From: Tetsuo Handa
Date: Mon, 1 May 2023 14:15:56 +0900
Subject: Re: [syzbot] [mm?] KCSAN: data-race in generic_fillattr / shmem_mknod (2)
To: linux-fsdevel, Alexander Viro
Cc: akpm@linux-foundation.org, hughd@google.com, linux-kernel@vger.kernel.org, linux-mm@kvack.org, syzkaller-bugs@googlegroups.com, syzbot, Dmitry Vyukov
References: <0000000000007337c705fa1060e2@google.com>

On 2023/04/24 17:26, Dmitry Vyukov wrote:
>> HEAD commit:    457391b03803 Linux 6.3
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=13226cf0280000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=8c81c9a3d360ebcf
>> dashboard link: https://syzkaller.appspot.com/bug?extid=702361cf7e3d95758761
>> compiler:       Debian clang version 15.0.7, GNU ld (GNU Binutils for Debian) 2.35.2
>
> I think shmem_mknod() needs to use i_size_write() to update the size.
> Writes to i_size are not assumed to be atomic throughout the kernel
> code.
>

I don't think that using i_size_{read,write}() alone is sufficient, for I think that i_size_{read,write}() needs data_race() annotation.

include/linux/fs.h | 13 +++++++++++-- mm/shmem.c | 12 ++++++------ 2 files changed, 17 insertions(+), 8 deletions(-) diff --git a/include/linux/fs.h b/include/linux/fs.h index 21a981680856..0d067bbe3ee9 100644 --- a/include/linux/fs.h +++ b/include/linux/fs.h @@ -860,6 +860,13 @@ void filemap_invalidate_unlock_two(struct address_space *mapping1, * the read or for example on x86 they can be still implemented as a * cmpxchg8b without the need of the lock prefix). For SMP compiles * and 64bit archs it makes no difference if preempt is enabled or not. + * + * However, when KCSAN is enabled, CPU being capable of reading/updating + * naturally aligned 8 bytes of memory atomically is not sufficient for + * avoiding KCSAN warning, for KCSAN checks whether value has changed between + * before and after of a read operation. But since we don't want to introduce + * seqcount overhead only for suppressing KCSAN warning, tell KCSAN that data + * race on accessing i_size field is acceptable. */ static inline loff_t i_size_read(const struct inode *inode) { @@ -880,7 +887,8 @@ static inline loff_t i_size_read(const struct inode *inode) preempt_enable(); return i_size; #else - return inode->i_size; + /* See comment above. */ + return data_race(inode->i_size); #endif } 
@@ -902,7 +910,8 @@ static inline void i_size_write(struct inode *inode, loff_t i_size) inode->i_size = i_size; preempt_enable(); #else - inode->i_size = i_size; + /* See comment above. */ + data_race(inode->i_size = i_size); #endif } diff --git a/mm/shmem.c b/mm/shmem.c index e40a08c5c6d7..a2f20297fb59 100644 --- a/mm/shmem.c +++ b/mm/shmem.c @@ -2951,7 +2951,7 @@ shmem_mknod(struct mnt_idmap *idmap, struct inode *dir, goto out_iput; error = 0; - dir->i_size += BOGO_DIRENT_SIZE; + i_size_write(dir, i_size_read(dir) + BOGO_DIRENT_SIZE); dir->i_ctime = dir->i_mtime = current_time(dir); inode_inc_iversion(dir); d_instantiate(dentry, inode); @@ -3027,7 +3027,7 @@ static int shmem_link(struct dentry *old_dentry, struct inode *dir, struct dentr goto out; } - dir->i_size += BOGO_DIRENT_SIZE; + i_size_write(dir, i_size_read(dir) + BOGO_DIRENT_SIZE); inode->i_ctime = dir->i_ctime = dir->i_mtime = current_time(inode); inode_inc_iversion(dir); inc_nlink(inode); @@ -3045,7 +3045,7 @@ static int shmem_unlink(struct inode *dir, struct dentry *dentry) if (inode->i_nlink > 1 && !S_ISDIR(inode->i_mode)) shmem_free_inode(inode->i_sb); - dir->i_size -= BOGO_DIRENT_SIZE; + i_size_write(dir, i_size_read(dir) - BOGO_DIRENT_SIZE); inode->i_ctime = dir->i_ctime = dir->i_mtime = current_time(inode); inode_inc_iversion(dir); drop_nlink(inode); @@ -3132,8 +3132,8 @@ static int shmem_rename2(struct mnt_idmap *idmap, inc_nlink(new_dir); } - old_dir->i_size -= BOGO_DIRENT_SIZE; - new_dir->i_size += BOGO_DIRENT_SIZE; + i_size_write(old_dir, i_size_read(old_dir) - BOGO_DIRENT_SIZE); + i_size_write(new_dir, i_size_read(new_dir) + BOGO_DIRENT_SIZE); old_dir->i_ctime = old_dir->i_mtime = new_dir->i_ctime = new_dir->i_mtime = inode->i_ctime = current_time(old_dir); 
@@ -3189,7 +3189,7 @@ static int shmem_symlink(struct mnt_idmap *idmap, struct inode *dir, folio_unlock(folio); folio_put(folio); } - dir->i_size += BOGO_DIRENT_SIZE; + i_size_write(dir, i_size_read(dir) + BOGO_DIRENT_SIZE); dir->i_ctime = dir->i_mtime = current_time(dir); inode_inc_iversion(dir); d_instantiate(dentry, inode);

Maybe we want i_size_add()?

Also, there was a similar report on updating i_{ctime,mtime} to current_time(), which means that i_size is not the only field that is causing a data race.
https://syzkaller.appspot.com/bug?id=067d40ab9ab23a6fa0a8156857ed54e295062a29

Hmm, where is the serialization that avoids concurrent shmem_mknod()/shmem_mknod() or shmem_mknod()/shmem_unlink()? i_size_write() says "need locking around it (normally i_mutex)"...
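
Review bot: The comment block added above i_size_read() in include/linux/fs.h calls the race "acceptable" without saying why, and "checks whether value has changed between before and after of a read operation" is hard to parse. State the assumption the #else branch depends on (a single naturally aligned load or store, and lockless readers that tolerate a stale size), and say explicitly that data_race() only silences the report and places no constraint on how the compiler emits the access.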
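
Review bot: In the #else branch of i_size_read(), "return data_race(inode->i_size);" leaves the load as a plain access, so the atomicity the new comment relies on is still an assumption about code generation. READ_ONCE(inode->i_size) would silence KCSAN and also rule out load tearing and refetching. If data_race() stays, replace "See comment above." with a line that names the reason, since the comment it points to sits outside the function body.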
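
Review bot: In the #else branch of i_size_write(), "data_race(inode->i_size = i_size);" hides every race on this store from KCSAN, including two unsynchronized writers, which is the case the "need locking around it" requirement quoted at the end of this mail is meant to exclude. Consider WRITE_ONCE() for the store together with ASSERT_EXCLUSIVE_WRITER(inode->i_size), so that lockless readers are tolerated while concurrent writers are still reported.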
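
Review bot: In the shmem_mknod() hunk, "i_size_write(dir, i_size_read(dir) + BOGO_DIRENT_SIZE);" is still a separate read and write, so two updaters of the same directory that are not serialized can lose an update; the accessors only address the lockless reader in generic_fillattr(). The commit message should name the lock that serializes these updates, and a lockdep assertion next to the update would make that checkable. The same expression recurs in shmem_link(), shmem_unlink() and shmem_symlink(), so a single helper would give one place to put the assertion.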
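
Review bot: In the shmem_rename2() hunk, the two consecutive i_size_write() calls publish an intermediate value when old_dir and new_dir are the same inode (a rename within one directory): a lockless reader can see the directory one BOGO_DIRENT_SIZE smaller between the two stores. Skip both updates when old_dir == new_dir, or compute the net change and store it once.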