Re: BUG: KCSAN: data-race in _copy_to_iter / ext4_generic_delete_entry
From: Theodore Tso
Date: Wed Mar 11 2026 - 10:40:25 EST

On Wed, Mar 11, 2026 at 04:04:28PM +0800, Jianzhou Zhao wrote:
> Subject: [BUG] ext4: KCSAN: data-race in _copy_to_iter / ext4_generic_delete_entry
>
> Dear Maintainers,
>
> We are writing to report a KCSAN-detected data race vulnerability
> within `ext4` and the block device layer. This bug was found by our
> custom fuzzing tool, RacePilot. The race occurs when
> `ext4_generic_delete_entry` modifies the `rec_len` of a previous
> directory entry (via a 2-byte write) during a path unlink operation,
> while a concurrent thread directly accesses the raw block device of
> the mounted filesystem (via `read()`), executing `_copy_to_iter()`
> which blindly bulk-reads the buffer underlying the filesystem page
> cache. We observed this bug on the Linux kernel version
> 6.18.0-08691-g2061f18ad76e-dirty.

Any attempt to read from a block device while it is mounted is
subject to arbitrary race conditions; there is no guarantee that the
file system contents accessed by userspace are going to be consistent.
In fact, it's practically guaranteed that they will not be consistent.
So this is considered NOTABUG.

- Ted