Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp3729065ybz;
        Mon, 4 May 2020 08:37:40 -0700 (PDT)
X-Google-Smtp-Source: APiQypIcc+UZdLr3Ma3H+NO55GNtKgdx+nhk+h+c1gLC2klLZ73zEEi/KQfyX6+u9dB3LfK4pZTH
X-Received: by 2002:aa7:c3c2:: with SMTP id l2mr15327409edr.362.1588606660086;
        Mon, 04 May 2020 08:37:40 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1588606660; cv=none;
        d=google.com; s=arc-20160816;
        b=ysQd7KXdvgjjp1KxhCQMx5nChCvF1riunQjqebFHWq5yzb/ZWyfb+tfMumnqRnZUcO
         mIG9/cBWuetbQXIHN8fO+WvfjAYH4R6MTa5bbY4YU5vJ6LP2YENH2BpOOIb1ONNTsXJN
         IHDdPefJHcYKGA/8rZQ3TA2/0fDd/dKFweDxK9zhZB6uL0CQ1RYI3N77mAxnlcCOQLn6
         RW8QurtRsdyqhORes0iyIphffs4qgxR0bt5GE/V5eeIK+xFhrlM8F65aYf2iXQ00kTjg
         f4wTErIgDKdgVGrq4W3X5r5dEMKlpFx/bYn4b+9asAXr9z4Ynvgt04xkzYuZr77qvq61
         RQZQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=6x/gkPpdUu5ZmCBu+qA+TYPM/TczyqfC7nUcr3D0L1k=;
        b=TIXHfMaImg59cNC1VvDDZ8VrHVKYBMxb2TR+EIQGe9Ro3HFHmsLDctDf+8kaY8UwHs
         vq4iFx7TZyrQ+DVv2/3DK1kXS3ZgA1f5v1tKNcbQ6Z5sDt6aM0xyP1JV/yWp35vLt0Ac
         inKadTJO8lUti89JtvUOZnLBzN+mCc6Lc0LAnfFJKHmngLolS11wDY0aeyzqn9dn5lpH
         Co1E0/12IrxgUTvp+kHiyggG0rdGkfDJvY3QKGdgtarJFWViXSz1sVhQ2HSCLX7e7Hkl
         2HOPV8ZWYk5ZsZimvCGxH0+YkH+7LxKKzTQ19Kk+WknfzuH2lI2VoHNymFa4hXczC3Dq
         CW5Q==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XTPPH0DQ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id i13si6914704ejh.439.2020.05.04.08.37.11;
        Mon, 04 May 2020 08:37:40 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=XTPPH0DQ;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729317AbgEDPcK (ORCPT <rfc822;austinkernel.kim@gmail.com>
        + 99 others); Mon, 4 May 2020 11:32:10 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33618 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-FAIL-OK-FAIL)
        by vger.kernel.org with ESMTP id S1726908AbgEDPcK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 4 May 2020 11:32:10 -0400
Received: from mail-pg1-x542.google.com (mail-pg1-x542.google.com [IPv6:2607:f8b0:4864:20::542])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 67573C061A0E
        for <linux-kernel@vger.kernel.org>; Mon,  4 May 2020 08:32:10 -0700 (PDT)
Received: by mail-pg1-x542.google.com with SMTP id j21so612087pgb.7
        for <linux-kernel@vger.kernel.org>; Mon, 04 May 2020 08:32:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id;
        bh=6x/gkPpdUu5ZmCBu+qA+TYPM/TczyqfC7nUcr3D0L1k=;
        b=XTPPH0DQ0On3AJBqn12M+3nev/cwzx+gz00/YUky/lwUu6RbphgQjtpuZlqjH+XaM4
         bEuVcKAZ+5bOsrtkY77Qm+ZWBkSphxa2KPb152eY5jVMtuw1YKMSEamDWLtZ0IDLhufE
         /OxOfjLf7XzKtQLjPznBqcoGl3UONq7vS1j08DscuQ81NvDYIZTqEfUrcOU5C6O2mn7u
         OpKYoC1AH3D56+CBzrWckRFAyTN4JeAv4Ai98hs9+F1WJHmsh4O7oczY+T3GQJeJZk0F
         MuOsgUt2KOWnAUbAMxlsaFmUS/F2UmOsjYzyfnirTebXu9aFgen9wcwbzIl1JrrXQJoH
         KI/Q==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id;
        bh=6x/gkPpdUu5ZmCBu+qA+TYPM/TczyqfC7nUcr3D0L1k=;
        b=s8abxsUO8a94CRltpKpEAp+5zuE1G2a08eS3AIfxybzcGW95i+vxEjfihvLgyjd0ux
         f2J96og2lA7SPcAFBzFL187q7bVCYH34bSu8IoZ51v2Ydthquis0EncU6+le3HdPNmA0
         Q1trsrr4Yy+5zR0NQlDyHAdvLZMxmUb2FcWzYjYD84OhWfBZSMyK89n8BsLrr/10V/SL
         qBm0jUIyF+k482IBmRc3BRMLa6F80+blXhYSyvJKaQBWUf2y5YzQxaFqHMXD3PJFqFiv
         2/4BzLu8DQUhb0xafcZDsuqIg3oQFj2gLbc8hG3YrmIcceMW0TMXtL9dZY3avQjy0I71
         SblQ==
X-Gm-Message-State: AGi0PubX2mNd5NLJRW21k+NmGVvtdt7f24pKa3LWUzotpqFGd5Shvoy0
        Rg3s5oMurTnFD2QWr37KCYc=
X-Received: by 2002:a63:a043:: with SMTP id u3mr16617563pgn.287.1588606329912;
        Mon, 04 May 2020 08:32:09 -0700 (PDT)
Received: from localhost.localdomain ([120.244.110.63])
        by smtp.gmail.com with ESMTPSA id l137sm9226518pfd.107.2020.05.04.08.32.06
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Mon, 04 May 2020 08:32:09 -0700 (PDT)
From:   Jia-Ju Bai <baijiaju1990@gmail.com>
To:     shaggy@kernel.org
Cc:     jfs-discussion@lists.sourceforge.net, linux-kernel@vger.kernel.org,
        Jia-Ju Bai <baijiaju1990@gmail.com>
Subject: [PATCH] fs: jfs: fix a possible data race in metapage_writepage()
Date:   Mon,  4 May 2020 23:31:38 +0800
Message-Id: <20200504153138.13464-1-baijiaju1990@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

The functions metapage_writepage() and lmPostGC() can be concurrently 
executed in the following call contexts:

Thread1:
  metapage_writepage()

Thread2:
  lbmIODone()
    lmPostGC()

In metapage_writepage():
  if (mp->log && !(mp->log->cflag & logGC_PAGEOUT))

In lmPostGC():
  spin_lock_irqsave(&log->gclock, flags);
  ...
  log->cflag &= ~logGC_PAGEOUT
  ...
  spin_unlock_irqrestore(&log->gclock, flags);

The memory addresses of mp->log->cflag and log->cflag can be identical,
and thus a data race can occur.

To fix this data race, the spinlock mp->log->gclock is used in
metapage_writepage().

This data race is found by our concurrency fuzzer.

Signed-off-by: Jia-Ju Bai <baijiaju1990@gmail.com>
---
 fs/jfs/jfs_metapage.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/fs/jfs/jfs_metapage.c b/fs/jfs/jfs_metapage.c
index a2f5338a5ea1..026c11b2572d 100644
--- a/fs/jfs/jfs_metapage.c
+++ b/fs/jfs/jfs_metapage.c
@@ -351,6 +351,7 @@ static int metapage_writepage(struct page *page, struct writeback_control *wbc)
 	unsigned long bio_offset = 0;
 	int offset;
 	int bad_blocks = 0;
+	uint cflag;
 
 	page_start = (sector_t)page->index <<
 		     (PAGE_SHIFT - inode->i_blkbits);
@@ -370,8 +371,14 @@ static int metapage_writepage(struct page *page, struct writeback_control *wbc)
 			 * Make sure this page isn't blocked indefinitely.
 			 * If the journal isn't undergoing I/O, push it
 			 */
-			if (mp->log && !(mp->log->cflag & logGC_PAGEOUT))
-				jfs_flush_journal(mp->log, 0);
+
+			if (mp->log) {
+				spin_lock_irq(&mp->log->gclock);
+				cflag = mp->log->cflag;
+				spin_unlock_irq(&mp->log->gclock);
+				if (!(cflag & logGC_PAGEOUT))
+					jfs_flush_journal(mp->log, 0);
+			}
 			continue;
 		}
 
-- 
2.17.1