Message-Id: <20241104064857.295818-1-danielyangkang@gmail.com>
Date: Sun, 3 Nov 2024 22:48:57 -0800
From: Daniel Yang <danielyangkang@...il.com>
To: "Theodore Ts'o" <tytso@....edu>,
Andreas Dilger <adilger.kernel@...ger.ca>,
linux-ext4@...r.kernel.org (open list:EXT4 FILE SYSTEM),
linux-kernel@...r.kernel.org (open list)
Cc: Daniel Yang <danielyangkang@...il.com>,
syzbot+a388a53633c9a4e9b22e@...kaller.appspotmail.com
Subject: [PATCH] fix: KCSAN data-race in ext4_buffered_write_iter()
In ext4_buffered_write_iter(), generic_write_sync() is being called at
the same time by two different CPUs. This causes a data-race for
inode->i_state. To prevent this, make generic_write_sync() a critical
section in ext4_buffered_write_iter(). Use mutex to allow preemption so
other CPU is not blocked while waiting.
Signed-off-by: Daniel Yang <danielyangkang@...il.com>
Reported-by: syzbot+a388a53633c9a4e9b22e@...kaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a388a53633c9a4e9b22e
---
fs/ext4/file.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index f14aed14b..ce1251d3b 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -19,6 +19,7 @@
* (jj@...site.ms.mff.cuni.cz)
*/
+#include "linux/mutex.h"
#include <linux/time.h>
#include <linux/fs.h>
#include <linux/iomap.h>
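Review bot: The new include on the first added line uses the quoted form, "linux/mutex.h", while every neighbouring include in this hunk uses angle brackets. Kernel headers under include/linux are included as `#include <linux/mutex.h>`, and the line would sit better among the existing <linux/...> includes than ahead of them.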
@@ -282,6 +283,9 @@ static ssize_t ext4_write_checks(struct kiocb *iocb, struct iov_iter *from)
return count;
}
+/* lock for critical section of generic_write_sync */
+static DEFINE_MUTEX(write_sync_lock);
+
static ssize_t ext4_buffered_write_iter(struct kiocb *iocb,
struct iov_iter *from)
{
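Review bot: write_sync_lock is a single file-scope mutex, so it is shared by every inode on every mounted ext4 filesystem, while the commit message places the race on inode->i_state, which is per-inode data. A writer syncing one file would now wait for unrelated files' syncs. If a lock is the right fix, it should be scoped to the inode whose state is being protected, and the comment above DEFINE_MUTEX should name the data the lock guards (i_state) rather than the function it wraps.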
@@ -302,7 +306,13 @@ static ssize_t ext4_buffered_write_iter(struct kiocb *iocb,
inode_unlock(inode);
if (unlikely(ret <= 0))
return ret;
- return generic_write_sync(iocb, ret);
+
+ /* prevent read-write data race */
+ mutex_lock(&write_sync_lock);
+ ret = generic_write_sync(iocb, ret);
+ mutex_unlock(&write_sync_lock);
+
+ return ret;
}
static ssize_t ext4_handle_inode_extension(struct inode *inode, loff_t offset,
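Review bot: The mutex is held across the whole generic_write_sync() call, right after inode_unlock(inode) drops the per-inode lock, and it is taken only at this one call site. Any other path that reads or writes inode->i_state does not take write_sync_lock, so the access KCSAN flagged is only serialized against other buffered writers in this function. Wrapping a sleeping sync in a global lock also means one slow sync stalls all others. The changelog should identify the exact i_state read and write from the syzbot report, and the fix should either protect both sides with the same per-inode lock or, if the race is benign, annotate the access instead. The comment "prevent read-write data race" should say which field is racing.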
--
2.39.2