From: Cen Zhang
To: cem@kernel.org
Cc: linux-xfs@vger.kernel.org, linux-kernel@vger.kernel.org, baijiaju1990@gmail.com, Cen Zhang, stable@vger.kernel.org
Subject: [PATCH] xfs: annotate lockless bli_flags access in buf item paths
Date: Fri, 27 Mar 2026 21:14:48 +0800
Message-Id: <20260327131448.156177-1-zzzccc427@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

xfs_buf_item_unpin() and xfs_buf_item_committed() read bip->bli_flags
without holding the buffer lock, while xfs_buf_item_release() clears
XFS_BLI_LOGGED, XFS_BLI_HOLD, and XFS_BLI_ORDERED under that lock. This
can happen when an older checkpoint still holds a CIL reference to the
BLI while a new transaction is finishing with the buffer.

The lockless readers only test XFS_BLI_STALE and
XFS_BLI_INODE_ALLOC_BUF, which are disjoint from the bits being cleared,
so correctness is not affected in practice. However, the plain C
accesses still constitute a data race that may allow the compiler to
optimize them in unexpected ways (e.g., load tearing or fused reloads),
so they should be marked explicitly.

Annotate the two lockless reads with READ_ONCE(), make the clearing
store in xfs_buf_item_release() a WRITE_ONCE(), and use READ_ONCE() in
the buf-item tracepoint that may snapshot bli_flags without the lock.

Fixes: 8e1238508633 ("xfs: remove stale parameter from ->iop_unpin method")
Fixes: 71e330b59390 ("xfs: Introduce delayed logging core code")
Cc: stable@vger.kernel.org
Signed-off-by: Cen Zhang --- fs/xfs/xfs_buf_item.c | 18 +++++++++++------- fs/xfs/xfs_trace.h | 2 +- 2 files changed, 12 insertions(+), 8 deletions(-) diff --git a/fs/xfs/xfs_buf_item.c b/fs/xfs/xfs_buf_item.c index 8487635579e5..c3d0dc17ee10 100644 --- a/fs/xfs/xfs_buf_item.c +++ b/fs/xfs/xfs_buf_item.c @@ -502,7 +502,8 @@ xfs_buf_item_unpin( { struct xfs_buf_log_item *bip =3D BUF_ITEM(lip); struct xfs_buf *bp =3D bip->bli_buf; - int stale =3D bip->bli_flags & XFS_BLI_STALE; + unsigned int flags =3D READ_ONCE(bip->bli_flags); + int stale =3D flags & XFS_BLI_STALE; int freed; =20 ASSERT(bp->b_log_item =3D=3D bip); @@ -679,13 +680,14 @@ xfs_buf_item_release( { struct xfs_buf_log_item *bip =3D BUF_ITEM(lip); struct xfs_buf *bp =3D bip->bli_buf; - bool hold =3D bip->bli_flags & XFS_BLI_HOLD; - bool stale =3D bip->bli_flags & XFS_BLI_STALE; + unsigned int flags =3D bip->bli_flags; + bool hold =3D flags & XFS_BLI_HOLD; + bool stale =3D flags & XFS_BLI_STALE; bool aborted =3D test_bit(XFS_LI_ABORTED, &lip->li_flags); - bool dirty =3D bip->bli_flags & XFS_BLI_DIRTY; + bool dirty =3D flags & XFS_BLI_DIRTY; #if defined(DEBUG) || defined(XFS_WARN) - bool ordered =3D bip->bli_flags & XFS_BLI_ORDERED; + bool ordered =3D flags & XFS_BLI_ORDERED; #endif =20 trace_xfs_buf_item_release(bip); @@ -705,7 +707,8 @@ xfs_buf_item_release( * per-transaction state from the bli, which has been copied above. */ bp->b_transp =3D NULL; - bip->bli_flags &=3D ~(XFS_BLI_LOGGED | XFS_BLI_HOLD | XFS_BLI_ORDERED); + WRITE_ONCE(bip->bli_flags, + flags & ~(XFS_BLI_LOGGED | XFS_BLI_HOLD | XFS_BLI_ORDERED)); =20 /* If there are other references, then we have nothing to do. */ if (!atomic_dec_and_test(&bip->bli_refcount)) 
@@ -792,10 +795,11 @@ xfs_buf_item_committed( xfs_lsn_t lsn) { struct xfs_buf_log_item *bip =3D BUF_ITEM(lip); + unsigned int flags =3D READ_ONCE(bip->bli_flags); =20 trace_xfs_buf_item_committed(bip); =20 - if ((bip->bli_flags & XFS_BLI_INODE_ALLOC_BUF) && lip->li_lsn !=3D 0) + if ((flags & XFS_BLI_INODE_ALLOC_BUF) && lip->li_lsn !=3D 0) return lip->li_lsn; return lsn; } diff --git a/fs/xfs/xfs_trace.h b/fs/xfs/xfs_trace.h index 813e5a9f57eb..2069534bb0c1 100644 --- a/fs/xfs/xfs_trace.h +++ b/fs/xfs/xfs_trace.h @@ -895,7 +895,7 @@ DECLARE_EVENT_CLASS(xfs_buf_item_class, ), TP_fast_assign( __entry->dev =3D bip->bli_buf->b_target->bt_dev; - __entry->bli_flags =3D bip->bli_flags; + __entry->bli_flags =3D READ_ONCE(bip->bli_flags); __entry->bli_recur =3D bip->bli_recur; __entry->bli_refcount =3D atomic_read(&bip->bli_refcount); __entry->buf_bno =3D xfs_buf_daddr(bip->bli_buf); --=20 2.34.1
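
Review bot: In xfs_buf_item_unpin() the new READ_ONCE() carries no comment saying why this read is lockless or which writer it races with. The changelog explains it (xfs_buf_item_release() clears bits under the buffer lock while an older checkpoint still holds a CIL reference), but that reasoning should sit next to the access, as a short comment above `unsigned int flags = READ_ONCE(bip->bli_flags);`. The local is also consumed only once in the lines shown, so `int stale = READ_ONCE(bip->bli_flags) & XFS_BLI_STALE;` would avoid the extra variable unless later code in the function is meant to reuse the snapshot.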
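
Review bot: In xfs_buf_item_release() the clearing store is now computed from the `flags` snapshot taken at the top of the function rather than from the current value of bip->bli_flags, so any update to bli_flags between the snapshot and the WRITE_ONCE() would be silently overwritten. The code between the two hunks is not fully visible here, so please confirm nothing in that window modifies the flags, or reload at the point of the store: `WRITE_ONCE(bip->bli_flags, bip->bli_flags & ~(XFS_BLI_LOGGED | XFS_BLI_HOLD | XFS_BLI_ORDERED));`. WRITE_ONCE() also only marks the store; the read-modify-write is still not atomic and depends on the buffer lock to exclude other writers, which is worth stating in the existing comment above `bp->b_transp = NULL;`.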
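
Review bot: In xfs_buf_item_committed() the snapshot is taken before trace_xfs_buf_item_committed(bip), and the tracepoint now performs its own READ_ONCE(bip->bli_flags), so the traced flags and the value tested against XFS_BLI_INODE_ALLOC_BUF can differ if a concurrent release clears bits in between. That is harmless for the branch because the bits are disjoint, but a one-line comment would save confusion for anyone correlating traces with behaviour. Separately, `lip->li_lsn` is still read twice with plain loads in this same lockless path (`lip->li_lsn != 0` and `return lip->li_lsn;`); if that is safe for a different reason, the changelog should say so, otherwise it wants the same treatment.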
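
Review bot: In the xfs_buf_item_class TP_fast_assign in fs/xfs/xfs_trace.h, only bli_flags is annotated while the very next line, `__entry->bli_recur = bip->bli_recur;`, remains a plain load in the same tracepoint. If this tracepoint can run without the buffer lock, as the changelog states, bli_recur is read under the same conditions; either annotate it as well or explain in the changelog why it cannot change concurrently.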