[PATCH] f2fs: annotate data races around fi->i_flags

[PATCH] f2fs: annotate data races around fi->i_flags

[Cen Zhang]

fi->i_flags can be read by f2fs_update_inode() in the writeback path,
f2fs_getattr(), and f2fs_fileattr_get() without holding inode_lock or
fi->i_sem, while it can be concurrently written by
f2fs_setflags_common(), set_compress_context(), and
f2fs_disable_compressed_file() under inode_lock and/or fi->i_sem.

This is a data race as defined by the LKMM.  Use READ_ONCE() on the
read side and WRITE_ONCE() on the write side to ensure proper marking
of the concurrent accesses.

Fixes: 360985573b55 ("f2fs: separate f2fs i_flags from fs_flags and ext4 i_flags")
Cc: stable@vger.kernel.org
Signed-off-by: Cen Zhang <zzzccc427@gmail.com>
---
 fs/f2fs/f2fs.h  | 4 ++--
 fs/f2fs/file.c  | 6 +++---
 fs/f2fs/inode.c | 2 +-
 3 files changed, 6 insertions(+), 6 deletions(-)

diff --git a/fs/f2fs/f2fs.h b/fs/f2fs/f2fs.h
index c66472e409a3..28161df79e4f 100644
--- a/fs/f2fs/f2fs.h
+++ b/fs/f2fs/f2fs.h
@@ -4764,7 +4764,7 @@ static inline int set_compress_context(struct inode *inode)
 		fi->i_compress_algorithm == COMPRESS_ZSTD) &&
 			F2FS_OPTION(sbi).compress_level)
 		fi->i_compress_level = F2FS_OPTION(sbi).compress_level;
-	fi->i_flags |= F2FS_COMPR_FL;
+	WRITE_ONCE(fi->i_flags, READ_ONCE(fi->i_flags) | F2FS_COMPR_FL);
 	set_inode_flag(inode, FI_COMPRESSED_FILE);
 	stat_inc_compr_inode(inode);
 	inc_compr_inode_stat(inode);
@@ -4791,7 +4791,7 @@ static inline bool f2fs_disable_compressed_file(struct inode *inode)
 		return false;
 	}
 
-	fi->i_flags &= ~F2FS_COMPR_FL;
+	WRITE_ONCE(fi->i_flags, READ_ONCE(fi->i_flags) & ~F2FS_COMPR_FL);
 	stat_dec_compr_inode(inode);
 	clear_inode_flag(inode, FI_COMPRESSED_FILE);
 	f2fs_mark_inode_dirty_sync(inode, true);
diff --git a/fs/f2fs/file.c b/fs/f2fs/file.c
index c8a2f17a8f11..abff927a8699 100644
--- a/fs/f2fs/file.c
+++ b/fs/f2fs/file.c
@@ -1005,7 +1005,7 @@ int f2fs_getattr(struct mnt_idmap *idmap, const struct path *path,
 		}
 	}
 
-	flags = fi->i_flags;
+	flags = READ_ONCE(fi->i_flags);
 	if (flags & F2FS_COMPR_FL)
 		stat->attributes |= STATX_ATTR_COMPRESSED;
 	if (flags & F2FS_APPEND_FL)
@@ -2153,7 +2153,7 @@ static int f2fs_setflags_common(struct inode *inode, u32 iflags, u32 mask)
 		}
 	}
 
-	fi->i_flags = iflags | (fi->i_flags & ~mask);
+	WRITE_ONCE(fi->i_flags, iflags | (READ_ONCE(fi->i_flags) & ~mask));
 	f2fs_bug_on(F2FS_I_SB(inode), (fi->i_flags & F2FS_COMPR_FL) &&
 					(fi->i_flags & F2FS_NOCOMP_FL));
 
@@ -3437,7 +3437,7 @@ int f2fs_fileattr_get(struct dentry *dentry, struct file_kattr *fa)
 {
 	struct inode *inode = d_inode(dentry);
 	struct f2fs_inode_info *fi = F2FS_I(inode);
-	u32 fsflags = f2fs_iflags_to_fsflags(fi->i_flags);
+	u32 fsflags = f2fs_iflags_to_fsflags(READ_ONCE(fi->i_flags));
 
 	if (IS_ENCRYPTED(inode))
 		fsflags |= FS_ENCRYPT_FL;
diff --git a/fs/f2fs/inode.c b/fs/f2fs/inode.c
index 078874db918c..17c8aff690fb 100644
--- a/fs/f2fs/inode.c
+++ b/fs/f2fs/inode.c
@@ -720,7 +720,7 @@ void f2fs_update_inode(struct inode *inode, struct folio *node_folio)
 	else if (S_ISREG(inode->i_mode))
 		ri->i_gc_failures = cpu_to_le16(fi->i_gc_failures);
 	ri->i_xattr_nid = cpu_to_le32(fi->i_xattr_nid);
-	ri->i_flags = cpu_to_le32(fi->i_flags);
+	ri->i_flags = cpu_to_le32(READ_ONCE(fi->i_flags));
 	ri->i_pino = cpu_to_le32(fi->i_pino);
 	ri->i_generation = cpu_to_le32(inode->i_generation);
 	ri->i_dir_level = fi->i_dir_level;
-- 
2.34.1

Re: [f2fs-dev] [PATCH] f2fs: annotate data races around fi->i_flags

[Eric Biggers]

On Thu, Mar 19, 2026 at 10:23:35AM +0800, Cen Zhang wrote:
> fi->i_flags can be read by f2fs_update_inode() in the writeback path,
> f2fs_getattr(), and f2fs_fileattr_get() without holding inode_lock or
> fi->i_sem, while it can be concurrently written by
> f2fs_setflags_common(), set_compress_context(), and
> f2fs_disable_compressed_file() under inode_lock and/or fi->i_sem.
> 
> This is a data race as defined by the LKMM.  Use READ_ONCE() on the
> read side and WRITE_ONCE() on the write side to ensure proper marking
> of the concurrent accesses.
> 
> Fixes: 360985573b55 ("f2fs: separate f2fs i_flags from fs_flags and ext4 i_flags")
> Cc: stable@vger.kernel.org
> Signed-off-by: Cen Zhang <zzzccc427@gmail.com>

Is that really the correct Fixes commit?  I don't see what it has to do
with this issue.

- Eric

Re: [f2fs-dev] [PATCH] f2fs: annotate data races around fi->i_flags

[Cen Zhang]

Hi Eric,

> Is that really the correct Fixes commit?  I don't see what it has to do
> with this issue.

You're right, commit 360985573b55 only remapped the flag values and is
not related to the race.

The race is between the lockless read of fi->i_flags in
f2fs_update_inode() (from the writeback path) and the writes from the
ioctl paths.

The read side goes back to:

19f99cee206c ("f2fs: add core inode operations")

which added:

ri->i_flags = cpu_to_le32(F2FS_I(inode)->i_flags);

I'll fix the Fixes tag in v2. Please let me know if my understanding is
correct.

Thanks,
Cen