From patchwork Mon Mar 10 16:54:00 2025
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
X-Patchwork-Submitter: Yuan Tan <tanyuan@tinylab.org>
X-Patchwork-Id: 14010413
Return-Path: <owner-linux-mm@kvack.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
Received: from kanga.kvack.org (kanga.kvack.org [205.233.56.17])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 65211C282EC
	for <linux-mm@archiver.kernel.org>; Mon, 10 Mar 2025 16:56:04 +0000 (UTC)
Received: by kanga.kvack.org (Postfix)
	id 433D0280011; Mon, 10 Mar 2025 12:56:02 -0400 (EDT)
Received: by kanga.kvack.org (Postfix, from userid 40)
	id 3E17D280004; Mon, 10 Mar 2025 12:56:02 -0400 (EDT)
X-Delivered-To: int-list-linux-mm@kvack.org
Received: by kanga.kvack.org (Postfix, from userid 63042)
	id 2F842280011; Mon, 10 Mar 2025 12:56:02 -0400 (EDT)
X-Delivered-To: linux-mm@kvack.org
Received: from relay.hostedemail.com (smtprelay0013.hostedemail.com
 [216.40.44.13])
	by kanga.kvack.org (Postfix) with ESMTP id 11EA1280004
	for <linux-mm@kvack.org>; Mon, 10 Mar 2025 12:56:02 -0400 (EDT)
Received: from smtpin22.hostedemail.com (a10.router.float.18 [10.200.18.1])
	by unirelay02.hostedemail.com (Postfix) with ESMTP id 6D6E2121261
	for <linux-mm@kvack.org>; Mon, 10 Mar 2025 16:56:03 +0000 (UTC)
X-FDA: 83206243806.22.4B815D9
Received: from mail.cs.ucr.edu (mail.cs.ucr.edu [169.235.30.83])
	by imf18.hostedemail.com (Postfix) with ESMTP id 7DFAA1C000C
	for <linux-mm@kvack.org>; Mon, 10 Mar 2025 16:56:00 +0000 (UTC)
Authentication-Results: imf18.hostedemail.com;
	dkim=none;
	spf=none (imf18.hostedemail.com: domain of ytan089@mail.cs.ucr.edu has no SPF
 policy when checking 169.235.30.83) smtp.mailfrom=ytan089@mail.cs.ucr.edu;
	dmarc=none
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed;
 d=hostedemail.com;
	s=arc-20220608; t=1741625761;
	h=from:from:sender:reply-to:subject:subject:date:date:
	 message-id:message-id:to:to:cc:cc:mime-version:mime-version:
	 content-type:content-transfer-encoding:content-transfer-encoding:
	 in-reply-to:in-reply-to:references:references;
	bh=DylQ5AIVzcR0RmnX4lDFNDU2+rdYlwWpIfqWsUcEdrc=;
	b=D9bYVomz0/H5q33eX/sR/sIXvQVd/eN94UPQ0JTcrXnmO3lXF2N8TqM9F2ldC36omDcuFt
	Rv21RZGGcmQvFdGNCTjOuKkbcYWNPvvIi5/2NYOFnJMmni0pTbSC0E6iLBFwAR0/LDv5R2
	wP2dRKH6MlE8X1iydyZpIQaEULg8IFk=
ARC-Authentication-Results: i=1;
	imf18.hostedemail.com;
	dkim=none;
	spf=none (imf18.hostedemail.com: domain of ytan089@mail.cs.ucr.edu has no SPF
 policy when checking 169.235.30.83) smtp.mailfrom=ytan089@mail.cs.ucr.edu;
	dmarc=none
ARC-Seal: i=1; s=arc-20220608; d=hostedemail.com; t=1741625761; a=rsa-sha256;
	cv=none;
	b=6zVNkoUWMP/92Wr6DLrT/Q3PDwRSK/e89QuTybm7Lp9AfFmFRhGmhJuhUR9n/Wkl12vhQx
	28pttYCybXXbkINIXC4Cj3aerGdoAdcsbC7JHGosKOWZhzxHp57Nl0rnPLqK3VAl4iWk7e
	SMgg3ciWzg67H7BzaKfMnpIM2tOLLkY=
Received: by mail.cs.ucr.edu (Postfix, from userid 1000)
	id BAB902C800243; Mon, 10 Mar 2025 09:55:58 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.cs.ucr.edu BAB902C800243
Received: from kq.cs.ucr.edu (kq.cs.ucr.edu [169.235.27.223])
	by mail.cs.ucr.edu (Postfix) with ESMTP id 9C2D92C8002FC;
	Mon, 10 Mar 2025 09:55:57 -0700 (PDT)
DKIM-Filter: OpenDKIM Filter v2.11.0 mail.cs.ucr.edu 9C2D92C8002FC
Received: by kq.cs.ucr.edu (Postfix, from userid 101072)
	id 84D6427E46DC; Mon, 10 Mar 2025 09:54:46 -0700 (PDT)
From: Yuan Tan <tanyuan@tinylab.org>
To: axboe@kernel.dk,
	syzbot+f2aaf773187f5cae54f3@syzkaller.appspotmail.com
Cc: linux-block@vger.kernel.org,
	akpm@linux-foundation.org,
	linux-fsdevel@vger.kernel.org,
	linux-kernel@vger.kernel.org,
	linux-mm@kvack.org,
	syzkaller-bugs@googlegroups.com,
	willy@infradead.org,
	falcon@tinylab.org,
	tanyuan@tinylab.org
Subject: [PATCH] block: add lock for safe nrpages access in invalidate_bdev()
Date: Mon, 10 Mar 2025 09:54:00 -0700
Message-Id: <20250310165400.3166618-1-tanyuan@tinylab.org>
X-Mailer: git-send-email 2.25.1
In-Reply-To: <67ceb38a.050a0220.e1a89.04b1.GAE@google.com>
References: <67ceb38a.050a0220.e1a89.04b1.GAE@google.com>
MIME-Version: 1.0
X-Stat-Signature: i9hwys5fnikr9r4jmnn3x8rw1zef364t
X-Rspam-User: 
X-Rspamd-Queue-Id: 7DFAA1C000C
X-Rspamd-Server: rspam01
X-HE-Tag: 1741625760-341491
X-HE-Meta: 
 U2FsdGVkX18bZHjUQSMGPfmhF6ZmNJwDxtHW98a37YRwIpDDTrjzx/nvme1bIEPa+bjxGmqn8Do9JhZtlruuWJwArUZebDyjAAMtUN6JZ1xXVUP598CHerrt6xASlKksEMB5+GMmLkQ2Rry3zhWI14voyKPXoMgksqtqFe6YB8MhLXIicuvNg8YiIL/LqPnA5pFOtg61zi6CC6U/s23FSKjZSh8jghYEcQFPLuf/xQxx7gAzp78PjAMkpAIBZt506KZJ/bvBLAN92I2AAk+0vB8tGDsl7QZAm6kfO2uKS/KNKzvqF2rXHoPHJT5B7DtuXvoIsY5n8qdvx3cKejveLpQYwJFCfBhvppG8jI/+et5jXFEUSCfCME7551XwDalWtfwIZkUpOVGk1ScYTgqcdi8I/pQlU8+sG66gV+h2I+o3ww7lwBqZZKLw356FYAAla8GMiUCnITACbWfveNXIZ+XUuAN0KU28hYvqu5KvRw3XkRlXA0a7Au0yf5FI7tIRgK/tBjNYlrek+H90zWRzSg41UWjKuI3uARBffxrKlZ91DNbGIHPVjLTnLQdhFJrXPg73fSV9uOub6Hk8XSohaINL9+KZ/UEITDbf7kLuFGyp4ecNYXsn51/LsL4SCqN3rhOeoTHd28bIg1NuxKscXgXGYtvihycc1LbVSBImlQiNQ3Cs3pxPu9Sp+hXqLwn8ZIa+9id5dOJfOASdqKFWDjUdI5xItHxKS8yI1CzHPwsYcVyaXlctgqIC5igZNK9NdCa4IEt4BwK4jGxO/CivGlnr0GEPRFYg23bf4O6iUeFTBCEGSC3CfNjfvhhkrFifGcJLuG9/73b0OFq/s/BWxFkdke75vTInDKxxLIdNWgTPyD0r0vfLkT7hZJilCSpJseywln+zGFam8bM63WjpezB1msjeWOpZ7j4HEvQWHhnKiby4AfeUfJXrgY1Isr1+M8JQ3t5v5dD61A/TgGy
 +bUF7EKP
 NrlC1Li2HgdK6TKq1ok/uDqvEpyw0ds1o8nYckCHx6c7IOCwLOyg/AEBReSL+e1ames997SU+8q+paLgHv1omw4aacuwQ7AhD31jptB16AKJI4ZLE0zQJq/WS8jM0CN4hWw+9NWKiCagKxJYf66Mln7OYnN3TFFVPDp7xy7TfaebCzRgBQu2m0mY0xmzv1hGcK15qiiSSMO/ELv9RYrGpqjrecJsOc5uVVpus8HLm3cwAUCJreU14yq9XPlE+ahUZnsMyHBYtHR70ZGLPNyWYZyCqZOn8d8SKGCyEV6+97UFFZ4X5M5QNdLnt1GiDTbYI4b7S2zfaYh8IUkQWap2F7y0k1B6KfdCrkGInkxHTmIIj4MA7UYq+kbS/Ko7/GbV6dZSFZ+gfGevvTUPOIsU11e7+YMixFGYMRkB30JU6vtU4jrDtdkpp8Iu1e07FZvFgB11O9HmdGKq13ZpJzhQOhnUeB9OsonfYaT0sAE7YuRo+1Wmu29ldpuhBNqcCs/unBxh5Dg23fwOvbdI=
X-Bogosity: Ham, tests=bogofilter, spamicity=0.000000, version=1.2.4
Sender: owner-linux-mm@kvack.org
Precedence: bulk
X-Loop: owner-majordomo@kvack.org
List-ID: <linux-mm.kvack.org>
List-Subscribe: <mailto:majordomo@kvack.org>
List-Unsubscribe: <mailto:majordomo@kvack.org>

Syzbot reported a data-race in __filemap_add_folio / invalidate_bdev[1]
due to concurrent access to mapping->nrpages.
Adds a lock around the access to nrpages.

[1] https://syzkaller.appspot.com/bug?extid=f2aaf773187f5cae54f3

Signed-off-by: Yuan Tan <tanyuan@tinylab.org>
Reported-by: syzbot+f2aaf773187f5cae54f3@syzkaller.appspotmail.com
---
 block/bdev.c | 9 ++++++++-
 1 file changed, 8 insertions(+), 1 deletion(-)

I had already completed and tested this patch before Matthew sent the
email. I'm not sure if this solution is correct. If it's not, please
ignore the patch :)

diff --git a/block/bdev.c b/block/bdev.c
index 9d73a8fbf7f9..934043d09068 100644
--- a/block/bdev.c
+++ b/block/bdev.c
@@ -96,7 +96,14 @@ void invalidate_bdev(struct block_device *bdev)
 {
 	struct address_space *mapping = bdev->bd_mapping;
 
-	if (mapping->nrpages) {
+	XA_STATE(xas, &mapping->i_pages, 0);  /* we don't care about the index */
+	unsigned long nrpages;
+
+	xas_lock_irq(&xas);
+	nrpages = mapping->nrpages;
+	xas_unlock_irq(&xas);
+
+	if (nrpages) {
 		invalidate_bh_lrus();
 		lru_add_drain_all();	/* make sure all lru add caches are flushed */
 		invalidate_mapping_pages(mapping, 0, -1);