[bug report] Potential order violation in fs/dlm/midcomms.c, between 'dlm_midcomms_addr()' and 'dlm_midcomms_exit()'
From: Ginger
Date: Thu Apr 23 2026 - 01:35:27 EST

Dear Linux kernel maintainers,

My research-based static analyzer found a potential atomicity bug
within the 'fs/dlm' subsystem, more specifically, in
'fs/dlm/midcomms.c'.

Kernel version: long-term kernel v6.18.9

Potential concurrent triggering executions:

T0:
dlm_midcomms_addr
--> node = kmalloc(sizeof(*node))
--> hlist_add_head_rcu(&node->hlist, &node_hash[r]); [t0]
--> node->debugfs = dlm_create_debug_comms_file(nodeid, node); [t3]

T1:
dlm_midcomms_exit
--> hlist_for_each_entry_rcu(node, &node_hash[i], hlist) [t1]
--> dlm_delete_debug_comms_file(node->debugfs); [t2]

In T0, the freshly allocated midcomms_node is first added to the
globally visible 'node_hash' list, and then has its 'debugfs' field
set up.

In this case, in T1, the exit function can first iterate over the
'node_hash' list and access a 'debugfs' field that has not been set up
yet.

The concurrent buggy order is t0 -> t1 -> t2 -> t3, causing an order violation.

Please kindly check at your convenience. Thank you for your time and
consideration.

Best regards,
Ginger
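The publish-before-initialise pattern in the report, as an added example that is not part of the report and not kernel code. The model below replaces the kernel's hlist and debugfs with stand-ins (node_hash, struct midcomms_node, publish(), init_debugfs(), the DEBUGFS_UNSET sentinel and worst_window() are all names chosen for this example) and drives T0 one step at a time, letting T1's walk run in every gap. It shows why the reported order t0 -> t1 -> t2 -> t3 exposes a half-built node, and that completing every field before the node becomes reachable leaves no such window in any interleaving.

```c
/* Constructed model of the ordering in the report. This is not kernel code:
 * node_hash, struct midcomms_node, publish(), init_debugfs() and the
 * DEBUGFS_UNSET sentinel are stand-ins chosen for this example. */
#include <stdio.h>
#include <stdlib.h>

#define NODE_HASH_SIZE 8
/* kmalloc() does not zero memory; this sentinel models the garbage a reader
 * would find in 'debugfs' before [t3] has run. */
#define DEBUGFS_UNSET ((void *)0x1)

struct midcomms_node {
    int nodeid;
    void *debugfs;                  /* stand-in for the debugfs dentry pointer */
    struct midcomms_node *next;     /* stand-in for hlist_node */
};

static struct midcomms_node *node_hash[NODE_HASH_SIZE];
static char debug_file_token;       /* any non-NULL, non-sentinel value */

static struct midcomms_node *alloc_node(int nodeid)
{
    struct midcomms_node *node = malloc(sizeof(*node));
    if (!node)
        abort();
    node->nodeid = nodeid;
    node->debugfs = DEBUGFS_UNSET;  /* models the uninitialised field */
    node->next = NULL;
    return node;
}

/* [t0]: make the node reachable from the global table. */
static void publish(struct midcomms_node *node)
{
    int r = node->nodeid % NODE_HASH_SIZE;
    node->next = node_hash[r];
    node_hash[r] = node;
}

/* [t3]: set up the per-node debugfs handle. */
static void init_debugfs(struct midcomms_node *node)
{
    node->debugfs = &debug_file_token;
}

/* What T1 ('dlm_midcomms_exit') does at [t1]/[t2]: walk every bucket and
 * tear down each node's debugfs handle. Here we only count how many nodes
 * it would touch before their 'debugfs' field was set up. */
static int exit_walk_count_uninitialised(void)
{
    int bad = 0;
    for (int i = 0; i < NODE_HASH_SIZE; i++)
        for (struct midcomms_node *n = node_hash[i]; n; n = n->next)
            if (n->debugfs == DEBUGFS_UNSET)
                bad++;
    return bad;
}

static void reset_node_hash(void)
{
    for (int i = 0; i < NODE_HASH_SIZE; i++) {
        while (node_hash[i]) {
            struct midcomms_node *n = node_hash[i];
            node_hash[i] = n->next;
            free(n);
        }
    }
}

/* Drive T0 step by step and let T1's walk run in every possible gap
 * (before, between and after the two steps). Returns the largest number of
 * half-built nodes T1 could observe; 0 means no interleaving exposes one. */
static int worst_window(int nodeid, int init_before_publish)
{
    struct midcomms_node *node = alloc_node(nodeid);
    int worst = 0, bad;

    bad = exit_walk_count_uninitialised();          /* T1 runs before T0 */
    if (bad > worst) worst = bad;

    if (init_before_publish)
        init_debugfs(node);
    else
        publish(node);                              /* reported order: [t0] first */

    bad = exit_walk_count_uninitialised();          /* T1 runs between the steps */
    if (bad > worst) worst = bad;

    if (init_before_publish)
        publish(node);
    else
        init_debugfs(node);                         /* reported order: [t3] last */

    bad = exit_walk_count_uninitialised();          /* T1 runs after T0 */
    if (bad > worst) worst = bad;
    return worst;
}

int main(void)
{
    printf("publish then init: worst window = %d\n", worst_window(3, 0));
    reset_node_hash();
    printf("init then publish: worst window = %d\n", worst_window(3, 1));
    reset_node_hash();
    return 0;
}
```

The fix the model demonstrates is the usual one for RCU-published objects: every field a reader may dereference is written before the pointer that makes the object reachable is published. The other common remedy, not shown here, is to allocate zeroed memory so the field reads NULL rather than garbage and to have the teardown treat NULL as "nothing to remove"; in this model that would mean having the walk skip NULL handles.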