From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Jan Kara, Qian Cai, Theodore Tso, Sasha Levin
Subject: [PATCH 4.14 95/99] jbd2: fix data races at struct journal_head
Date: Thu, 19 Mar 2020 14:04:13 +0100
Message-Id: <20200319124007.604200119@linuxfoundation.org>
In-Reply-To: <20200319123941.630731708@linuxfoundation.org>
References: <20200319123941.630731708@linuxfoundation.org>

From: Qian Cai

[ Upstream commit 6c5d911249290f41f7b50b43344a7520605b1acb ]

journal_head::b_transaction and journal_head::b_next_transaction could
be accessed concurrently as noticed by KCSAN,

 LTP: starting fsync04
 /dev/zero: Can't open blockdev
 EXT4-fs (loop0): mounting ext3 file system using the ext4 subsystem
 EXT4-fs (loop0): mounted filesystem with ordered data mode. Opts: (null)
 ==================================================================
 BUG: KCSAN: data-race in __jbd2_journal_refile_buffer [jbd2] / jbd2_write_access_granted [jbd2]

 write to 0xffff99f9b1bd0e30 of 8 bytes by task 25721 on cpu 70:
  __jbd2_journal_refile_buffer+0xdd/0x210 [jbd2]
  __jbd2_journal_refile_buffer at fs/jbd2/transaction.c:2569
  jbd2_journal_commit_transaction+0x2d15/0x3f20 [jbd2]
  (inlined by) jbd2_journal_commit_transaction at fs/jbd2/commit.c:1034
  kjournald2+0x13b/0x450 [jbd2]
  kthread+0x1cd/0x1f0
  ret_from_fork+0x27/0x50

 read to 0xffff99f9b1bd0e30 of 8 bytes by task 25724 on cpu 68:
  jbd2_write_access_granted+0x1b2/0x250 [jbd2]
  jbd2_write_access_granted at fs/jbd2/transaction.c:1155
  jbd2_journal_get_write_access+0x2c/0x60 [jbd2]
  __ext4_journal_get_write_access+0x50/0x90 [ext4]
  ext4_mb_mark_diskspace_used+0x158/0x620 [ext4]
  ext4_mb_new_blocks+0x54f/0xca0 [ext4]
  ext4_ind_map_blocks+0xc79/0x1b40 [ext4]
  ext4_map_blocks+0x3b4/0x950 [ext4]
  _ext4_get_block+0xfc/0x270 [ext4]
  ext4_get_block+0x3b/0x50 [ext4]
  __block_write_begin_int+0x22e/0xae0
  __block_write_begin+0x39/0x50
  ext4_write_begin+0x388/0xb50 [ext4]
  generic_perform_write+0x15d/0x290
  ext4_buffered_write_iter+0x11f/0x210 [ext4]
  ext4_file_write_iter+0xce/0x9e0 [ext4]
  new_sync_write+0x29c/0x3b0
  __vfs_write+0x92/0xa0
  vfs_write+0x103/0x260
  ksys_write+0x9d/0x130
  __x64_sys_write+0x4c/0x60
  do_syscall_64+0x91/0xb05
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 5 locks held by fsync04/25724:
  #0: ffff99f9911093f8 (sb_writers#13){.+.+}, at: vfs_write+0x21c/0x260
  #1: ffff99f9db4c0348 (&sb->s_type->i_mutex_key#15){+.+.}, at:
 ext4_buffered_write_iter+0x65/0x210 [ext4]
  #2: ffff99f5e7dfcf58 (jbd2_handle){++++}, at: start_this_handle+0x1c1/0x9d0 [jbd2]
  #3: ffff99f9db4c0168 (&ei->i_data_sem){++++}, at: ext4_map_blocks+0x176/0x950 [ext4]
  #4: ffffffff99086b40 (rcu_read_lock){....}, at: jbd2_write_access_granted+0x4e/0x250 [jbd2]
 irq event stamp: 1407125
 hardirqs last enabled at (1407125): [] __find_get_block+0x107/0x790
 hardirqs last disabled at (1407124): [] __find_get_block+0x49/0x790
 softirqs last enabled at (1405528): [] __do_softirq+0x34c/0x57c
 softirqs last disabled at (1405521): [] irq_exit+0xa2/0xc0

 Reported by Kernel Concurrency Sanitizer on:
 CPU: 68 PID: 25724 Comm: fsync04 Tainted: G L 5.6.0-rc2-next-20200221+ #7
 Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019

The plain reads are outside of jh->b_state_lock critical section which result
in data races. Fix them by adding pairs of READ|WRITE_ONCE().

Reviewed-by: Jan Kara
Signed-off-by: Qian Cai
Link: https://lore.kernel.org/r/20200222043111.2227-1-cai@lca.pw
Signed-off-by: Theodore Ts'o
Signed-off-by: Sasha Levin
---
 fs/jbd2/transaction.c | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/fs/jbd2/transaction.c b/fs/jbd2/transaction.c index f2ff141a4479e..a355ca418e788 100644 --- a/fs/jbd2/transaction.c +++ b/fs/jbd2/transaction.c @@ -1050,8 +1050,8 @@ static bool jbd2_write_access_granted(handle_t *handle, struct buffer_head *bh, /* For undo access buffer must have data copied */ if (undo && !jh->b_committed_data) goto out; - if (jh->b_transaction != handle->h_transaction && - jh->b_next_transaction != handle->h_transaction) + if (READ_ONCE(jh->b_transaction) != handle->h_transaction && + READ_ONCE(jh->b_next_transaction) != handle->h_transaction) goto out; /* * There are two reasons for the barrier here: 
@@ -2466,8 +2466,8 @@ void __jbd2_journal_refile_buffer(struct journal_head *jh) * our jh reference and thus __jbd2_journal_file_buffer() must not * take a new one. */ - jh->b_transaction = jh->b_next_transaction; - jh->b_next_transaction = NULL; + WRITE_ONCE(jh->b_transaction, jh->b_next_transaction); + WRITE_ONCE(jh->b_next_transaction, NULL); if (buffer_freed(bh)) jlist = BJ_Forget; else if (jh->b_modified) -- 2.20.1
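
Review bot: In the jbd2_write_access_granted() hunk, the context line "if (undo && !jh->b_committed_data)" directly above the changed condition is still a plain load of a journal_head field on the same path. If this function reads jh outside the lock, as the commit message says, either annotate that load as well or state in the changelog why it cannot race. The two READ_ONCE() loads are also independent of each other, so the condition can combine an old b_transaction with a new b_next_transaction; a short comment saying that such a mismatch only takes the "goto out" branch, and why that is safe, would put the safety argument next to the code.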
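
Review bot: In the __jbd2_journal_refile_buffer() hunk, the two WRITE_ONCE() stores have no ordering between them, so a lockless reader may observe b_next_transaction already NULL while b_transaction still holds its old value. Please add a comment at these two lines naming jbd2_write_access_granted() as the paired READ_ONCE() reader and stating that it tolerates that intermediate state. The inner load of jh->b_next_transaction inside the first WRITE_ONCE() stays plain, which is correct only if every writer of that field is serialized by the lock the commit message refers to; the comment should say so.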