Hi,

We found a concurrency bug in Linux 5.12-rc3 and we are able to reproduce it on x86. This bug happens when the two configfs functions configfs_dir_lseek() and configfs_lookup() are running in parallel. configfs_dir_lseek() is deleting an entry while configfs_lookup() is accessing that entry, as shown below.

------------------------------------------
Execution interleaving

Thread 1                                  Thread 2
configfs_dir_lseek()                      configfs_lookup()
                                          if (!configfs_dirent_is_ready(parent_sd))
                                          // configfs_dirent_lock is released after configfs_dirent_is_ready()
                                          list_for_each_entry(sd, &parent_sd->s_children, s_sibling)
spin_lock(&configfs_dirent_lock);
list_del(&cursor->s_sibling);
                                          list_for_each_entry(sd, &parent_sd->s_children, s_sibling) // error happens

------------------------------------------
Impact & fix

Eventually, this bug can cause a kernel NULL pointer dereference error, as attached below. We think a potential fix is to use list_for_each_entry_safe() instead of list_for_each_entry() in configfs_lookup().
------------------------------------------
Console output

[  809.642609][T10805] BUG: kernel NULL pointer dereference, address: 00000118
[  810.198062][T10805] #PF: supervisor read access in kernel mode
[  810.836171][T10805] #PF: error_code(0x0000) - not-present page
[  811.361680][T10805] *pde = 00000000
[  811.869905][T10805] Oops: 0000 [#1] PREEMPT SMP
[  812.386532][T10805] CPU: 1 PID: 10805 Comm: executor Not tainted 5.12.0-rc3 #3
[  813.377094][T10805] Hardware name: Bochs Bochs, BIOS Bochs 01/01/2007
[  813.896812][T10805] EIP: configfs_lookup+0x44/0x1a0
[  814.431935][T10805] Code: 01 b8 f8 15 2f c4 8b 5f 20 e8 08 fd bb 01 b9 fe ff ff ff 81 e3 00 04 00 00 85 db 75 2f 8b 47 10 83 c7 10 8d 58 f8 39 c7 74 10 <f6> 43 20 0c 75 26 8b 43 08 8d 58 f8 39 c7 75 f0 81 7e 18 ff 00 00
[  815.925387][T10805] EAX: 00000100 EBX: 000000f8 ECX: fffffffe EDX: c10d1cb0
[  816.450272][T10805] ESI: cd029900 EDI: c3c50930 EBP: cf54ff04 ESP: cf54fef4
[  816.986662][T10805] DS: 007b ES: 007b FS: 00d8 GS: 00e0 SS: 0068 EFLAGS: 00000286
[  818.033135][T10805] CR0: 80050033 CR2: 00000118 CR3: 0efd3000 CR4: 00000690
[  818.567560][T10805] DR0: 00000000 DR1: 00000000 DR2: 00000000 DR3: 00000000
[  819.109192][T10805] DR6: 00000000 DR7: 00000000
[  819.666769][T10805] Call Trace:
[  820.179775][T10805]  __lookup_hash+0x50/0x80
[  820.702414][T10805]  filename_create+0x70/0x130
[  821.238903][T10805]  do_symlinkat+0x4e/0x100
[  821.776290][T10805]  __ia32_sys_symlinkat+0x10/0x20
[  822.375670][T10805]  __do_fast_syscall_32+0x40/0x70
[  823.000644][T10805]  do_fast_syscall_32+0x29/0x60
[  823.494806][T10805]  do_SYNTER_32+0x15/0x20

Thanks,
Sishuai
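The interleaving in the report, replayed in user space as an added example (editor's code, not part of the report and not configfs or kernel code). The list helpers follow the shape of the kernel's list.h, including the pointer poisoning that list_del() does; struct dirent, the lock flag and the two "thread" functions are simplified stand-ins with assumed names, and the schedule is scripted in a single thread so the window between Thread 1's list_del() and Thread 2's next iteration is hit every time. The poison value 0x100 is LIST_POISON1 on 32-bit x86, which is consistent with the oops above (EAX = 0x100, EBX = 0xf8 after subtracting the s_sibling offset, and a read at 0xf8 + 0x20 = 0x118, the faulting address). The hardened variant simply keeps the lock held across the whole walk, so the deleting side cannot interleave; the example does not evaluate the report's own proposed fix.

```c
/* Added example (editor's code, not from the report or the kernel): scripted
 * single-threaded replay of the configfs_dir_lseek()/configfs_lookup() race. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct list_head { struct list_head *next, *prev; };

/* list_del() poison values as on 32-bit x86 (POISON_POINTER_DELTA == 0). */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)

#define container_of(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }

static void list_add_tail(struct list_head *n, struct list_head *head)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n;  head->prev = n;
}

/* Unlink and poison, the part of the kernel helper that matters here. */
static void list_del(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = LIST_POISON1;  n->prev = LIST_POISON2;
}

#define CONFIGFS_ITEM_ATTR  0x04
#define CONFIGFS_NOT_PINNED 0x0c   /* CONFIGFS_ITEM_ATTR | CONFIGFS_ITEM_BIN_ATTR */

/* Assumed stand-in for struct configfs_dirent: only the fields the race touches. */
struct dirent {
    struct list_head s_sibling;
    struct list_head s_children;
    int s_type;
};

/* Assumed stand-in for configfs_dirent_lock; a flag suffices for a scripted replay. */
static int lock_held;
static int  spin_trylock_model(void) { if (lock_held) return 0; lock_held = 1; return 1; }
static void spin_unlock_model(void)  { lock_held = 0; }

/* Thread 1: the spin_lock()+list_del() step of configfs_dir_lseek().
 * Returns 0 when Thread 2 holds the lock, i.e. Thread 1 would still be spinning. */
static int thread1_delete_cursor(struct dirent *cursor)
{
    if (!spin_trylock_model()) return 0;
    list_del(&cursor->s_sibling);
    spin_unlock_model();
    return 1;
}

/* Thread 2: the list_for_each_entry() walk of configfs_lookup(). 'interleave' is
 * called on every visited entry so the replay can run Thread 1 mid-walk.
 * Returns 0 for a clean walk, or the address the next iteration would read once
 * sd->s_sibling.next has been poisoned underneath it: container_of() on the
 * poison yields a bogus entry and the s_type test on it is the faulting read. */
static uintptr_t thread2_lookup_walk(struct dirent *parent, int hold_lock,
                                     int (*interleave)(struct dirent *, void *),
                                     void *arg, int *matched)
{
    struct dirent *sd;
    uintptr_t fault = 0;

    *matched = 0;
    if (hold_lock) spin_trylock_model();   /* nobody else holds it when the walk starts */
    for (sd = container_of(parent->s_children.next, struct dirent, s_sibling);
         &sd->s_sibling != &parent->s_children;
         sd = container_of(sd->s_sibling.next, struct dirent, s_sibling)) {
        if (interleave) interleave(sd, arg);
        if (sd->s_type & CONFIGFS_NOT_PINNED) (*matched)++;
        if (sd->s_sibling.next == LIST_POISON1) {
            fault = (uintptr_t)LIST_POISON1 - offsetof(struct dirent, s_sibling)
                  + offsetof(struct dirent, s_type);
            break;                           /* the kernel would fault here */
        }
    }
    if (hold_lock) spin_unlock_model();
    return fault;
}

struct replay { struct dirent *cursor; int thread1_ran; };

/* Scheduler for the replay: once Thread 2 is positioned on the cursor entry,
 * let Thread 1 attempt its spin_lock()+list_del(). */
static int run_thread1_at_cursor(struct dirent *sd, void *arg)
{
    struct replay *r = arg;
    if (sd == r->cursor && !r->thread1_ran)
        r->thread1_ran = thread1_delete_cursor(r->cursor);
    return r->thread1_ran;
}

/* Builds a parent with one attribute and one lseek cursor (constructed data) and
 * replays the report's schedule. hold_lock == 0 reproduces the bug; 1 keeps the
 * lock across the whole walk so Thread 1's list_del() can only run afterwards. */
static uintptr_t replay_race(int hold_lock, int *matched)
{
    struct dirent parent, attr, cursor;
    struct replay r = { &cursor, 0 };
    uintptr_t fault;

    INIT_LIST_HEAD(&parent.s_children);
    attr.s_type   = CONFIGFS_ITEM_ATTR; list_add_tail(&attr.s_sibling,   &parent.s_children);
    cursor.s_type = 0;                  list_add_tail(&cursor.s_sibling, &parent.s_children);

    fault = thread2_lookup_walk(&parent, hold_lock, run_thread1_at_cursor, &r, matched);
    if (!r.thread1_ran)
        thread1_delete_cursor(&cursor);  /* Thread 1 finally gets the lock */
    return fault;
}

int main(void)
{
    int m;
    uintptr_t f = replay_race(0, &m);
    printf("unlocked walk: would fault reading %#lx, matched %d\n", (unsigned long)f, m);
    f = replay_race(1, &m);
    printf("locked walk:   fault %#lx, matched %d\n", (unsigned long)f, m);
    return 0;
}
```

The faulting address reported by the unlocked replay depends on the host's struct layout (0x100 plus offsetof(struct dirent, s_type) here); in the kernel's real struct configfs_dirent on 32-bit x86 the same arithmetic lands on 0x118, which is what the oops shows in CR2. The locked walk visits both entries, never observes a poisoned link, and Thread 1's deletion happens only after the walk has released the lock.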