Bug 207711

Summary: xfs: data race on ctx->space_used in xlog_cil_insert_items()
Product: File System Reporter: Jia-Ju Bai (baijiaju1990)
Component: XFSAssignee: FileSystem/XFS Default Virtual Assignee (filesystem_xfs)
Status: RESOLVED INVALID    
Severity: normal CC: baijiaju1990
Priority: P1    
Hardware: All   
OS: Linux   
Kernel Version: 5.4 Subsystem:
Regression: No Bisected commit-id:

Description Jia-Ju Bai 2020-05-13 02:45:54 UTC 
The functions xlog_cil_insert_items() and xlog_cil_push_background() are concurrently executed at runtime at the following call contexts:

Thread 1:
xfs_file_write_iter()
  xfs_file_buffered_aio_write()
    xfs_file_aio_write_checks()
      xfs_vn_update_time()
        xfs_trans_commit()
          __xfs_trans_commit()
            xfs_log_commit_cil()
              xlog_cil_insert_items()

Thread 2:
xfs_file_write_iter()
  xfs_file_buffered_aio_write()
    xfs_file_aio_write_checks()
      xfs_vn_update_time()
        xfs_trans_commit()
          __xfs_trans_commit()
            xfs_log_commit_cil()
              xlog_cil_push_background()

In xlog_cil_insert_items():
  ctx->space_used += len;

In xlog_cil_push_background():
  if (cil->xc_ctx->space_used < XLOG_CIL_SPACE_LIMIT(log))

The variables ctx->space_used and cil->xc_ctx->space_used access the same memory, and thus a data race can occur.

This data race was found and actually reproduced by our concurrency fuzzer.

I am not sure whether this data race is harmful and how to fix this data race properly, so I want to listen to your opinions, thanks :)
Comment 1 Dave Chinner 2020-05-13 04:07:40 UTC 
On Wed, May 13, 2020 at 02:45:54AM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=207711
> 
>             Bug ID: 207711
>            Summary: xfs: data race on ctx->space_used in
>                     xlog_cil_insert_items()
>            Product: File System
>            Version: 2.5
>     Kernel Version: 5.4
>           Hardware: All
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: XFS
>           Assignee: filesystem_xfs@kernel-bugs.kernel.org
>           Reporter: baijiaju1990@gmail.com
>         Regression: No
> 
> The functions xlog_cil_insert_items() and xlog_cil_push_background() are
> concurrently executed at runtime at the following call contexts:
> 
> Thread 1:
> xfs_file_write_iter()
>   xfs_file_buffered_aio_write()
>     xfs_file_aio_write_checks()
>       xfs_vn_update_time()
>         xfs_trans_commit()
>           __xfs_trans_commit()
>             xfs_log_commit_cil()
>               xlog_cil_insert_items()
> 
> Thread 2:
> xfs_file_write_iter()
>   xfs_file_buffered_aio_write()
>     xfs_file_aio_write_checks()
>       xfs_vn_update_time()
>         xfs_trans_commit()
>           __xfs_trans_commit()
>             xfs_log_commit_cil()
>               xlog_cil_push_background()
> 
> In xlog_cil_insert_items():
>   ctx->space_used += len;
> 
> In xlog_cil_push_background():
>   if (cil->xc_ctx->space_used < XLOG_CIL_SPACE_LIMIT(log))

Intentionally racy accounting check as it's not critical to be
perfectly accurate here.

Not a bug, please close.

-Dave.
Comment 2 Jia-Ju Bai 2020-05-13 08:00:43 UTC 
Okay, thanks for explanation.