Bug 207711 - xfs: data race on ctx->space_used in xlog_cil_insert_items()
Summary: xfs: data race on ctx->space_used in xlog_cil_insert_items()
Status: RESOLVED INVALID
Alias: None
Product: File System
Classification: Unclassified
Component: XFS (show other bugs)
Hardware: All Linux
: P1 normal
Assignee: FileSystem/XFS Default Virtual Assignee
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-13 02:45 UTC by Jia-Ju Bai
Modified: 2020-05-13 08:00 UTC (History)
1 user (show)

See Also:
Kernel Version: 5.4
Subsystem:
Regression: No
Bisected commit-id:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description Jia-Ju Bai 2020-05-13 02:45:54 UTC 
The functions xlog_cil_insert_items() and xlog_cil_push_background() are concurrently executed at runtime at the following call contexts:

Thread 1:
xfs_file_write_iter()
  xfs_file_buffered_aio_write()
    xfs_file_aio_write_checks()
      xfs_vn_update_time()
        xfs_trans_commit()
          __xfs_trans_commit()
            xfs_log_commit_cil()
              xlog_cil_insert_items()

Thread 2:
xfs_file_write_iter()
  xfs_file_buffered_aio_write()
    xfs_file_aio_write_checks()
      xfs_vn_update_time()
        xfs_trans_commit()
          __xfs_trans_commit()
            xfs_log_commit_cil()
              xlog_cil_push_background()

In xlog_cil_insert_items():
  ctx->space_used += len;

In xlog_cil_push_background():
  if (cil->xc_ctx->space_used < XLOG_CIL_SPACE_LIMIT(log))

The variables ctx->space_used and cil->xc_ctx->space_used access the same memory, and thus a data race can occur.

This data race was found and actually reproduced by our concurrency fuzzer.

I am not sure whether this data race is harmful and how to fix this data race properly, so I want to listen to your opinions, thanks :)
Comment 1 Dave Chinner 2020-05-13 04:07:40 UTC 
On Wed, May 13, 2020 at 02:45:54AM +0000, bugzilla-daemon@bugzilla.kernel.org wrote:
> https://bugzilla.kernel.org/show_bug.cgi?id=207711
> 
>             Bug ID: 207711
>            Summary: xfs: data race on ctx->space_used in
>                     xlog_cil_insert_items()
>            Product: File System
>            Version: 2.5
>     Kernel Version: 5.4
>           Hardware: All
>                 OS: Linux
>               Tree: Mainline
>             Status: NEW
>           Severity: normal
>           Priority: P1
>          Component: XFS
>           Assignee: filesystem_xfs@kernel-bugs.kernel.org
>           Reporter: baijiaju1990@gmail.com
>         Regression: No
> 
> The functions xlog_cil_insert_items() and xlog_cil_push_background() are
> concurrently executed at runtime at the following call contexts:
> 
> Thread 1:
> xfs_file_write_iter()
>   xfs_file_buffered_aio_write()
>     xfs_file_aio_write_checks()
>       xfs_vn_update_time()
>         xfs_trans_commit()
>           __xfs_trans_commit()
>             xfs_log_commit_cil()
>               xlog_cil_insert_items()
> 
> Thread 2:
> xfs_file_write_iter()
>   xfs_file_buffered_aio_write()
>     xfs_file_aio_write_checks()
>       xfs_vn_update_time()
>         xfs_trans_commit()
>           __xfs_trans_commit()
>             xfs_log_commit_cil()
>               xlog_cil_push_background()
> 
> In xlog_cil_insert_items():
>   ctx->space_used += len;
> 
> In xlog_cil_push_background():
>   if (cil->xc_ctx->space_used < XLOG_CIL_SPACE_LIMIT(log))

Intentionally racy accounting check as it's not critical to be
perfectly accurate here.

Not a bug, please close.

-Dave.
Comment 2 Jia-Ju Bai 2020-05-13 08:00:43 UTC 
Okay, thanks for explanation.
Note You need to log in before you can comment on or make changes to this bug.