In ext4_buffered_write_iter(), generic_write_sync() is being called at
the same time by two different CPUs. This causes a data-race for
inode->i_state. To prevent this, make generic_write_sync() a critical
section in ext4_buffered_write_iter(). Use mutex to allow preemption so
other CPU is not blocked while waiting.

Signed-off-by: Daniel Yang <danielyangkang@gmail.com>
Reported-by: syzbot+a388a53633c9a4e9b22e@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a388a53633c9a4e9b22e
---
 fs/ext4/file.c | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/fs/ext4/file.c b/fs/ext4/file.c
index f14aed14b..ce1251d3b 100644
--- a/fs/ext4/file.c
+++ b/fs/ext4/file.c
@@ -19,6 +19,7 @@
  *	(jj@sunsite.ms.mff.cuni.cz)
  */
 
+#include "linux/mutex.h"
 #include <linux/time.h>
 #include <linux/fs.h>
 #include <linux/iomap.h>
@@ -282,6 +283,9 @@ static ssize_t ext4_write_checks(struct kiocb *iocb, struct iov_iter *from)
 	return count;
 }
 
+/* lock for critical section of generic_write_sync */
+static DEFINE_MUTEX(write_sync_lock);
+
 static ssize_t ext4_buffered_write_iter(struct kiocb *iocb,
 					struct iov_iter *from)
 {
@@ -302,7 +306,13 @@ static ssize_t ext4_buffered_write_iter(struct kiocb *iocb,
 	inode_unlock(inode);
 	if (unlikely(ret <= 0))
 		return ret;
-	return generic_write_sync(iocb, ret);
+
+	/* prevent read-write data race */
+	mutex_lock(&write_sync_lock);
+	ret = generic_write_sync(iocb, ret);
+	mutex_unlock(&write_sync_lock);
+
+	return ret;
 }
 
 static ssize_t ext4_handle_inode_extension(struct inode *inode, loff_t offset,
-- 
2.39.2