Received: by 2002:a25:1506:0:0:0:0:0 with SMTP id 6csp156171ybv;
        Tue, 18 Feb 2020 20:05:23 -0800 (PST)
X-Google-Smtp-Source: APXvYqzv3KQ8nojPm0JiKrEbdc1GZp3zLzu+jDrbt7NmRWPdJaD+rdV9Sw2+5zhfUZ5SlpZU+HOT
X-Received: by 2002:aca:b183:: with SMTP id a125mr3474140oif.83.1582085123402;
        Tue, 18 Feb 2020 20:05:23 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1582085123; cv=none;
        d=google.com; s=arc-20160816;
        b=AdOSBFWY0RKlUYfHLY99gMgKui4BTZFHiyyvbq+iyg+sxJwrvXU252tQqbGHd+KcRv
         6Beg6slICoUmPpstFSDhI66asbyHqyLkPDoisHxpVFOC+L4fY9vKWgjYLdgBBpBvadrV
         7aDo3/tXgEiwDqH0s8VBg/Jrrqr8Lr5AmOH1UrSZQ/yt+pyWqJFm0RUXcvNFCS52AgGO
         v7eqfyfUyhli22iAkpA1yC8DdNPI/v1Ruvmpsv7Ui25dMPmj7RkgAMlVBAgj1m7ZeOeh
         /brXsrcI9+Utx+BNgs4q8CQ212v7Ohuwkny1GOywIDXsDgbd6R7oQHZcMkasioWDJPwH
         LPzQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=oP2MqxukizBRlPC9SfvqBAcpKQDQ39+MBV8Jn9d7IdU=;
        b=p1LIrFK2mQOPTLU3gzDcf8fKyITLvFFjF7CKG2PfiP00YLThdsrksnvsGpR3Wsb3QB
         9WT3eFEueuAwqGpG6FpMpHzf9V5kY7H06RXevo5vp758EtzjSYHkounnXpEdCnKwvcMs
         /DGW6cOiT7o1l8ZZCZEQV2RQoz5wpXlo3Jwt0SU56EPmmOD/UUXokvC2Zf6H6f52JTlP
         kvTgDXCEUlvCSnnA75Y8n8VxqiNXm0tY3AukmQ7otNNnvH6uqIP1BK66rKOXXCdj/85c
         U65wm17IC+WMHVKry9vT4t07S0L7HQ5AkgstSuO1ov65M9aTV2cgk0JFfENid4PIv40K
         jVWg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@lca.pw header.s=google header.b=knLDS9Ro;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id f81si8942359oig.110.2020.02.18.20.05.11;
        Tue, 18 Feb 2020 20:05:23 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@lca.pw header.s=google header.b=knLDS9Ro;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726548AbgBSEEr (ORCPT <rfc822;xiaochao379261131@gmail.com>
        + 99 others); Tue, 18 Feb 2020 23:04:47 -0500
Received: from mail-qt1-f196.google.com ([209.85.160.196]:42740 "EHLO
        mail-qt1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726439AbgBSEEr (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 18 Feb 2020 23:04:47 -0500
Received: by mail-qt1-f196.google.com with SMTP id r5so16235675qtt.9
        for <linux-kernel@vger.kernel.org>; Tue, 18 Feb 2020 20:04:46 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=lca.pw; s=google;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=oP2MqxukizBRlPC9SfvqBAcpKQDQ39+MBV8Jn9d7IdU=;
        b=knLDS9RoP4max5hfagxZux9hUSAX4uFXfIJOs4Pl2iD9XJS0gDytXhY535GWwyXKmN
         GJGwl+8ma/bF3nRhUMOQSPTgsNO/7vN7ewM5h8CkBZnCKRxP101mDXAPZcn6FYdj448X
         0inKFN/p2mRk2G19n6AB6ukXJyEI6j0DXLgym23pawd/vSoFtufYh7mTtUO6o+y/vjw2
         e1USu3q3AkJyEWBUdYnDTdoEEfoz03ddfy9+SkuecdjATdIvFhRcOs1uXasqBzGjRHMR
         vJ1UwDMKKfS0aJHfclnzQaWPADxOLlMObvWb9NCenfbbY11xlpkRGRjdmJZ2WfSEOgkl
         6KFA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=oP2MqxukizBRlPC9SfvqBAcpKQDQ39+MBV8Jn9d7IdU=;
        b=OPdH0UlMQM4SJV/eBzxvSbqljVDKXY8RUy3z22woyYzzqnxzBdCwo3UiaYzSL+bUWi
         Fy64f8vFSeWcgRxrM5FiUiuk3oWMOvQErMMTWlVThgwvHvTQVop7Pdrop4s6+d3qRTji
         fUHJ+UPK7zQksR7Zk9GNOJKSWjNIDq1hDUyCvD+3nEvoNT4FA9rcvpfhNOqe4cHLqaBd
         1xbvFlET27xX3/Xy6IqZVNZBZEF2cYsWyDiKAKUz+I4dIxRnv2rmZscyIpQ6iAs0Iq5y
         qhAONFrVq6cV1wPvveYmzp1jObCdVYzWR3jlDie9DRzL8bL4h6DI4KwFfWBz3Mm4lJ6B
         9uow==
X-Gm-Message-State: APjAAAWsGtxQKTJHVIQ6Gq7XdjCTzd+b2X6pGuU8po7Z0dLYnN82WC+O
        AeCJh2avVPmstDXeeqUZ3VpWSA==
X-Received: by 2002:ac8:1b18:: with SMTP id y24mr19970707qtj.158.1582085086153;
        Tue, 18 Feb 2020 20:04:46 -0800 (PST)
Received: from ovpn-121-44.rdu2.redhat.com (pool-71-184-117-43.bstnma.fios.verizon.net. [71.184.117.43])
        by smtp.gmail.com with ESMTPSA id r6sm323671qtm.63.2020.02.18.20.04.45
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Tue, 18 Feb 2020 20:04:45 -0800 (PST)
From:   Qian Cai <cai@lca.pw>
To:     viro@zeniv.linux.org.uk
Cc:     hch@infradead.org, darrick.wong@oracle.com, elver@google.com,
        linux-xfs@vger.kernel.org, linux-fsdevel@vger.kernel.org,
        linux-kernel@vger.kernel.org, Qian Cai <cai@lca.pw>
Subject: [PATCH] fs: fix a data race in i_size_write/i_size_read
Date:   Tue, 18 Feb 2020 23:04:26 -0500
Message-Id: <20200219040426.1140-1-cai@lca.pw>
X-Mailer: git-send-email 2.21.0 (Apple Git-122.2)
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

inode::i_size could be accessed concurently as noticed by KCSAN,

 BUG: KCSAN: data-race in iomap_do_writepage / iomap_write_end

 write to 0xffff8bf68fc0cac0 of 8 bytes by task 7484 on cpu 71:
  iomap_write_end+0xea/0x530
  i_size_write at include/linux/fs.h:888
  (inlined by) iomap_write_end at fs/iomap/buffered-io.c:782
  iomap_write_actor+0x132/0x200
  iomap_apply+0x245/0x8a5
  iomap_file_buffered_write+0xbd/0xf0
  xfs_file_buffered_aio_write+0x1c2/0x790 [xfs]
  xfs_file_write_iter+0x232/0x2d0 [xfs]
  new_sync_write+0x29c/0x3b0
  __vfs_write+0x92/0xa0
  vfs_write+0x103/0x260
  ksys_write+0x9d/0x130
  __x64_sys_write+0x4c/0x60
  do_syscall_64+0x91/0xb05
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 read to 0xffff8bf68fc0cac0 of 8 bytes by task 5901 on cpu 70:
  iomap_do_writepage+0xf4/0x450
  i_size_read at include/linux/fs.h:866
  (inlined by) iomap_do_writepage at fs/iomap/buffered-io.c:1558
  write_cache_pages+0x523/0xb20
  iomap_writepages+0x47/0x80
  xfs_vm_writepages+0xc7/0x100 [xfs]
  do_writepages+0x5e/0x130
  __writeback_single_inode+0xd5/0xb20
  writeback_sb_inodes+0x429/0x910
  __writeback_inodes_wb+0xc4/0x150
  wb_writeback+0x47b/0x830
  wb_workfn+0x688/0x930
  process_one_work+0x54f/0xb90
  worker_thread+0x80/0x5f0
  kthread+0x1cd/0x1f0
  ret_from_fork+0x27/0x50

 Reported by Kernel Concurrency Sanitizer on:
 CPU: 70 PID: 5901 Comm: kworker/u257:2 Tainted: G             L    5.6.0-rc2-next-20200218+ #2
 Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
 Workqueue: writeback wb_workfn (flush-254:0)

The write is protected by exclusive inode::i_rwsem (in
xfs_file_buffered_aio_write()) but the read is not. A shattered value
could introduce a logic bug. Fixed it using a pair of WRITE/READ_ONCE().

Signed-off-by: Qian Cai <cai@lca.pw>
---
 include/linux/fs.h | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/include/linux/fs.h b/include/linux/fs.h
index 3cd4fe6b845e..25f98da90cf3 100644
--- a/include/linux/fs.h
+++ b/include/linux/fs.h
@@ -863,7 +863,7 @@ static inline loff_t i_size_read(const struct inode *inode)
 	preempt_enable();
 	return i_size;
 #else
-	return inode->i_size;
+	return READ_ONCE(inode->i_size);
 #endif
 }
 
@@ -885,7 +885,7 @@ static inline void i_size_write(struct inode *inode, loff_t i_size)
 	inode->i_size = i_size;
 	preempt_enable();
 #else
-	inode->i_size = i_size;
+	WRITE_ONCE(inode->i_size, i_size);
 #endif
 }
 
-- 
2.21.0 (Apple Git-122.2)