Hello maintainers, I would like to report five data race bugs we discovered in the F2FS filesystem on Linux kernel v6.14-rc4. These issues were identified using our data race detector.
Among the five races, we believe that three are benign, and might be acceptable to annotate with `data_race()`. However, the remaining two involve shared global state and may lead to inconsistencies. We are uncertain about their potential harmfulness and would appreciate your evaluation. Below is a summary of the findings:

---

Benign Races
============

1. Race in `f2fs_update_time()` at lines 1915 and 1916
------------------------------------------------------

============ DATARACE ============
Function: f2fs_fallocate+0xbb6/0x13e0 fs/f2fs/f2fs.h:1915
Function: vfs_fallocate+0x38d/0x440
Function: __x64_sys_fallocate+0xb0/0xf0
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
Function: 0x0
========================
Function: f2fs_fallocate+0xbb6/0x13e0 fs/f2fs/f2fs.h:1915
Function: vfs_fallocate+0x38d/0x440
Function: __x64_sys_fallocate+0xb0/0xf0
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
=================END==============

============ DATARACE ============
Function: f2fs_fallocate+0xc30/0x13e0 fs/f2fs/f2fs.h:1916
Function: vfs_fallocate+0x38d/0x440
Function: __x64_sys_fallocate+0xb0/0xf0
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
Function: 0x0
========================
Function: f2fs_setxattr+0x53d/0x8e0 fs/f2fs/f2fs.h:1916
Function: f2fs_xattr_generic_set+0x293/0x3c0 fs/f2fs/xattr.c:86
Function: __vfs_setxattr+0x3b6/0x3f0
Function: __vfs_setxattr_noperm+0x115/0x5c0
Function: vfs_setxattr+0x165/0x300
Function: file_setxattr+0x1a9/0x280
Function: path_setxattrat+0x2f4/0x370
Function: __x64_sys_fsetxattr+0xbc/0xe0
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
=================END==============

2. Race on `inode->i_advise`
----------------------------

A read in `f2fs_update_inode()` and a write in `f2fs_expand_inode_data()` can happen concurrently.

============ DATARACE ============
Function: f2fs_update_inode+0x36a/0x7c30 fs/f2fs/inode.c:670
Function: f2fs_fsync_node_pages+0x3756/0x61a0 fs/f2fs/node.c:1848
Function: f2fs_do_sync_file+0x1935/0x3ba0 fs/f2fs/file.c:343
Function: f2fs_sync_file+0x2e2/0x450 fs/f2fs/file.c:395
Function: __x64_sys_fsync+0x18a/0x1d0
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
Function: 0x0
========================
VarName 7370413196168665605, BlockLineNumber 152, IrLineNumber 2, watchpoint index 38631
Function: f2fs_expand_inode_data+0x14ad/0x1af0 fs/f2fs/f2fs.h:3346
Function: f2fs_fallocate+0x7be/0x13e0 fs/f2fs/file.c:1959
Function: vfs_fallocate+0x38d/0x440
Function: __x64_sys_fallocate+0xb0/0xf0
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
=================END==============

3. Race on `mapping->writeback_index` in `f2fs_write_cache_pages()`
-------------------------------------------------------------------

Multiple writers may assign to `mapping->writeback_index` concurrently. This behavior is also seen in other subsystems and may be acceptable, although racy in a strict sense.

Kernel panic:
============ DATARACE ============
Function: f2fs_write_data_pages+0x55ca/0x7220 fs/f2fs/data.c:3221
Function: do_writepages+0x302/0x7c0
Function: file_write_and_wait_range+0x1e2/0x3e0
Function: f2fs_do_sync_file+0xa41/0x3ba0 fs/f2fs/file.c:278
Function: f2fs_sync_file+0x2e2/0x450 fs/f2fs/file.c:395
Function: __x64_sys_fsync+0x18a/0x1d0
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
Function: 0x0
============OTHER_INFO============
Function: f2fs_write_data_pages+0x55ca/0x7220 fs/f2fs/data.c:3221
Function: do_writepages+0x302/0x7c0
Function: file_write_and_wait_range+0x1e2/0x3e0
Function: f2fs_do_sync_file+0xa41/0x3ba0 fs/f2fs/file.c:278
Function: f2fs_sync_file+0x2e2/0x450 fs/f2fs/file.c:395
Function: __x64_sys_fsync+0x18a/0x1d0
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
=================END==============

---

Possibly Harmful Race
----------------------------

1. Race on `free_sections` field of `struct f2fs_sb_info`
----------------------------

This race involves concurrent read and write to `sbi->free_sections`. The read occurs in the function `has_not_enough_free_secs()` during a write operation, while the write occurs deeper in `new_curseg()` during a sync path.

Kernel panic:
============ DATARACE ============
Function: has_not_enough_free_secs+0x11fd/0x1f50 fs/f2fs/segment.h:530
Function: f2fs_write_begin+0x33df/0x5580 fs/f2fs/data.c:3627
Function: generic_perform_write+0x26d/0x660
Function: f2fs_file_write_iter+0x15ea/0x55a0 fs/f2fs/file.c:4855
Function: vfs_write+0x940/0xd10
Function: ksys_write+0x116/0x200
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
Function: 0x0
========================
Function: new_curseg+0x2382/0x3900 fs/f2fs/segment.h:456
Function: f2fs_allocate_data_block+0x47e3/0xa570 fs/f2fs/segment.c:3800
Function: do_write_page+0x321/0x1170 fs/f2fs/segment.c:3913
Function: f2fs_do_write_node_page+0x1aa/0x4d0 fs/f2fs/segment.c:3965
Function: __write_node_page+0x166e/0x4400 fs/f2fs/node.c:1706
Function: f2fs_fsync_node_pages+0x3b70/0x61a0 fs/f2fs/node.c:1860
Function: f2fs_do_sync_file+0x1935/0x3ba0 fs/f2fs/file.c:343
Function: f2fs_sync_file+0x2e2/0x450 fs/f2fs/file.c:395
Function: __x64_sys_fsync+0x18a/0x1d0
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
=================END==============

----

2. Race on `nat_cnt[TOTAL_NAT]` in `struct f2fs_nm_info`
----------------------------

A read from `f2fs_balance_fs()` (via `excess_cached_nats()`) and a concurrent write from `__init_nat_entry()` (in the mkdir path) race on the same counter field. No locking or atomic access is used.

============ DATARACE ============
Function: f2fs_balance_fs+0x269/0xcd0 fs/f2fs/node.h:138
Function: f2fs_setattr+0x2585/0x38f0 fs/f2fs/file.c:1142
Function: notify_change+0x9f9/0xca0
Function: chmod_common+0x1fe/0x410
Function: __x64_sys_fchmod+0xd4/0x130
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
Function: 0x0
============OTHER_INFO============
Function: set_node_addr+0x8c1/0x3760 fs/f2fs/node.c:202
Function: f2fs_new_node_page+0x12ce/0x3870 fs/f2fs/node.c:1357
Function: f2fs_new_inode_page+0x1a6/0x290 fs/f2fs/node.c:1313
Function: f2fs_init_inode_metadata+0x13a/0x32a0 fs/f2fs/dir.c:524
Function: f2fs_add_regular_entry+0xa3f/0x1cc0 fs/f2fs/dir.c:721
Function: f2fs_add_dentry+0x15e/0x560 fs/f2fs/dir.c:769
Function: f2fs_do_add_link+0x660/0xb30 fs/f2fs/dir.c:808
Function: f2fs_mkdir+0x70c/0xd50 fs/f2fs/f2fs.h:3616
Function: vfs_mkdir+0x4b1/0x6e0
Function: do_mkdirat+0x1ae/0x260
Function: __x64_sys_mkdir+0x6c/0x80
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
=================END==============

-----

Thank you for your attention to this matter.

Best regards,
Cen Zhang

_______________________________________________
Linux-f2fs-devel mailing list
Linux-f2fs-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/linux-f2fs-devel
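A small parser for the detector's report format quoted above, added here as an example for triaging such reports; it is not part of the report or of the detector's own tooling. The sample is an abbreviated excerpt of the traces above; the trailing `Function: 0x0` frame is assumed to be a sentinel and the `VarName` line detector metadata, and the two sides of a report are assumed to be separated by either a plain `====...====` line or the `====OTHER_INFO====` line.

```python
import re

# Constructed sample: abbreviated excerpts of the detector output quoted in the report above.
SAMPLE = """\
============ DATARACE ============
Function: has_not_enough_free_secs+0x11fd/0x1f50 fs/f2fs/segment.h:530
Function: vfs_write+0x940/0xd10
Function: 0x0
========================
Function: new_curseg+0x2382/0x3900 fs/f2fs/segment.h:456
=================END==============
============ DATARACE ============
Function: f2fs_write_data_pages+0x55ca/0x7220 fs/f2fs/data.c:3221
============OTHER_INFO============
VarName 7370413196168665605, BlockLineNumber 152, IrLineNumber 2, watchpoint index 38631
Function: f2fs_write_data_pages+0x55ca/0x7220 fs/f2fs/data.c:3221
=================END==============
"""

# Frame: "Function: <symbol>[+off/size] [<file>:<line>]"; "Function: 0x0" is assumed to be a sentinel.
FRAME_RE = re.compile(r"^Function:\s+(\S+?)(?:\+0x[0-9a-f]+/0x[0-9a-f]+)?(?:\s+(\S+):(\d+))?\s*$")

def parse_reports(text):
    """One dict per DATARACE block: stacks[0]/stacks[1] are the two sides, innermost frame first."""
    reports, cur, side = [], None, 0
    for line in (l.strip() for l in text.splitlines()):
        if line.strip("= ") == "DATARACE":
            cur, side = {"stacks": [[], []], "info": []}, 0
        elif cur is None:
            continue  # text outside any report block
        elif line.strip("=") == "END":
            reports.append(cur)
            cur = None
        elif line.startswith("===="):  # plain "===...===" or "===OTHER_INFO===" separates the sides
            side = 1
        elif line.startswith("VarName"):  # detector metadata, kept verbatim
            cur["info"].append(line)
        else:
            m = FRAME_RE.match(line)
            if m and m.group(1) != "0x0":
                cur["stacks"][side].append((m.group(1), m.group(2), int(m.group(3)) if m.group(3) else None))
    return reports

def racing_sites(report):
    return tuple(s[0] if s else None for s in report["stacks"])  # innermost frame of each side

def same_site(report):
    """True when both accesses hit one file:line, e.g. the two writers of writeback_index above."""
    a, b = racing_sites(report)
    return bool(a and b and a[1] and a[1:] == b[1:])
```

Running `parse_reports` over a full detector log yields the racing pair per report (the two innermost frames), and `same_site` separates the same-statement pattern of race 3 from cross-site read/write pairs such as the `free_sections` race.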