From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Qian Cai <cai@lca.pw>,
	Theodore Tso <tytso@mit.edu>,
	stable@kernel.org
Subject: [PATCH 4.4 101/113] ext4: fix a data race in EXT4_I(inode)->i_disksize
Date: Thu, 27 Feb 2020 14:36:57 +0100
Message-ID: <20200227132227.934472019@linuxfoundation.org>
In-Reply-To: <20200227132211.791484803@linuxfoundation.org>

From: Qian Cai <cai@lca.pw>

commit 35df4299a6487f323b0aca120ea3f485dfee2ae3 upstream.

EXT4_I(inode)->i_disksize could be accessed concurrently as noticed by
KCSAN,

 BUG: KCSAN: data-race in ext4_write_end [ext4] / ext4_writepages [ext4]

 write to 0xffff91c6713b00f8 of 8 bytes by task 49268 on cpu 127:
  ext4_write_end+0x4e3/0x750 [ext4]
  ext4_update_i_disksize at fs/ext4/ext4.h:3032
  (inlined by) ext4_update_inode_size at fs/ext4/ext4.h:3046
  (inlined by) ext4_write_end at fs/ext4/inode.c:1287
  generic_perform_write+0x208/0x2a0
  ext4_buffered_write_iter+0x11f/0x210 [ext4]
  ext4_file_write_iter+0xce/0x9e0 [ext4]
  new_sync_write+0x29c/0x3b0
  __vfs_write+0x92/0xa0
  vfs_write+0x103/0x260
  ksys_write+0x9d/0x130
  __x64_sys_write+0x4c/0x60
  do_syscall_64+0x91/0xb47
  entry_SYSCALL_64_after_hwframe+0x49/0xbe

 read to 0xffff91c6713b00f8 of 8 bytes by task 24872 on cpu 37:
  ext4_writepages+0x10ac/0x1d00 [ext4]
  mpage_map_and_submit_extent at fs/ext4/inode.c:2468
  (inlined by) ext4_writepages at fs/ext4/inode.c:2772
  do_writepages+0x5e/0x130
  __writeback_single_inode+0xeb/0xb20
  writeback_sb_inodes+0x429/0x900
  __writeback_inodes_wb+0xc4/0x150
  wb_writeback+0x4bd/0x870
  wb_workfn+0x6b4/0x960
  process_one_work+0x54c/0xbe0
  worker_thread+0x80/0x650
  kthread+0x1e0/0x200
  ret_from_fork+0x27/0x50

 Reported by Kernel Concurrency Sanitizer on:
 CPU: 37 PID: 24872 Comm: kworker/u261:2 Tainted: G        W  O L 5.5.0-next-20200204+ #5
 Hardware name: HPE ProLiant DL385 Gen10/ProLiant DL385 Gen10, BIOS A40 07/10/2019
 Workqueue: writeback wb_workfn (flush-7:0)

Since only the read is operating as lockless (outside of the
"i_data_sem"), load tearing could introduce a logic bug. Fix it by
adding READ_ONCE() for the read and WRITE_ONCE() for the write.

Signed-off-by: Qian Cai <cai@lca.pw>
Link: https://lore.kernel.org/r/1581085751-31793-1-git-send-email-cai@lca.pw
Signed-off-by: Theodore Ts'o <tytso@mit.edu>
Cc: stable@kernel.org
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 fs/ext4/ext4.h  |    2 +-
 fs/ext4/inode.c |    2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

--- a/fs/ext4/ext4.h
+++ b/fs/ext4/ext4.h
@@ -2851,7 +2851,7 @@ static inline void ext4_update_i_disksiz
 		     !mutex_is_locked(&inode->i_mutex));
 	down_write(&EXT4_I(inode)->i_data_sem);
 	if (newsize > EXT4_I(inode)->i_disksize)
-		EXT4_I(inode)->i_disksize = newsize;
+		WRITE_ONCE(EXT4_I(inode)->i_disksize, newsize);
 	up_write(&EXT4_I(inode)->i_data_sem);
 }
 
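Review bot: In ext4_update_i_disksize() the new WRITE_ONCE() sits between down_write() and up_write() on i_data_sem, so nothing at this site explains why a marked store is needed while the semaphore is held for write. A short comment saying it pairs with the lockless READ_ONCE() of i_disksize in fs/ext4/inode.c would keep a later cleanup from turning it back into a plain assignment. The unmarked read in `if (newsize > EXT4_I(inode)->i_disksize)` can stay as it is, given the commit message's statement that only the read side runs outside i_data_sem.
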
--- a/fs/ext4/inode.c
+++ b/fs/ext4/inode.c
@@ -2320,7 +2320,7 @@ update_disksize:
 	 * truncate are avoided by checking i_size under i_data_sem.
 	 */
 	disksize = ((loff_t)mpd->first_page) << PAGE_CACHE_SHIFT;
-	if (disksize > EXT4_I(inode)->i_disksize) {
+	if (disksize > READ_ONCE(EXT4_I(inode)->i_disksize)) {
 		int err2;
 		loff_t i_size;
 
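Review bot: The READ_ONCE() in the `if (disksize > ...)` test only guarantees an untorn load; the value can already be stale by the time the branch body runs, so this comparison is a hint and the update still has to be re-validated under i_data_sem. The context comment ends with "truncate are avoided by checking i_size under i_data_sem", but that recheck lies outside the visible lines, so it is worth confirming it is present in the 4.4 code this hunk applies to. A comment naming the WRITE_ONCE() in ext4_update_i_disksize() as the paired store would also help, along with a check that no other read of i_disksize outside i_data_sem was left unmarked.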


