Hi,
We found a data race in linux kernel 5.3.11 that we are able to reproduce in x86 under specific interleavings. Currently, we are not sure about the consequence of this race but we noticed that the reader is not protected while the writer is. Thus, we would like to confirm with the community if this is a harmful bug.
------------------------------------------
Writer site
/tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/fs/pipe.c:575
570 static void put_pipe_info(struct inode *inode, struct pipe_inode_info *pipe)
571 {
572 int kill = 0;
573
574 spin_lock(&inode->i_lock);
==> 575 if (!--pipe->files) {
576 inode->i_pipe = NULL;
577 kill = 1;
578 }
579 spin_unlock(&inode->i_lock);
580
581 if (kill)
582 free_pipe_info(pipe);
583 }
------------------------------------------
Reader site
/tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/fs/pipe.c:62
60 static void pipe_lock_nested(struct pipe_inode_info *pipe, int subclass)
61 {
==> 62 if (pipe->files)
63 mutex_lock_nested(&pipe->mutex, subclass);
64 }
------------------------------------------
Writer calling trace
- exit_to_usermode_loop
-- tracehook_notify_resume
--- task_work_run
---- __fput()
----- pipe_release()
------ put_pipe_info
------------------------------------------
Reader calling trace
- do_epoll_wait
-- schedule_hrtimeout_range
--- schedule_hrtimeout_range_clock
---- schedule
----- pipe_lock
———
pipe_lock_nested
Thanks,
Sishuai
