All of lore.kernel.org
 help / color / mirror / Atom feed
* [Race] data race between do_mpage_readpage() and set_blocksize()
@ 2020-11-30 15:41 Gong, Sishuai
  2020-11-30 16:10 ` Matthew Wilcox
  0 siblings, 1 reply; 4+ messages in thread
From: Gong, Sishuai @ 2020-11-30 15:41 UTC (permalink / raw)
  To: viro; +Cc: linux-fsdevel


Hi,

We found a data race in linux kernel 5.3.11 that we are able to reproduce in x86 under specific interleavings. Currently, we are not sure about the consequence of this race so we would like to confirm with the community if this can be a harmful bug.

------------------------------------------
Writer site

/tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/fs/block_dev.c:135
        120
        121  int set_blocksize(struct block_device *bdev, int size)
        122  {
        123      /* Size must be a power of two, and between 512 and PAGE_SIZE */
        124      if (size > PAGE_SIZE || size < 512 || !is_power_of_2(size))
        125          return -EINVAL;
        126
        127      /* Size cannot be smaller than the size supported by the device */
        128      if (size < bdev_logical_block_size(bdev))
        129          return -EINVAL;
        130
        131      /* Don't change the size if it is same as current */
        132      if (bdev->bd_block_size != size) {
        133          sync_blockdev(bdev);
        134          bdev->bd_block_size = size;
 ==>    135          bdev->bd_inode->i_blkbits = blksize_bits(size);
        136          kill_bdev(bdev);
        137      }
        138      return 0;
        139  }

------------------------------------------
Reader site

 /tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/fs/mpage.c:160
        147  /*
        148   * This is the worker routine which does all the work of mapping the disk
        149   * blocks and constructs largest possible bios, submits them for IO if the
        150   * blocks are not contiguous on the disk.
        151   *
        152   * We pass a buffer_head back and forth and use its buffer_mapped() flag to
        153   * represent the validity of its disk mapping and to decide when to do the next
        154   * get_block() call.
        155   */
        156  static struct bio *do_mpage_readpage(struct mpage_readpage_args *args)
        157  {
        158      struct page *page = args->page;
        159      struct inode *inode = page->mapping->host;
 ==>    160      const unsigned blkbits = inode->i_blkbits;
        161      const unsigned blocks_per_page = PAGE_SIZE >> blkbits;
        162      const unsigned blocksize = 1 << blkbits;
        163      struct buffer_head *map_bh = &args->map_bh;
        164      sector_t block_in_file;
        165      sector_t last_block;
        166      sector_t last_block_in_file;
        167      sector_t blocks[MAX_BUF_PER_PAGE];
        168      unsigned page_block;
        169      unsigned first_hole = blocks_per_page;
        170      struct block_device *bdev = NULL;
        171      int length;
        172      int fully_mapped = 1;
        173      int op_flags;
        174      unsigned nblocks;
        175      unsigned relative_block;
        176      gfp_t gfp;
        177
        178      if (args->is_readahead) {
        179          op_flags = REQ_RAHEAD;
        180          gfp = readahead_gfp_mask(page->mapping);


------------------------------------------
Writer calling trace

- ksys_mount
-- do_mount
--- vfs_get_tree
---- mount_bdev
----- sb_min_blocksize
------ sb_set_blocksize
------- set_blocksize

------------------------------------------
Reader calling trace

- ksys_read
-- vfs_read
--- __vfs_read
---- generic_file_read_iter
----- page_cache_sync_readahead
------ force_page_cache_readahead
------- __do_page_cache_readahead
-------- read_pages
--------- mpage_readpages
---------- do_mpage_readpage



Thanks,
Sishuai


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Race] data race between do_mpage_readpage() and set_blocksize()
  2020-11-30 15:41 [Race] data race between do_mpage_readpage() and set_blocksize() Gong, Sishuai
@ 2020-11-30 16:10 ` Matthew Wilcox
  2020-11-30 16:19   ` Christoph Hellwig
  0 siblings, 1 reply; 4+ messages in thread
From: Matthew Wilcox @ 2020-11-30 16:10 UTC (permalink / raw)
  To: Gong, Sishuai; +Cc: viro, linux-fsdevel

On Mon, Nov 30, 2020 at 03:41:53PM +0000, Gong, Sishuai wrote:
> We found a data race in linux kernel 5.3.11 that we are able to reproduce in x86 under specific interleavings. Currently, we are not sure about the consequence of this race so we would like to confirm with the community if this can be a harmful bug.

How are you able to reproduce it?  Normally mpage_readpage() is only called
from a filesystem, and you shouldn't be able to change the size of the
blocks in a block device while there's a mounted filesystem.

> ------------------------------------------
> Writer site
> 
> /tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/fs/block_dev.c:135
>         120
>         121  int set_blocksize(struct block_device *bdev, int size)
>         122  {
>         123      /* Size must be a power of two, and between 512 and PAGE_SIZE */
>         124      if (size > PAGE_SIZE || size < 512 || !is_power_of_2(size))
>         125          return -EINVAL;
>         126
>         127      /* Size cannot be smaller than the size supported by the device */
>         128      if (size < bdev_logical_block_size(bdev))
>         129          return -EINVAL;
>         130
>         131      /* Don't change the size if it is same as current */
>         132      if (bdev->bd_block_size != size) {
>         133          sync_blockdev(bdev);
>         134          bdev->bd_block_size = size;
>  ==>    135          bdev->bd_inode->i_blkbits = blksize_bits(size);
>         136          kill_bdev(bdev);
>         137      }
>         138      return 0;
>         139  }
> 
> ------------------------------------------
> Reader site
> 
>  /tmp/tmp.B7zb7od2zE-5.3.11/extract/linux-5.3.11/fs/mpage.c:160
>         147  /*
>         148   * This is the worker routine which does all the work of mapping the disk
>         149   * blocks and constructs largest possible bios, submits them for IO if the
>         150   * blocks are not contiguous on the disk.
>         151   *
>         152   * We pass a buffer_head back and forth and use its buffer_mapped() flag to
>         153   * represent the validity of its disk mapping and to decide when to do the next
>         154   * get_block() call.
>         155   */
>         156  static struct bio *do_mpage_readpage(struct mpage_readpage_args *args)
>         157  {
>         158      struct page *page = args->page;
>         159      struct inode *inode = page->mapping->host;
>  ==>    160      const unsigned blkbits = inode->i_blkbits;
>         161      const unsigned blocks_per_page = PAGE_SIZE >> blkbits;
>         162      const unsigned blocksize = 1 << blkbits;
>         163      struct buffer_head *map_bh = &args->map_bh;
>         164      sector_t block_in_file;
>         165      sector_t last_block;
>         166      sector_t last_block_in_file;
>         167      sector_t blocks[MAX_BUF_PER_PAGE];
>         168      unsigned page_block;
>         169      unsigned first_hole = blocks_per_page;
>         170      struct block_device *bdev = NULL;
>         171      int length;
>         172      int fully_mapped = 1;
>         173      int op_flags;
>         174      unsigned nblocks;
>         175      unsigned relative_block;
>         176      gfp_t gfp;
>         177
>         178      if (args->is_readahead) {
>         179          op_flags = REQ_RAHEAD;
>         180          gfp = readahead_gfp_mask(page->mapping);
> 
> 
> ------------------------------------------
> Writer calling trace
> 
> - ksys_mount
> -- do_mount
> --- vfs_get_tree
> ---- mount_bdev
> ----- sb_min_blocksize
> ------ sb_set_blocksize
> ------- set_blocksize
> 
> ------------------------------------------
> Reader calling trace
> 
> - ksys_read
> -- vfs_read
> --- __vfs_read
> ---- generic_file_read_iter
> ----- page_cache_sync_readahead
> ------ force_page_cache_readahead
> ------- __do_page_cache_readahead
> -------- read_pages
> --------- mpage_readpages
> ---------- do_mpage_readpage
> 
> 
> 
> Thanks,
> Sishuai
> 

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Race] data race between do_mpage_readpage() and set_blocksize()
  2020-11-30 16:10 ` Matthew Wilcox
@ 2020-11-30 16:19   ` Christoph Hellwig
  2020-11-30 17:00     ` Gong, Sishuai
  0 siblings, 1 reply; 4+ messages in thread
From: Christoph Hellwig @ 2020-11-30 16:19 UTC (permalink / raw)
  To: Matthew Wilcox; +Cc: Gong, Sishuai, viro, linux-fsdevel

On Mon, Nov 30, 2020 at 04:10:42PM +0000, Matthew Wilcox wrote:
> On Mon, Nov 30, 2020 at 03:41:53PM +0000, Gong, Sishuai wrote:
> > We found a data race in linux kernel 5.3.11 that we are able to reproduce in x86 under specific interleavings. Currently, we are not sure about the consequence of this race so we would like to confirm with the community if this can be a harmful bug.
> 
> How are you able to reproduce it?  Normally mpage_readpage() is only called
> from a filesystem, and you shouldn't be able to change the size of the
> blocks in a block device while there's a mounted filesystem.

mpage_readpages was also called by blkdev_readpages.  For current
mainline s/readpages/readahead/ but the effect should be the same.

^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [Race] data race between do_mpage_readpage() and set_blocksize()
  2020-11-30 16:19   ` Christoph Hellwig
@ 2020-11-30 17:00     ` Gong, Sishuai
  0 siblings, 0 replies; 4+ messages in thread
From: Gong, Sishuai @ 2020-11-30 17:00 UTC (permalink / raw)
  To: Matthew Wilcox; +Cc: Christoph Hellwig, viro, linux-fsdevel

We describe our reproducing workflow as following:

- Test input
We run 2 kernel test inputs in 2 kernel threads concurrently. They are generated by Syzkaller and attached below.

- Schedule execution
To schedule the execution of 2 threads, we leverage an academic research tool called SKI.
In general, we added a big big delay after the read access from do_mpage_readpage() happens and then we monitor if the write access from set_blocksize()  also hits the same memory resource.


Test input 1
r0 = socket$inet6_udplite(0xa, 0x2, 0x88)
sendmmsg$inet6(r0, &(0x7f0000000980)=[{{&(0x7f0000000100)={0xa, 0x4e23, 0x0, @dev}, 0x1c, &(0x7f0000000880)=[{&(0x7f0000000140)='.', 0x1}, {&(0x7f0000000200)="18", 0x1}], 0x2, &(0x7f0000000940)=[@flowinfo={{0x14, 0x29, 0xb, 0x85e}}], 0x18}}], 0x1, 0x0)
sishuai@rssys-server:/data1/sishuai/experiment/test/corpus/test$ cat 14044
syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000100)='./file0\x00', 0x100000, 0x19, &(0x7f0000000200)=[{&(0x7f0000010000)="200000000002000019000000900100000f000000000000000100000005000000000004000040000020000000dbf4655fdbf4655f0100ffff53ef010001000000daf4655f000000000000000001000000000000000b0000000001000018000000c28500002b0200000000000000000000000000000000000073797a6b616c6c6572000000000000002f746d702f73797a2d696d61676567656e32323330373039383000"/192, 0xc0, 0x400}, {&(0x7f0000010100)="000000000000000000000000e8f7d2e8feeb4bf889ba053b02420ff8010040000c00000000000000daf4655f00"/64, 0x40, 0x4e0}, {&(0x7f0000010200)="00000000000000000000000000000000000000000000000000000000200020000100000000000500400000000000000000000000000000004300000000000000", 0x40, 0x540}, {&(0x7f0000010300)="02000000030000000400000019000f0003000400"/32, 0x20, 0x800}, {&(0x7f0000010400)="7f000000ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0100ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff0000000000000000daf4655fdaf4655fdaf4655f00"/4128, 0x1020, 0x1000}, {&(0x7f0000011500)="ed41000000080000daf4655fdbf4655fdbf4655f00000000000004004000000000000800050000000af301000400000000000000000000000100000010000000", 0x40, 0x2100}, {&(0x7f0000011600)="20000000641e8ebf641e8ebf00000000daf4655f00"/32, 0x20, 0x2180}, {&(0x7f0000011700)="8081000000601020daf4655fdaf4655fdaf4655f00000000000001004000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000030000000000000000000000000000000000000000000000000000000000000000000000020000000000000000000000000000000daf4655f00"/160, 0xa0, 0x2600}, {&(0x7f0000011800)="c041000000380000daf4655fdaf4655fdaf4655f00000000000002004000000000000800000000000af301000400000000000000000000000700000020000000", 0x40, 0x2a00}, {&(0x7f0000011900)="20000000000000000000000000000000daf4655f000000000000000000000000000002ea00"/64, 0x40, 0x2a80}, {&(0x7f0000011a00)="ed4100003c000000dbf4655fdbf4655fdbf4655f0000000000000200000000000000001003000000020000000d0000001000050166696c65300000000e0000002800050766696c6531000000000000000000000000000000000000000000000000000000904a5ec200000000000000000000000000000000000000000000000020000000641e8ebf641e8ebf641e8ebfdbf4655f641e8ebf0000000000000000000002ea04070000000000000000000000000000646174610000000000000000", 0xc0, 0x2b00}, {&(0x7f0000011b00)="ed8100001a040000dbf4655fdbf4655fdbf4655f00000000000001004000000000000800010000000af30100040000000000000000000000010000005000000000000000000000000000000000000000000000000000000000000000000000000000000046b58a6000000000000000000000000000000000000000000000000020000000641e8ebf641e8ebf641e8ebfdbf4655f641e8ebf0000000000000000", 0xa0, 0x2c00}, {&(0x7f0000011c00)="ffa1000026000000dbf4655fdbf4655fdbf4655f00000000000001000000000000000000010000002f746d702f73797a2d696d61676567656e3232333037303938302f66696c65302f66696c65300000000000000000000000000000000000000000000029d1c2e100000000000000000000000000000000000000000000000020000000641e8ebf641e8ebf641e8ebfdbf4655f641e8ebf0000000000000000", 0xa0, 0x2d00}, {&(0x7f0000011d00)="ed8100000a000000dbf4655fdbf4655fdbf4655f000000000000010000000000000000100100000073797a6b616c6c6572730000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000bae0739c00000000000000000000000000000000000000000000000020000000641e8ebf641e8ebf641e8ebfdbf4655f641e8ebf0000000000000000000002ea040700000000000000000000000000006461746106015400000000000600000000000000786174747231000006014c000000000006000000000000007861747472320000000000000000000078617474723200007861747472310000ed81000028230000dbf4655fdbf4655fdbf4655f00000000000002004000000000000800010000000af3010004000000000000000000000005000000600000000000000000000000000000000000000000000000000000000000000000000000000000005162155f00000000000000000000000000000000000000000000000020000000641e8ebf641e8ebf641e8ebfdbf4655f641e8ebf0000000000000000", 0x1a0, 0x2e00}, {&(0x7f0000011f00)="ed81000064000000dbf4655fdbf4655fdbf4655f000000000000010000000000000000100100000073797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616cb822423400000000000000000000000000000000000000000000000020000000641e8ebf641e8ebf641e8ebfdbf4655f641e8ebf0000000000000000000002ea040734000000000028000000000000006461746100000000000000000000000000000000000000000000000000000000000000006c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273797a6b616c6c657273", 0x100, 0x3000}, {&(0x7f0000012000)="020000000c0001022e000000020000000c0002022e2e00000b00000014000a026c6f73742b666f756e6400000c0000001000050266696c65300000000f0000001000050166696c6531000000100000001000050166696c6532000000100000001000050166696c6533000000110000009407090166696c652e636f6c64000000", 0x80, 0x8000}, {&(0x7f0000012100)="0b0000000c0001022e000000020000000c0002022e2e000000000000e8070000", 0x20, 0x10000}, {&(0x7f0000012200)='\x00\x00\x00\x00\x00\b\x00'/32, 0x20, 0x10800}, {&(0x7f0000012300)='\x00\x00\x00\x00\x00\b\x00'/32, 0x20, 0x11000}, {&(0x7f0000012400)='\x00\x00\x00\x00\x00\b\x00'/32, 0x20, 0x11800}, {&(0x7f0000012500)='\x00\x00\x00\x00\x00\b\x00'/32, 0x20, 0x12000}, {&(0x7f0000012600)='\x00\x00\x00\x00\x00\b\x00'/32, 0x20, 0x12800}, {&(0x7f0000012700)='\x00\x00\x00\x00\x00\b\x00'/32, 0x20, 0x13000}, {&(0x7f0000012800)="504d4d00504d4dffdbf4655f00000000647679756b6f762d676c6170746f70320000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000006c6f6f7033320075782f746573742f73797a5f6d6f756e745f696d6167655f650500"/128, 0x80, 0x20000}, {&(0x7f0000012900)='syzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkallersyzkal\x00\x00\x00\x00\x00\x00', 0x420, 0x28000}], 0x0, &(0x7f0000012e00))


Test input 2
r0 = perf_event_open(&(0x7f0000000000)={0x0, 0x70, 0x3, 0x0, 0x0, 0x0, 0x0, 0xffffffff, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, 0x0, @perf_config_ext}, 0x0, 0xffffffffffffffff, 0xffffffffffffffff, 0x0)
ioctl$PERF_EVENT_IOC_PERIOD(r0, 0x40082404, &(0x7f0000000080)=0x40)
syz_mount_image$ext4(&(0x7f0000000000)='ext4\x00', &(0x7f0000000100)='./file0\x00', 0x200000, 0x4, &(0x7f0000000200)=[{&(0x7f0000010000)="200000000002000019000000900100000f000000000000000200000006000000000008000080000020000000d6f4655fd6f4655f0100ffff53ef010001000000d5f4655f000000000000000001000000000000000b0000000001000018000000c28500002b02", 0x66, 0x400}, {&(0x7f0000010100)="00000000000000000000000028305c8a835f4f4da440baa59e2884cb010040", 0x1f, 0x4e0}, {&(0x7f0000010300)="020000000300000004", 0x9, 0x1000}, {&(0x7f0000012500)="ed41000000100000d5f4655fd6f4655f33f4655f000000000000040080000000f9ff", 0x22, 0x4100}], 0x1000085, &(0x7f0000000080)=ANY=[@ANYBLOB='\x00'])
umount2(&(0x7f0000000040)='./file0\x00', 0x0)


Thanks,
Sishuai

> On Nov 30, 2020, at 11:19 AM, Christoph Hellwig <hch@infradead.org> wrote:
> 
> On Mon, Nov 30, 2020 at 04:10:42PM +0000, Matthew Wilcox wrote:
>> On Mon, Nov 30, 2020 at 03:41:53PM +0000, Gong, Sishuai wrote:
>>> We found a data race in linux kernel 5.3.11 that we are able to reproduce in x86 under specific interleavings. Currently, we are not sure about the consequence of this race so we would like to confirm with the community if this can be a harmful bug.
>> 
>> How are you able to reproduce it?  Normally mpage_readpage() is only called
>> from a filesystem, and you shouldn't be able to change the size of the
>> blocks in a block device while there's a mounted filesystem.
> 
> mpage_readpages was also called by blkdev_readpages.  For current
> mainline s/readpages/readahead/ but the effect should be the same.


^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2020-11-30 17:01 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-11-30 15:41 [Race] data race between do_mpage_readpage() and set_blocksize() Gong, Sishuai
2020-11-30 16:10 ` Matthew Wilcox
2020-11-30 16:19   ` Christoph Hellwig
2020-11-30 17:00     ` Gong, Sishuai

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.