[BUG] Data race between xfs_file_release and xfs_bmap_del_extent_delay about i_delayed_blks

[BUG] Data race between xfs_file_release and xfs_bmap_del_extent_delay about i_delayed_blks

[cen zhang]

Hello maintainers,

I would like to report a data race bug detected in
the Btrfs filesystem on Linux kernel 6.14-rc4.
The issue was discovered by our tools,
which identified unsynchronized concurrent accesses to
`ip->i_delayed_blks`.

Kernel panic: ============ DATARACE ============
VarName 17363501701721901078, BlockLineNumber 20, IrLineNumber 2, is write 0
Function: watchpoints_monitor+0x1340/0x17c0 kernel/kccwf/wp_checker.c:73
Function: kccwf_rec_mem_access+0x7ec/0xab0 kernel/kccwf/core.c:359
Function: xfs_file_release+0x39e/0x910 fs/xfs/xfs_file.c:1325
Function: __fput+0x40b/0x970
Function: task_work_run+0x1ce/0x260
Function: do_exit+0x88c/0x2520
Function: do_group_exit+0x1d4/0x290
Function: get_signal+0xf7e/0x1060
Function: arch_do_signal_or_restart+0x44/0x600
Function: syscall_exit_to_user_mode+0x62/0x110
Function: do_syscall_64+0xd6/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
Function: 0x0
============OTHER_INFO============
VarName 16100634012471765034, BlockLineNumber 44, IrLineNumber 6,
watchpoint index 22144
Function: set_report_info+0xa6/0x1f0 kernel/kccwf/report.c:49
Function: watchpoints_monitor+0x7e8/0x17c0 kernel/kccwf/wp_checker.c:100
Function: kccwf_rec_mem_access+0x7ec/0xab0 kernel/kccwf/core.c:359
Function: xfs_bmap_del_extent_delay+0x91a/0x1cf0 fs/xfs/libxfs/xfs_bmap.c:4981
Function: __xfs_bunmapi+0x2c50/0x54f0 fs/xfs/libxfs/xfs_bmap.c:5673
Function: xfs_bunmapi_range+0x170/0x2c0 fs/xfs/libxfs/xfs_bmap.c:6437
Function: xfs_itruncate_extents_flags+0x50a/0x1070 fs/xfs/xfs_inode.c:1066
Function: xfs_itruncate_extents fs/xfs/xfs_inode.h:603 [inline]
Function: xfs_setattr_size+0xd78/0x1c80 fs/xfs/xfs_iops.c:1003
Function: xfs_vn_setattr_size+0x321/0x590 fs/xfs/xfs_iops.c:1054
Function: xfs_vn_setattr+0x2f4/0x910 fs/xfs/xfs_iops.c:1079
Function: notify_change+0x9f9/0xca0
Function: do_truncate+0x18d/0x220
Function: path_openat+0x2741/0x2db0
Function: do_filp_open+0x230/0x440
Function: do_sys_openat2+0xab/0x110
Function: __x64_sys_creat+0xd7/0x100
Function: do_syscall_64+0xc9/0x1a0
Function: entry_SYSCALL_64_after_hwframe+0x77/0x7f
=================END==============

The code locations involved in the data race are:

Write (fs/xfs/xfs_bmap.c):
xfs_bmap_del_extent_delay  {
……
    xfs_quota_unreserve_blkres(ip, del->br_blockcount);
    ip->i_delayed_blks -= del->br_blockcount;
……
}

Reader (fs/xfs/xfs_file.c):
xfs_file_release  {
……
        xfs_iflags_clear(ip, XFS_EOFBLOCKS_RELEASED);
        if (ip->i_delayed_blks > 0)
            filemap_flush(inode->i_mapping);
……
}

I’ve verified that this issue still exists in the latest source tree
in xfs_file.c:1552 and xfs_bmap.c:4702

Re: [BUG] Data race between xfs_file_release and xfs_bmap_del_extent_delay about i_delayed_blks

[Christoph Hellwig]

On Mon, May 12, 2025 at 12:01:54PM +0800, cen zhang wrote:
> I would like to report a data race bug detected in
> the Btrfs filesystem on Linux kernel 6.14-rc4.

xfs?

> The issue was discovered by our tools,

As in KCSAN?

> Reader (fs/xfs/xfs_file.c):
> xfs_file_release  {
> ……
>         xfs_iflags_clear(ip, XFS_EOFBLOCKS_RELEASED);
>         if (ip->i_delayed_blks > 0)
>             filemap_flush(inode->i_mapping);
> ……
> }

And this should make it very clear that the race does not matter.
bu we should indeed throw in a data_race() and a comment to make that
clear.  I'll take care of that.