Bug 207717

Summary: reiserfs: data race on inode->i_size in reiserfs_write_full_page()
Product: File System
Component: ReiserFS
Kernel Version: 5.4
Hardware: All
OS: Linux
Subsystem:
Regression: No
Bisected commit-id:
Status: NEW
Severity: normal
Priority: P1
Assignee: ReiseFS developers team (reiserfs-devel)
Reporter: Jia-Ju Bai (baijiaju1990)
CC: baijiaju1990, jeffm

Description Jia-Ju Bai 2020-05-13 03:28:02 UTC
The functions reiserfs_write_full_page() and reiserfs_write_end() are concurrently executed at runtime in the following call contexts:

Thread 1:
reiserfs_writepage()
  reiserfs_write_full_page()

Thread 2:
reiserfs_write_end()

In reiserfs_write_full_page():
  unsigned long end_index = inode->i_size >> PAGE_SHIFT;

In reiserfs_write_end():
  inode->i_size = pos + copied;

Thus, a data race on inode->i_size occurs.

This data race was found and actually reproduced by our concurrency fuzzer.

I am not sure whether this data race is harmful and how to fix this data race properly, so I want to listen to your opinions, thanks :)
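Added illustration, not part of the report or of the reiserfs code: a small userspace C model of what the unprotected i_size load can return on a 32-bit kernel, where a 64-bit i_size is two machine words and the writer can land between them, and of the seqcount retry that the kernel's generic i_size_read()/i_size_write() helpers use on 32-bit SMP to avoid that. The struct, function names and the 4 GiB boundary are constructed for the example.

```c
/* Constructed model of the report's race on a 32-bit kernel, where a 64-bit i_size
 * is two words: a plain reader (the report's `inode->i_size >> PAGE_SHIFT`) can see
 * half old, half new; the seqcount reader retries as the kernel's generic
 * i_size_read()/i_size_write() do on 32-bit SMP. `midway` injects the writer by
 * hand, so the outcome is deterministic rather than a real race. */
#include <stdint.h>

struct model_inode {
	uint32_t size_lo, size_hi;	/* i_size split into two words */
	unsigned int seq;		/* seqcount: odd while a write is in flight */
};
/* Writer in the shape of i_size_write(): odd seq, store both halves, even seq.
 * Models reiserfs_write_end() growing the file from 4 GiB - 1 to exactly 4 GiB. */
static void write_4gib(struct model_inode *ip)
{
	ip->seq++;
	ip->size_lo = (uint32_t)(1ULL << 32);		/* low word: 0 */
	ip->size_hi = (uint32_t)((1ULL << 32) >> 32);	/* high word: 1 */
	ip->seq++;
}
/* Unprotected reader; `midway` is the writer landing between the two loads. */
static uint64_t plain_read(struct model_inode *ip, void (*midway)(struct model_inode *))
{
	uint32_t lo = ip->size_lo;
	midway(ip);
	return (uint64_t)ip->size_hi << 32 | lo;
}
/* Reader in the shape of i_size_read() on 32-bit SMP: retry until both loads sit
 * under one even, unchanged seq. `midway` fires once, so the loop settles on pass 2. */
static uint64_t seq_read(struct model_inode *ip, void (*midway)(struct model_inode *))
{
	uint64_t val;
	unsigned int before, after;
	do {
		before = ip->seq;
		uint32_t lo = ip->size_lo;
		if (midway) { midway(ip); midway = 0; }
		val = (uint64_t)ip->size_hi << 32 | lo;
		after = ip->seq;
	} while ((before & 1) || before != after);
	return val;
}
/* Start at 4 GiB - 1 and let the writer interrupt one read. The plain read yields
 * 0x1FFFFFFFF, a size that never existed (nearly double the real end_index); the
 * seqcount read yields the writer's 0x100000000. */
uint64_t read_demo(int use_seqcount)
{
	struct model_inode ip = { .size_lo = 0xFFFFFFFFu, .size_hi = 0, .seq = 0 };
	return use_seqcount ? seq_read(&ip, write_4gib) : plain_read(&ip, write_4gib);
}
```

On a 64-bit kernel i_size_read() is a single plain load, so a torn value cannot occur there; the model shows the 32-bit case the seqcount exists for.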