[PATCH] ext4: fix a data-race around bg_free_inodes_count_lo

[Jason Xing <kerneljasonxing@gmail.com>]

From: Jason Xing <kernelxing@tencent.com>

As KCSAN reported below, this member could be accessed concurrently
by two different cpus without lock protection.

BUG: KCSAN: data-race in ext4_free_inodes_count / ext4_free_inodes_set

write to 0xffff8881029ee00e of 2 bytes by task 3446 on cpu 0:
 ext4_free_inodes_set+0x1f/0x80 fs/ext4/super.c:405
 ext4_free_inode+0x436/0x810 fs/ext4/ialloc.c:323
 ext4_evict_inode+0xb20/0xdc0 fs/ext4/inode.c:303
 evict+0x1aa/0x410 fs/inode.c:665
 iput_final fs/inode.c:1739 [inline]
 iput+0x42c/0x5c0 fs/inode.c:1765
 do_unlinkat+0x282/0x4c0 fs/namei.c:4409
 __do_sys_unlink fs/namei.c:4450 [inline]
 __se_sys_unlink fs/namei.c:4448 [inline]
 __x64_sys_unlink+0x30/0x40 fs/namei.c:4448
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

read to 0xffff8881029ee00e of 2 bytes by task 4984 on cpu 1:
 ext4_free_inodes_count+0x1c/0x80 fs/ext4/super.c:349
 find_group_other fs/ext4/ialloc.c:594 [inline]
 __ext4_new_inode+0x6eb/0x2270 fs/ext4/ialloc.c:1017
 ext4_symlink+0x242/0x590 fs/ext4/namei.c:3396
 vfs_symlink+0xc2/0x1a0 fs/namei.c:4484
 do_symlinkat+0xe3/0x340 fs/namei.c:4510
 __do_sys_symlinkat fs/namei.c:4526 [inline]
 __se_sys_symlinkat fs/namei.c:4523 [inline]
 __x64_sys_symlinkat+0x62/0x70 fs/namei.c:4523
 do_syscall_x64 arch/x86/entry/common.c:52 [inline]
 do_syscall_64+0xcd/0x1d0 arch/x86/entry/common.c:83
 entry_SYSCALL_64_after_hwframe+0x63/0x6b

value changed: 0x1855 -> 0x1856

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 PID: 4984 Comm: syz-executor.1 Not tainted 6.8.0-rc7-syzkaller #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 01/25/2024

Signed-off-by: Jason Xing <kernelxing@tencent.com>
---
 fs/ext4/super.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/fs/ext4/super.c b/fs/ext4/super.c
index 044135796f2b..cf817a6a6e27 100644
--- a/fs/ext4/super.c
+++ b/fs/ext4/super.c
@@ -346,7 +346,7 @@ __u32 ext4_free_group_clusters(struct super_block *sb,
 __u32 ext4_free_inodes_count(struct super_block *sb,
 			      struct ext4_group_desc *bg)
 {
-	return le16_to_cpu(bg->bg_free_inodes_count_lo) |
+	return le16_to_cpu(READ_ONCE(bg->bg_free_inodes_count_lo)) |
 		(EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT ?
 		 (__u32)le16_to_cpu(bg->bg_free_inodes_count_hi) << 16 : 0);
 }
@@ -402,7 +402,7 @@ void ext4_free_group_clusters_set(struct super_block *sb,
 void ext4_free_inodes_set(struct super_block *sb,
 			  struct ext4_group_desc *bg, __u32 count)
 {
-	bg->bg_free_inodes_count_lo = cpu_to_le16((__u16)count);
+	WRITE_ONCE(bg->bg_free_inodes_count_lo, cpu_to_le16((__u16)count));
 	if (EXT4_DESC_SIZE(sb) >= EXT4_MIN_DESC_SIZE_64BIT)
 		bg->bg_free_inodes_count_hi = cpu_to_le16(count >> 16);
 }
-- 
2.37.3