Hi,

We found a potential concurrency bug in Linux kernel 5.3.11. We were able to reproduce this bug in x86 under specific thread interleavings. This bug causes a “checksum invalid” EXT4-fs error.

------------------------------------------
Kernel console output

EXT4-fs error (device sda1): swap_inode_boot_loader:124: inode #5: comm ski-executor:iget: checksum invalid

------------------------------------------
Test input

This bug occurs when a kernel test program is executed twice in different threads and run concurrently. Our analysis has located that it happens when syscall ioctl with the EXT4_IOC_SWAP_BOOT flag is called twice and interleaves with itself.

The test program is generated by Syzkaller as follows:

r0 = creat(&(0x7f0000000080)='./file0\x00', 0x0)
ioctl$FS_IOC_SETFLAGS(r0, 0x40046602, &(0x7f0000000040))
r1 = creat(&(0x7f0000000000)='./file0\x00', 0x0)
pwrite64(r1, &(0x7f00000000c0)='\x00', 0x1, 0x1010000)
r2 = creat(&(0x7f0000000000)='./file0\x00', 0x0)
ioctl$EXT4_IOC_SWAP_BOOT(r2, 0x6611)

------------------------------------------
Interleaving

Our analysis revealed that the following interleaving triggers the bug.

CPU0                                            CPU1
swap_inode_boot_loader()
…
bytes = inode_bl->i_bytes;
inode_bl->i_blocks = inode->i_blocks;
inode_bl->i_bytes = inode->i_bytes;
---> err = ext4_mark_inode_dirty(handle, inode_bl);
ext4_mark_iloc_dirty() (fs/ext4/ioctl.c: 223)
ext4_do_update_inode()
ext4_inode_csum_set()
ext4_has_metadata_sum()
ext4_inode_csum()
ext4_chksum()
crypto_shash_update()
chksum_update()
[context switch]
                                                swap_inode_boot_loader()
                                                ext4_iget()
                                                ext4_inode_csum_verify(fs/ext4/inode.c:4927)
                                                [EXT4-fs error]

Thanks,
Sishuai
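The window in the interleaving above can be modelled in user space; this is an added example, not part of the original report and not kernel code. It shows a reader verifying the checksum after the size fields change but before the new checksum is stored, next to the same reader running once the update is complete. Assumptions: `struct raw_inode`, the FNV-1a toy checksum, `swap_and_observe()`, `sample_inode()` and the sample values are all hypothetical, and the serialized case only illustrates the ordering; it is not a proposed kernel fix.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical stand-in for the raw inode fields named in the report. */
struct raw_inode { uint32_t i_blocks, i_bytes, i_csum; };

/* Toy FNV-1a checksum; an assumption standing in for ext4's real checksum. */
static uint32_t mix(uint32_t h, uint32_t v)
{
    for (int i = 0; i < 4; i++, v >>= 8)
        h = (h ^ (v & 0xffu)) * 16777619u;
    return h;
}

static uint32_t inode_csum(const struct raw_inode *r)
{
    return mix(mix(2166136261u, r->i_blocks), r->i_bytes);
}
/* Reader side (CPU1 in the report): 1 if stored checksum matches the fields. */
static int csum_verify(const struct raw_inode *r)
{
    return r->i_csum == inode_csum(r);
}

/* Writer side (CPU0): update the fields, then store the checksum. Returns what
 * a reader sees inside that window (in_window) or after the update completes. */
static int swap_and_observe(struct raw_inode *r, uint32_t blocks,
                            uint32_t bytes, int in_window)
{
    r->i_blocks = blocks;
    r->i_bytes = bytes;
    int torn = csum_verify(r);          /* new fields, stale i_csum */
    r->i_csum = inode_csum(r);
    return in_window ? torn : csum_verify(r);
}

static struct raw_inode sample_inode(void)   /* constructed sample data */
{
    struct raw_inode r = { 8, 0, 0 };
    r.i_csum = inode_csum(&r);
    return r;
}

int main(void)
{
    struct raw_inode a = sample_inode(), b = sample_inode();
    printf("reader in window:  %d\n", swap_and_observe(&a, 16, 0, 1));
    printf("reader serialized: %d\n", swap_and_observe(&b, 16, 0, 0));
    return 0;
}
```

In this model the mismatch is transient: once the writer stores the checksum the inode verifies again, so only a reader that lands inside the window reports an error.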