat_alloc_clusters() modifies
> these fields under the lock. This causes a data race detected by KCSAN.
>
> Fix this by acquiring sbi->fat_lock around the read of these fields
> in fat_clusters_flush().
>
> Reported-by: syzbot+56be2a55de6142438317@syzkaller.appspotmail.com
> Closes: https://syzkaller.appspot.com/bug?extid=56be2a55de6142438317
> Signed-off-by: Tejas Bharambe <tejas.bharambe@outlook.com>
What is the real issue with this race other than KCSAN says?
fat_clusters_flush() is called only after being marked as dirty. And it is
dirty only after the modification of those fields has completed.
AFAICT, the on-disk data is fixed until unmount even if there is temporary
corruption. Or can you reproduce real corruption with this race?
Thanks.
> ---
> fs/fat/misc.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/fs/fat/misc.c b/fs/fat/misc.c
> index b154a51627..7d257a5694 100644
> --- a/fs/fat/misc.c
> +++ b/fs/fat/misc.c
> @@ -89,10 +89,12 @@ int fat_clusters_flush(struct super_block *sb)
> le32_to_cpu(fsinfo->signature2),
> sbi->fsinfo_sector);
> } else {
> + mutex_lock(&sbi->fat_lock);
> if (sbi->free_clusters != -1)
> fsinfo->free_clusters = cpu_to_le32(sbi->free_clusters);
> if (sbi->prev_free != -1)
> fsinfo->next_cluster = cpu_to_le32(sbi->prev_free);
> + mutex_unlock(&sbi->fat_lock);
> mark_buffer_dirty(bh);
> }
> brelse(bh);
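Review bot: the hunk takes sbi->fat_lock, a mutex, inside fat_clusters_flush() without the commit message establishing that no caller reaches this else-branch with fat_lock already held; a nested mutex_lock() there would self-deadlock, so the message should name the callers of fat_clusters_flush() and their locking state. Since the message identifies the problem only as a KCSAN report, it should also say why a lock rather than READ_ONCE()/WRITE_ONCE() (or data_race()) annotations on free_clusters and prev_free is the right fix: the lock adds a sleeping section to the flush path to copy two fields that may be stale the moment the lock is dropped, and mark_buffer_dirty(bh) still runs outside it.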
--
OGAWA Hirofumi <hirofumi@mail.parknet.co.jp>
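To make the race in the commit message concrete, here is an added userspace model; it is not code from the patch, the kernel or either author. A writer thread updates two fields as a pair under a mutex, the way fat_alloc_clusters() updates sbi->free_clusters and sbi->prev_free under sbi->fat_lock, and a reader snapshots the pair either without the lock (pre-patch fat_clusters_flush()) or under it (the patched version). The struct, the invariant prev_free == free_clusters + 1000 and the update count are constructed for the demonstration so that a torn snapshot (one field from update N, the other from update N-1) can be counted.

```c
/*
 * Added example (not kernel code): pthreads model of a paired-field update
 * racing against a lock-free snapshot. Build: cc -O2 -pthread race_model.c
 */
#include <pthread.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

#define INVARIANT_OFFSET 1000u   /* constructed: prev_free = free_clusters + this */
#define UPDATES          100000  /* constructed number of writer updates */

/* Stand-in for the relevant part of struct msdos_sb_info. */
struct sbi_model {
    pthread_mutex_t fat_lock;
    unsigned int free_clusters;  /* plain fields, as in the kernel struct */
    unsigned int prev_free;
    _Atomic bool done;
};

/* Stand-in for fat_alloc_clusters(): modify both fields under fat_lock. */
static void *writer(void *arg)
{
    struct sbi_model *sbi = arg;
    for (unsigned int i = 1; i <= UPDATES; i++) {
        pthread_mutex_lock(&sbi->fat_lock);
        sbi->free_clusters = i;
        sbi->prev_free = i + INVARIANT_OFFSET;
        pthread_mutex_unlock(&sbi->fat_lock);
    }
    atomic_store(&sbi->done, true);
    return NULL;
}

/* Snapshot as fat_clusters_flush() did before the patch: no lock. Relaxed
 * atomic loads stand in for the kernel's plain loads so this model has no
 * C undefined behaviour; they still let the two fields come from different
 * updates. Returns true if the pair is consistent. */
static bool snapshot_unlocked(struct sbi_model *sbi, unsigned int *fc, unsigned int *pf)
{
    *fc = __atomic_load_n(&sbi->free_clusters, __ATOMIC_RELAXED);
    *pf = __atomic_load_n(&sbi->prev_free, __ATOMIC_RELAXED);
    return *pf == *fc + INVARIANT_OFFSET;
}

/* Snapshot as the patched fat_clusters_flush() does: under fat_lock. */
static bool snapshot_locked(struct sbi_model *sbi, unsigned int *fc, unsigned int *pf)
{
    pthread_mutex_lock(&sbi->fat_lock);
    *fc = sbi->free_clusters;
    *pf = sbi->prev_free;
    pthread_mutex_unlock(&sbi->fat_lock);
    return *pf == *fc + INVARIANT_OFFSET;
}

/* Run one writer against one reader; return how many snapshots were torn. */
static unsigned long count_torn(bool use_lock)
{
    struct sbi_model sbi = { .free_clusters = 0, .prev_free = INVARIANT_OFFSET };
    pthread_mutex_init(&sbi.fat_lock, NULL);

    pthread_t tid;
    if (pthread_create(&tid, NULL, writer, &sbi) != 0) {
        perror("pthread_create");
        exit(1);
    }

    unsigned long torn = 0;
    unsigned int fc, pf;
    while (!atomic_load(&sbi.done)) {
        bool ok = use_lock ? snapshot_locked(&sbi, &fc, &pf)
                           : snapshot_unlocked(&sbi, &fc, &pf);
        if (!ok)
            torn++;
    }
    pthread_join(tid, NULL);
    pthread_mutex_destroy(&sbi.fat_lock);
    return torn;
}

int main(void)
{
    printf("unlocked snapshots torn: %lu\n", count_torn(false));
    printf("locked   snapshots torn: %lu\n", count_torn(true));
    return 0;
}
```

The unlocked count is whatever the scheduler happens to produce (often non-zero on a multi-core machine, possibly zero on a single core); the locked count is always zero. That is the whole content of the KCSAN report: the reader can copy free_clusters from one allocation and prev_free from the previous one. Whether that stale pair matters on disk is exactly the question raised in the reply above, and the model does not answer it; it only shows what the unlocked reader can observe.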
2026-02-28 18:29 [PATCH] fat: fix data race in fat_clusters_flush between free_clusters access tejas bharambe
2026-03-01 3:33 ` OGAWA Hirofumi [this message]
2026-03-03 7:29 ` tejas bharambe