From patchwork Sat May 9 05:20:01 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jia-Ju Bai
X-Patchwork-Id: 11537971
From: Jia-Ju Bai
To: clm@fb.com, josef@toxicpanda.com, dsterba@suse.com
Cc: linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH 1/4] fs: btrfs: fix a data race in btrfs_block_group_done()
Date: Sat, 9 May 2020 13:20:01 +0800
Message-Id: <20200509052001.2298-1-baijiaju1990@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-btrfs@vger.kernel.org

The functions btrfs_block_group_done() and caching_thread() are
concurrently executed at runtime in the following call contexts:

Thread 1:
  btrfs_sync_file()
    start_ordered_ops()
      btrfs_fdatawrite_range()
        btrfs_writepages() [via function pointer]
          extent_writepages()
            extent_write_cache_pages()
              __extent_writepage()
                writepage_delalloc()
                  btrfs_run_delalloc_range()
                    cow_file_range()
                      btrfs_reserve_extent()
                        find_free_extent()
                          btrfs_block_group_done()

Thread 2:
  caching_thread()

In btrfs_block_group_done():
  smp_mb();
  return cache->cached == BTRFS_CACHE_FINISHED ||
         cache->cached == BTRFS_CACHE_ERROR;

In caching_thread():
  spin_lock(&block_group->lock);
  block_group->caching_ctl = NULL;
  block_group->cached = ret ? BTRFS_CACHE_ERROR : BTRFS_CACHE_FINISHED;
  spin_unlock(&block_group->lock);

The values cache->cached and block_group->cached access the same memory,
and thus a data race can occur.
This data race was found and actually reproduced by our concurrency
fuzzer.

To fix this race, the spinlock cache->lock is used to protect the
access to cache->cached in btrfs_block_group_done().

Signed-off-by: Jia-Ju Bai
---
 fs/btrfs/block-group.h | 8 ++++++--
 1 file changed, 6 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/block-group.h b/fs/btrfs/block-group.h index 107bb557ca8d..fb5f12acea40 100644 --- a/fs/btrfs/block-group.h +++ b/fs/btrfs/block-group.h 
@@ -278,9 +278,13 @@ static inline u64 btrfs_system_alloc_profile(struct btrfs_fs_info *fs_info) static inline int btrfs_block_group_done(struct btrfs_block_group *cache) { + int flag; smp_mb(); - return cache->cached == BTRFS_CACHE_FINISHED || - cache->cached == BTRFS_CACHE_ERROR; + spin_lock(&cache->lock); + flag = (cache->cached == BTRFS_CACHE_FINISHED || + cache->cached == BTRFS_CACHE_ERROR); + spin_unlock(&cache->lock); + return flag; } #ifdef CONFIG_BTRFS_FS_RUN_SANITY_TESTS

From patchwork Sat May 9 05:27:01 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jia-Ju Bai
X-Patchwork-Id: 11537973
From: Jia-Ju Bai
To: clm@fb.com, josef@toxicpanda.com, dsterba@suse.com
Cc: linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH 2/4] fs: btrfs: fix data races in extent_write_cache_pages()
Date: Sat, 9 May 2020 13:27:01 +0800
Message-Id: <20200509052701.3156-1-baijiaju1990@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-btrfs@vger.kernel.org

The function extent_write_cache_pages is concurrently executed with
itself at runtime in the following call contexts:

Thread 1:
  btrfs_sync_file()
    start_ordered_ops()
      btrfs_fdatawrite_range()
        btrfs_writepages() [via function pointer]
          extent_writepages()
            extent_write_cache_pages()

Thread 2:
  btrfs_writepages()
    extent_writepages()
      extent_write_cache_pages()

In extent_write_cache_pages():
  index = mapping->writeback_index;
  ...
  mapping->writeback_index = done_index;

The accesses to mapping->writeback_index are not synchronized, and thus
data races for this value can occur.
These data races were found and actually reproduced by our concurrency
fuzzer.

To fix these races, the spinlock mapping->private_lock is used to
protect the accesses to mapping->writeback_index.

Signed-off-by: Jia-Ju Bai
---
 fs/btrfs/extent_io.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/fs/btrfs/extent_io.c b/fs/btrfs/extent_io.c index 39e45b8a5031..8c33a60bde1d 100644 --- a/fs/btrfs/extent_io.c +++ b/fs/btrfs/extent_io.c @@ -4160,7 +4160,9 @@ static int extent_write_cache_pages(struct address_space *mapping, pagevec_init(&pvec); if (wbc->range_cyclic) { + spin_lock(&mapping->private_lock); index = mapping->writeback_index; /* Start from prev offset */ + spin_unlock(&mapping->private_lock); end = -1; /* * Start from the beginning does not need to cycle over the 
@@ -4271,8 +4273,11 @@ static int extent_write_cache_pages(struct address_space *mapping, goto retry; } - if (wbc->range_cyclic || (wbc->nr_to_write > 0 && range_whole)) + if (wbc->range_cyclic || (wbc->nr_to_write > 0 && range_whole)) { + spin_lock(&mapping->private_lock); mapping->writeback_index = done_index; + spin_unlock(&mapping->private_lock); + } btrfs_add_delayed_iput(inode); return ret;

From patchwork Sat May 9 05:29:07 2020
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Jia-Ju Bai
X-Patchwork-Id: 11537975
From: Jia-Ju Bai
To: clm@fb.com, josef@toxicpanda.com, dsterba@suse.com
Cc: linux-btrfs@vger.kernel.org, linux-kernel@vger.kernel.org, Jia-Ju Bai
Subject: [PATCH 3/4] fs: btrfs: fix data races in start_transaction()
Date: Sat, 9 May 2020 13:29:07 +0800
Message-Id: <20200509052907.3324-1-baijiaju1990@gmail.com>
X-Mailer: git-send-email 2.17.1
Sender: linux-btrfs-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-btrfs@vger.kernel.org

The functions start_transaction() and btrfs_update_delayed_refs_rsv()
are concurrently executed at runtime in the following call contexts:

Thread 1:
  btrfs_sync_file()
    btrfs_start_transaction()
      start_transaction()

Thread 2:
  finish_ordered_fn()
    btrfs_finish_ordered_io()
      insert_reserved_file_extent()
        __btrfs_drop_extents()
          btrfs_free_extent()
            btrfs_add_delayed_data_ref()
              btrfs_update_delayed_refs_rsv()

In start_transaction():
  if (delayed_refs_rsv->full == 0)
  ...
  else if (... && !delayed_refs_rsv->full)

In btrfs_update_delayed_refs_rsv():
  spin_lock(&delayed_rsv->lock);
  delayed_rsv->size += num_bytes;
  delayed_rsv->full = 0;
  spin_unlock(&delayed_rsv->lock);

The values delayed_refs_rsv->full and delayed_rsv->full access the same
memory, and these data races can occur.
These data races were found and actually reproduced by our concurrency
fuzzer.

To fix these races, the spinlock delayed_refs_rsv->lock is used to
protect the access to delayed_refs_rsv->full in start_transaction().

Signed-off-by: Jia-Ju Bai
---
 fs/btrfs/transaction.c | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/fs/btrfs/transaction.c b/fs/btrfs/transaction.c index 8cede6eb9843..ca38d7cf665d 100644 --- a/fs/btrfs/transaction.c +++ b/fs/btrfs/transaction.c @@ -524,6 +524,7 @@ start_transaction(struct btrfs_root *root, unsigned int num_items, u64 qgroup_reserved = 0; bool reloc_reserved = false; int ret; + unsigned short full = 0; /* Send isn't supposed to start transactions. */ ASSERT(current->journal_info != BTRFS_SEND_TRANS_STUB); 
@@ -541,6 +542,10 @@ start_transaction(struct btrfs_root *root, unsigned int num_items, goto got_it; } + spin_lock(&delayed_refs_rsv->lock); + full = delayed_refs_rsv->full; + spin_unlock(&delayed_refs_rsv->lock); + /* * Do the reservation before we join the transaction so we can do all * the appropriate flushing if need be. @@ -563,7 +568,7 @@ start_transaction(struct btrfs_root *root, unsigned int num_items, * refill that amount for whatever is missing in the reserve. */ num_bytes = btrfs_calc_insert_metadata_size(fs_info, num_items); - if (delayed_refs_rsv->full == 0) { + if (full == 0) { delayed_refs_bytes = num_bytes; num_bytes <<= 1; } @@ -585,7 +590,7 @@ start_transaction(struct btrfs_root *root, unsigned int num_items, num_bytes -= delayed_refs_bytes; } } else if (num_items == 0 && flush == BTRFS_RESERVE_FLUSH_ALL && - !delayed_refs_rsv->full) { + !full) { /* * Some people call with btrfs_start_transaction(root, 0) * because they can be throttled, but have some other mechanism
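
Review bot: In patch 1/4, btrfs_block_group_done() (fs/btrfs/block-group.h, hunk @@ -278,9 +278,13) keeps smp_mb() directly in front of the new spin_lock(&cache->lock) with no comment saying what the barrier still orders; either drop it or document what it pairs with. The value returned in flag can be stale as soon as spin_unlock() returns, so callers get no stronger guarantee than one annotated load would give them. Consider loading cache->cached once into a local with READ_ONCE() and comparing that local against both constants, which removes the double read without adding a lock to an inline helper that the commit message shows on the find_free_extent() path.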
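
Review bot: In patch 2/4, the range_cyclic load in extent_write_cache_pages() (fs/btrfs/extent_io.c, hunk @@ -4160,7 +4160,9) takes mapping->private_lock around a single read of mapping->writeback_index, and neither the commit message nor a code comment says why private_lock is the lock that owns this field. Please add a comment naming the lock that protects writeback_index, or, if the aim is only a tear-free access, use READ_ONCE() here and WRITE_ONCE() at the store instead of a spinlock.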
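
Review bot: In patch 2/4, the store mapping->writeback_index = done_index (hunk @@ -4271,8 +4273,11) sits in its own critical section, separate from the load at the top of the function, so two concurrent callers can still start from the same index and the last one to finish overwrites the other's done_index. The lock removes the unsynchronized access but not the lost update; the commit message should say whether that outcome is acceptable for cyclic writeback, or the series should serialize cyclic writers by other means.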
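
Review bot: In patch 3/4, start_transaction() (fs/btrfs/transaction.c, hunk @@ -541,6 +542,10) copies delayed_refs_rsv->full under delayed_refs_rsv->lock and drops the lock before either use, so the later `full == 0` and `!full` tests act on a value that btrfs_update_delayed_refs_rsv() may already have changed. The snapshot is also taken earlier than the original reads, which widens that window, and both tests now see one value where the old code read the field twice. Please state in the commit message that a stale, single snapshot is intended, and consider full = READ_ONCE(delayed_refs_rsv->full) since the lock does not keep the value current past spin_unlock().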