syzbot

unknown

map[Benign:true Confident:true Explanation:The data race occurs between `shmem_fallocate()` and `shmem_writeout()`. The field being accessed is `shmem_falloc.next`, which is part of an on-stack structure in `shmem_fallocate()` that is temporarily pointed to by `inode->i_private`.

### Analysis:
1.  **Context**: `shmem_fallocate()` uses the `shmem_falloc` structure to track its progress during a preallocation operation. It updates `shmem_falloc.next` to the next index it is about to process. Meanwhile, `shmem_writeout()` (called during page reclaim) checks this structure to see if the folio it's trying to reclaim is currently being fallocated. If it is, it redirties the folio to avoid swapping out a folio that might need to be rolled back if `fallocate` fails.
2.  **Synchronization**: The code relies on the **folio lock** (page lock) for synchronization. 
    *   In `shmem_fallocate()`, the update to `shmem_falloc.next` happens while the current folio is locked (lines 3806-3816 in `mm/shmem.c`). 
    *   In `shmem_writeout()`, the folio being processed is also locked (held by the reclaimer in `shrink_folio_list()`).
3.  **Correctness**: Because both functions hold the lock for the folio at `index`, they cannot race on the specific transition of `next` that would change the result of the comparison `index < shmem_falloc->next`.
    *   If `shmem_writeout()` holds the lock for folio `N`, `shmem_fallocate()` has either not yet reached folio `N` (so `next <= N`) or has already finished it and moved on (so `next >= N+1`).
    *   The transition from `next=N` to `next=N+1` is protected by the lock on folio `N`. 
    *   Any concurrent updates to `next` for *other* folios (e.g., from `N+1` to `N+2`) do not change the fact that `N < next` is true, so the result of the check in `shmem_writeout()` remains consistent.
4.  **Developer Intent**: A comment in `mm/shmem.c` specifically states: 
    ```c
    /*
     * Inform shmem_writeout() how far we have reached.
     * No need for lock or barrier: we have the page lock.
     */
    ```
    This confirms the lack of explicit atomic markers or locks is intentional and based on the folio lock synchronization logic.

### Conclusion:
The data race is **benign**. It is a lockless optimization where the consistency of the logic is guaranteed by the page cache's existing folio-level locking. While KCSAN correctly identifies it as a data race because the fields aren't marked with `READ_ONCE`/`WRITE_ONCE`, it does not lead to any functional error, memory corruption, or incorrect kernel state.

The value change reported (`0x1cf` -> `0x1d0`) corresponds to the increment of the page index (`next`), which is expected behavior as `shmem_fallocate` progresses.]

unknown

map[KernelSrc:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/src/64852846520fd92dadcc50f615d7fcf6d7862819]

unknown

map[KernelObj:/usr/local/google/home/dvyukov/syzkaller/agent/workdir/cache/build/5222a2ad2a8a82561c0e601d566d172db145bd6e]

unknown

map[Index:codesearch-index]

unknown

map[Benign:true Confident:true]

You are an experienced Linux kernel developer tasked with determining if the given kernel
data race is benign or not. The data race report is from KCSAN tool.
It contains 2 stack traces of the memory accesses that constitute a data race.

A "benign" data races are on a simple int/bool variable or similar field,
and the accesses are not supposed to be protected by any mutual exclusion primitives.
Common examples of such "benign" data races are accesses to various flags fields,
statistics counters, and similar. A "benign" data race does not lead to memory corruption/crash
with a conservative compiler that compiles memory accesses to primitive types
effectively as atomic.

A non-benign (or "harmful" data race) can lead to corruption/crash even with
a conservative compiler that compiles memory accesses to primitive types
effectively as atomic. A common example of a "harmful" data races is race on
a complex container (list/hashmap/etc), where accesses are supposed to be protected
by a mutual exclusion primitive.

In the final reply explain why you think the given data race is benign or is harmful.

Use the provided tools to confirm any assumptions, variables/fields being accessed, etc.
In particular, don't make assumptions about the kernel source code,
use codesearch tools to read the actual source code.


Use set-results tool to provide results of the analysis.
It must be called exactly once before the final reply.
Ignore results of this tool.

The data race report is:

==================================================================
BUG: KCSAN: data-race in shmem_fallocate / shmem_writeout

write to 0xffffc9000c3c3cb0 of 8 bytes by task 8171 on cpu 0:
 shmem_fallocate+0x724/0x920 mm/shmem.c:3807
 vfs_fallocate+0x3b6/0x400 fs/open.c:339
 ioctl_preallocate fs/ioctl.c:289 [inline]
 file_ioctl+0x4e3/0x5c0 fs/ioctl.c:-1
 do_vfs_ioctl+0x7c9/0xe70 fs/ioctl.c:576
 __do_sys_ioctl fs/ioctl.c:595 [inline]
 __se_sys_ioctl+0x82/0x140 fs/ioctl.c:583
 __x64_sys_ioctl+0x43/0x50 fs/ioctl.c:583
 x64_sys_call+0x14b0/0x3000 arch/x86/include/generated/asm/syscalls_64.h:17
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc0/0x2a0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

read to 0xffffc9000c3c3cb0 of 8 bytes by task 8167 on cpu 1:
 shmem_writeout+0x2c1/0x920 mm/shmem.c:1626
 writeout mm/vmscan.c:649 [inline]
 pageout mm/vmscan.c:698 [inline]
 shrink_folio_list+0x1e75/0x2710 mm/vmscan.c:1418
 evict_folios+0x2a4e/0x35b0 mm/vmscan.c:4711
 try_to_shrink_lruvec+0x5f6/0x960 mm/vmscan.c:4874
 lru_gen_shrink_lruvec mm/vmscan.c:5023 [inline]
 shrink_lruvec+0x24e/0x1bc0 mm/vmscan.c:5784
 shrink_node_memcgs mm/vmscan.c:6020 [inline]
 shrink_node+0x68e/0x2000 mm/vmscan.c:6061
 shrink_zones mm/vmscan.c:6300 [inline]
 do_try_to_free_pages+0x404/0xcc0 mm/vmscan.c:6362
 try_to_free_mem_cgroup_pages+0x222/0x470 mm/vmscan.c:6690
 try_charge_memcg+0x37e/0xa10 mm/memcontrol.c:2388
 obj_cgroup_charge_pages+0xa6/0x150 mm/memcontrol.c:2823
 __memcg_kmem_charge_page+0x9e/0x170 mm/memcontrol.c:2867
 __alloc_frozen_pages_noprof+0x18a/0x350 mm/page_alloc.c:5257
 alloc_pages_mpol+0xb3/0x260 mm/mempolicy.c:2486
 alloc_frozen_pages_noprof mm/mempolicy.c:2557 [inline]
 alloc_pages_noprof+0x8f/0x130 mm/mempolicy.c:2577
 vm_area_alloc_pages mm/vmalloc.c:3718 [inline]
 __vmalloc_area_node mm/vmalloc.c:3863 [inline]
 __vmalloc_node_range_noprof+0xa46/0x12b0 mm/vmalloc.c:4051
 __kvmalloc_node_noprof+0x471/0x680 mm/slub.c:7164
 ip_set_alloc+0x24/0x30 net/netfilter/ipset/ip_set_core.c:261
 hash_netiface_create+0x282/0x740 net/netfilter/ipset/ip_set_hash_gen.h:1568
 ip_set_create+0x3cf/0x970 net/netfilter/ipset/ip_set_core.c:1109
 nfnetlink_rcv_msg+0x509/0x5d0 net/netfilter/nfnetlink.c:302
 netlink_rcv_skb+0x123/0x220 net/netlink/af_netlink.c:2550
 nfnetlink_rcv+0x167/0x1720 net/netfilter/nfnetlink.c:669
 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline]
 netlink_unicast+0x5c0/0x690 net/netlink/af_netlink.c:1344
 netlink_sendmsg+0x5c8/0x6f0 net/netlink/af_netlink.c:1894
 sock_sendmsg_nosec net/socket.c:727 [inline]
 __sock_sendmsg+0x145/0x170 net/socket.c:742
 ____sys_sendmsg+0x31e/0x4a0 net/socket.c:2592
 ___sys_sendmsg+0x195/0x1e0 net/socket.c:2646
 __sys_sendmsg net/socket.c:2678 [inline]
 __do_sys_sendmsg net/socket.c:2683 [inline]
 __se_sys_sendmsg net/socket.c:2681 [inline]
 __x64_sys_sendmsg+0xd4/0x160 net/socket.c:2681
 x64_sys_call+0x17ba/0x3000 arch/x86/include/generated/asm/syscalls_64.h:47
 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline]
 do_syscall_64+0xc0/0x2a0 arch/x86/entry/syscall_64.c:94
 entry_SYSCALL_64_after_hwframe+0x77/0x7f

value changed: 0x00000000000001cf -> 0x00000000000001d0

Reported by Kernel Concurrency Sanitizer on:
CPU: 1 UID: 0 PID: 8167 Comm: syz.4.11146 Tainted: G        W           syzkaller #0 PREEMPT(voluntary) 
Tainted: [W]=WARN
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025
==================================================================

The data race occurs between `shmem_fallocate()` and `shmem_writeout()`. The field being accessed is `shmem_falloc.next`, which is part of an on-stack structure in `shmem_fallocate()` that is temporarily pointed to by `inode->i_private`.

### Analysis:
1.  **Context**: `shmem_fallocate()` uses the `shmem_falloc` structure to track its progress during a preallocation operation. It updates `shmem_falloc.next` to the next index it is about to process. Meanwhile, `shmem_writeout()` (called during page reclaim) checks this structure to see if the folio it's trying to reclaim is currently being fallocated. If it is, it redirties the folio to avoid swapping out a folio that might need to be rolled back if `fallocate` fails.
2.  **Synchronization**: The code relies on the **folio lock** (page lock) for synchronization. 
    *   In `shmem_fallocate()`, the update to `shmem_falloc.next` happens while the current folio is locked (lines 3806-3816 in `mm/shmem.c`). 
    *   In `shmem_writeout()`, the folio being processed is also locked (held by the reclaimer in `shrink_folio_list()`).
3.  **Correctness**: Because both functions hold the lock for the folio at `index`, they cannot race on the specific transition of `next` that would change the result of the comparison `index < shmem_falloc->next`.
    *   If `shmem_writeout()` holds the lock for folio `N`, `shmem_fallocate()` has either not yet reached folio `N` (so `next <= N`) or has already finished it and moved on (so `next >= N+1`).
    *   The transition from `next=N` to `next=N+1` is protected by the lock on folio `N`. 
    *   Any concurrent updates to `next` for *other* folios (e.g., from `N+1` to `N+2`) do not change the fact that `N < next` is true, so the result of the check in `shmem_writeout()` remains consistent.
4.  **Developer Intent**: A comment in `mm/shmem.c` specifically states: 
    ```c
    /*
     * Inform shmem_writeout() how far we have reached.
     * No need for lock or barrier: we have the page lock.
     */
    ```
    This confirms the lack of explicit atomic markers or locks is intentional and based on the folio lock synchronization logic.

### Conclusion:
The data race is **benign**. It is a lockless optimization where the consistency of the logic is guaranteed by the page cache's existing folio-level locking. While KCSAN correctly identifies it as a data race because the fields aren't marked with `READ_ONCE`/`WRITE_ONCE`, it does not lead to any functional error, memory corruption, or incorrect kernel state.

The value change reported (`0x1cf` -> `0x1d0`) corresponds to the increment of the page index (`next`), which is expected behavior as `shmem_fallocate` progresses.

unknown

**Debugging a Memory Contention Issue**

Alright, this report has caught my attention. It looks like we've got a classic data race on our hands – specifically, between `shmem_fallocate` and `shmem_writeout`. The report flags a memory address, `0xffffc9000c3c3cb0`, where the value flipped from `0x1cf` to `0x1d0`.  That's a tell-tale sign of concurrent access.

Let's dive into the stack traces.  It looks like Task 8171, in `shmem_fallocate`, at `mm/shmem.c:3807`, is the one doing the writing, while Task 8167, running `shmem_writeout` at `mm/shmem.c:1626`, is the one reading.  This immediately tells me where to focus my attention. Now, it's time to dig into the code at those precise locations within `mm/shmem.c` and figure out what's going on. I need to understand the logic in those routines and identify the exact sequence of events that's leading to this race condition. I anticipate there might be missing synchronization that's causing this issue.

unknown

map[IncludeLines:true Name:shmem_fallocate SourceFile:mm/shmem.c]

map[Missing:false SourceCode:3672:	static long shmem_fallocate(struct file *file, int mode, loff_t offset,
3673:								 loff_t len)
3674:	{
3675:		struct inode *inode = file_inode(file);
3676:		struct shmem_sb_info *sbinfo = SHMEM_SB(inode->i_sb);
3677:		struct shmem_inode_info *info = SHMEM_I(inode);
3678:		struct shmem_falloc shmem_falloc;
3679:		pgoff_t start, index, end, undo_fallocend;
3680:		int error;
3681:	
3682:		if (mode & ~(FALLOC_FL_KEEP_SIZE | FALLOC_FL_PUNCH_HOLE))
3683:			return -EOPNOTSUPP;
3684:	
3685:		inode_lock(inode);
3686:	
3687:		if (info->flags & SHMEM_F_MAPPING_FROZEN) {
3688:			error = -EPERM;
3689:			goto out;
3690:		}
3691:	
3692:		if (mode & FALLOC_FL_PUNCH_HOLE) {
3693:			struct address_space *mapping = file->f_mapping;
3694:			loff_t unmap_start = round_up(offset, PAGE_SIZE);
3695:			loff_t unmap_end = round_down(offset + len, PAGE_SIZE) - 1;
3696:			DECLARE_WAIT_QUEUE_HEAD_ONSTACK(shmem_falloc_waitq);
3697:	
3698:			/* protected by i_rwsem */
3699:			if (info->seals & (F_SEAL_WRITE | F_SEAL_FUTURE_WRITE)) {
3700:				error = -EPERM;
3701:				goto out;
3702:			}
3703:	
3704:			shmem_falloc.waitq = &shmem_falloc_waitq;
3705:			shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;
3706:			shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
3707:			spin_lock(&inode->i_lock);
3708:			inode->i_private = &shmem_falloc;
3709:			spin_unlock(&inode->i_lock);
3710:	
3711:			if ((u64)unmap_end > (u64)unmap_start)
3712:				unmap_mapping_range(mapping, unmap_start,
3713:						    1 + unmap_end - unmap_start, 0);
3714:			shmem_truncate_range(inode, offset, offset + len - 1);
3715:			/* No need to unmap again: hole-punching leaves COWed pages */
3716:	
3717:			spin_lock(&inode->i_lock);
3718:			inode->i_private = NULL;
3719:			wake_up_all(&shmem_falloc_waitq);
3720:			WARN_ON_ONCE(!list_empty(&shmem_falloc_waitq.head));
3721:			spin_unlock(&inode->i_lock);
3722:			error = 0;
3723:			goto out;
3724:		}
3725:	
3726:		/* We need to check rlimit even when FALLOC_FL_KEEP_SIZE */
3727:		error = inode_newsize_ok(inode, offset + len);
3728:		if (error)
3729:			goto out;
3730:	
3731:		if ((info->seals & F_SEAL_GROW) && offset + len > inode->i_size) {
3732:			error = -EPERM;
3733:			goto out;
3734:		}
3735:	
3736:		start = offset >> PAGE_SHIFT;
3737:		end = (offset + len + PAGE_SIZE - 1) >> PAGE_SHIFT;
3738:		/* Try to avoid a swapstorm if len is impossible to satisfy */
3739:		if (sbinfo->max_blocks && end - start > sbinfo->max_blocks) {
3740:			error = -ENOSPC;
3741:			goto out;
3742:		}
3743:	
3744:		shmem_falloc.waitq = NULL;
3745:		shmem_falloc.start = start;
3746:		shmem_falloc.next  = start;
3747:		shmem_falloc.nr_falloced = 0;
3748:		shmem_falloc.nr_unswapped = 0;
3749:		spin_lock(&inode->i_lock);
3750:		inode->i_private = &shmem_falloc;
3751:		spin_unlock(&inode->i_lock);
3752:	
3753:		/*
3754:		 * info->fallocend is only relevant when huge pages might be
3755:		 * involved: to prevent split_huge_page() freeing fallocated
3756:		 * pages when FALLOC_FL_KEEP_SIZE committed beyond i_size.
3757:		 */
3758:		undo_fallocend = info->fallocend;
3759:		if (info->fallocend < end)
3760:			info->fallocend = end;
3761:	
3762:		for (index = start; index < end; ) {
3763:			struct folio *folio;
3764:	
3765:			/*
3766:			 * Check for fatal signal so that we abort early in OOM
3767:			 * situations. We don't want to abort in case of non-fatal
3768:			 * signals as large fallocate can take noticeable time and
3769:			 * e.g. periodic timers may result in fallocate constantly
3770:			 * restarting.
3771:			 */
3772:			if (fatal_signal_pending(current))
3773:				error = -EINTR;
3774:			else if (shmem_falloc.nr_unswapped > shmem_falloc.nr_falloced)
3775:				error = -ENOMEM;
3776:			else
3777:				error = shmem_get_folio(inode, index, offset + len,
3778:							&folio, SGP_FALLOC);
3779:			if (error) {
3780:				info->fallocend = undo_fallocend;
3781:				/* Remove the !uptodate folios we added */
3782:				if (index > start) {
3783:					shmem_undo_range(inode,
3784:					    (loff_t)start << PAGE_SHIFT,
3785:					    ((loff_t)index << PAGE_SHIFT) - 1, true);
3786:				}
3787:				goto undone;
3788:			}
3789:	
3790:			/*
3791:			 * Here is a more important optimization than it appears:
3792:			 * a second SGP_FALLOC on the same large folio will clear it,
3793:			 * making it uptodate and un-undoable if we fail later.
3794:			 */
3795:			index = folio_next_index(folio);
3796:			/* Beware 32-bit wraparound */
3797:			if (!index)
3798:				index--;
3799:	
3800:			/*
3801:			 * Inform shmem_writeout() how far we have reached.
3802:			 * No need for lock or barrier: we have the page lock.
3803:			 */
3804:			if (!folio_test_uptodate(folio))
3805:				shmem_falloc.nr_falloced += index - shmem_falloc.next;
3806:			shmem_falloc.next = index;
3807:	
3808:			/*
3809:			 * If !uptodate, leave it that way so that freeable folios
3810:			 * can be recognized if we need to rollback on error later.
3811:			 * But mark it dirty so that memory pressure will swap rather
3812:			 * than free the folios we are allocating (and SGP_CACHE folios
3813:			 * might still be clean: we now need to mark those dirty too).
3814:			 */
3815:			folio_mark_dirty(folio);
3816:			folio_unlock(folio);
3817:			folio_put(folio);
3818:			cond_resched();
3819:		}
3820:	
3821:		if (!(mode & FALLOC_FL_KEEP_SIZE) && offset + len > inode->i_size)
3822:			i_size_write(inode, offset + len);
3823:	undone:
3824:		spin_lock(&inode->i_lock);
3825:		inode->i_private = NULL;
3826:		spin_unlock(&inode->i_lock);
3827:	out:
3828:		if (!error)
3829:			file_modified(file);
3830:		inode_unlock(inode);
3831:		return error;
3832:	}
 SourceFile:mm/shmem.c]

unknown

**Dissecting a Potential Write in shmem_fallocate**

Okay, so the report points to `shmem_fallocate+0x724/0x920 mm/shmem.c:3807` as the location of the write. That's immediately suspect because line 3807 in the code snippet is just a blank line. That's a classic sign of the reported line number being slightly off due to optimization, but it should be very close. Let's re-examine that section of code:

```c
3804:		if (!folio_test_uptodate(folio))
3805:			shmem_falloc.nr_falloced += index - shmem_falloc.next;
3806:		shmem_falloc.next = index;
3807:	
3808:		/*
```

Alright, now it's clear. The stack trace is *probably* referring to either line 3805 or 3806; the change described was from `0x1cf` to `0x1d0`, which are likely indices (`pgoff_t`). The `shmem_falloc.next = index;` on line 3806 is the most obvious candidate for the direct write, given the index update. However, line 3805 also modifies `shmem_falloc.nr_falloced` which is also potentially interesting. Now, my next step is to examine the context of this write. Let's look at `shmem_writeout`...

unknown

map[IncludeLines:true Name:shmem_writeout SourceFile:mm/shmem.c]

map[Missing:false SourceCode:1553:	/**
1554:	 * shmem_writeout - Write the folio to swap
1555:	 * @folio: The folio to write
1556:	 * @plug: swap plug
1557:	 * @folio_list: list to put back folios on split
1558:	 *
1559:	 * Move the folio from the page cache to the swap cache.
1560:	 */
1561:	int shmem_writeout(struct folio *folio, struct swap_iocb **plug,
1562:			struct list_head *folio_list)
1563:	{
1564:		struct address_space *mapping = folio->mapping;
1565:		struct inode *inode = mapping->host;
1566:		struct shmem_inode_info *info = SHMEM_I(inode);
1567:		struct shmem_sb_info *sbinfo = SHMEM_SB(inode->i_sb);
1568:		pgoff_t index;
1569:		int nr_pages;
1570:		bool split = false;
1571:	
1572:		if ((info->flags & SHMEM_F_LOCKED) || sbinfo->noswap)
1573:			goto redirty;
1574:	
1575:		if (!total_swap_pages)
1576:			goto redirty;
1577:	
1578:		/*
1579:		 * If CONFIG_THP_SWAP is not enabled, the large folio should be
1580:		 * split when swapping.
1581:		 *
1582:		 * And shrinkage of pages beyond i_size does not split swap, so
1583:		 * swapout of a large folio crossing i_size needs to split too
1584:		 * (unless fallocate has been used to preallocate beyond EOF).
1585:		 */
1586:		if (folio_test_large(folio)) {
1587:			index = shmem_fallocend(inode,
1588:				DIV_ROUND_UP(i_size_read(inode), PAGE_SIZE));
1589:			if ((index > folio->index && index < folio_next_index(folio)) ||
1590:			    !IS_ENABLED(CONFIG_THP_SWAP))
1591:				split = true;
1592:		}
1593:	
1594:		if (split) {
1595:	try_split:
1596:			/* Ensure the subpages are still dirty */
1597:			folio_test_set_dirty(folio);
1598:			if (split_folio_to_list(folio, folio_list))
1599:				goto redirty;
1600:			folio_clear_dirty(folio);
1601:		}
1602:	
1603:		index = folio->index;
1604:		nr_pages = folio_nr_pages(folio);
1605:	
1606:		/*
1607:		 * This is somewhat ridiculous, but without plumbing a SWAP_MAP_FALLOC
1608:		 * value into swapfile.c, the only way we can correctly account for a
1609:		 * fallocated folio arriving here is now to initialize it and write it.
1610:		 *
1611:		 * That's okay for a folio already fallocated earlier, but if we have
1612:		 * not yet completed the fallocation, then (a) we want to keep track
1613:		 * of this folio in case we have to undo it, and (b) it may not be a
1614:		 * good idea to continue anyway, once we're pushing into swap.  So
1615:		 * reactivate the folio, and let shmem_fallocate() quit when too many.
1616:		 */
1617:		if (!folio_test_uptodate(folio)) {
1618:			if (inode->i_private) {
1619:				struct shmem_falloc *shmem_falloc;
1620:				spin_lock(&inode->i_lock);
1621:				shmem_falloc = inode->i_private;
1622:				if (shmem_falloc &&
1623:				    !shmem_falloc->waitq &&
1624:				    index >= shmem_falloc->start &&
1625:				    index < shmem_falloc->next)
1626:					shmem_falloc->nr_unswapped += nr_pages;
1627:				else
1628:					shmem_falloc = NULL;
1629:				spin_unlock(&inode->i_lock);
1630:				if (shmem_falloc)
1631:					goto redirty;
1632:			}
1633:			folio_zero_range(folio, 0, folio_size(folio));
1634:			flush_dcache_folio(folio);
1635:			folio_mark_uptodate(folio);
1636:		}
1637:	
1638:		if (!folio_alloc_swap(folio)) {
1639:			bool first_swapped = shmem_recalc_inode(inode, 0, nr_pages);
1640:			int error;
1641:	
1642:			/*
1643:			 * Add inode to shmem_unuse()'s list of swapped-out inodes,
1644:			 * if it's not already there.  Do it now before the folio is
1645:			 * removed from page cache, when its pagelock no longer
1646:			 * protects the inode from eviction.  And do it now, after
1647:			 * we've incremented swapped, because shmem_unuse() will
1648:			 * prune a !swapped inode from the swaplist.
1649:			 */
1650:			if (first_swapped) {
1651:				spin_lock(&shmem_swaplist_lock);
1652:				if (list_empty(&info->swaplist))
1653:					list_add(&info->swaplist, &shmem_swaplist);
1654:				spin_unlock(&shmem_swaplist_lock);
1655:			}
1656:	
1657:			swap_shmem_alloc(folio->swap, nr_pages);
1658:			shmem_delete_from_page_cache(folio, swp_to_radix_entry(folio->swap));
1659:	
1660:			BUG_ON(folio_mapped(folio));
1661:			error = swap_writeout(folio, plug);
1662:			if (error != AOP_WRITEPAGE_ACTIVATE) {
1663:				/* folio has been unlocked */
1664:				return error;
1665:			}
1666:	
1667:			/*
1668:			 * The intention here is to avoid holding on to the swap when
1669:			 * zswap was unable to compress and unable to writeback; but
1670:			 * it will be appropriate if other reactivate cases are added.
1671:			 */
1672:			error = shmem_add_to_page_cache(folio, mapping, index,
1673:					swp_to_radix_entry(folio->swap),
1674:					__GFP_HIGH | __GFP_NOMEMALLOC | __GFP_NOWARN);
1675:			/* Swap entry might be erased by racing shmem_free_swap() */
1676:			if (!error) {
1677:				shmem_recalc_inode(inode, 0, -nr_pages);
1678:				swap_free_nr(folio->swap, nr_pages);
1679:			}
1680:	
1681:			/*
1682:			 * The swap_cache_del_folio() below could be left for
1683:			 * shrink_folio_list()'s folio_free_swap() to dispose of;
1684:			 * but I'm a little nervous about letting this folio out of
1685:			 * shmem_writeout() in a hybrid half-tmpfs-half-swap state
1686:			 * e.g. folio_mapping(folio) might give an unexpected answer.
1687:			 */
1688:			swap_cache_del_folio(folio);
1689:			goto redirty;
1690:		}
1691:		if (nr_pages > 1)
1692:			goto try_split;
1693:	redirty:
1694:		folio_mark_dirty(folio);
1695:		return AOP_WRITEPAGE_ACTIVATE;	/* Return with folio locked */
1696:	}
 SourceFile:mm/shmem.c]

unknown

**KCSAN Data Race Analysis in shmem_fallocate/shmem_writeout**

Okay, so I'm diving into this KCSAN data race report, specifically focusing on the interaction between `shmem_fallocate` and `shmem_writeout` in the shared memory (shmem) subsystem. The report flags a potential race condition when accessing `shmem_falloc->next`. I've got to understand if this is a real issue and, if so, the implications.

First, I see the read of `shmem_falloc->next` in `shmem_writeout` (line 1625) is protected by `inode->i_lock`. This is good, at least for atomicity. The write to `shmem_falloc->next`, however, happens within `shmem_fallocate` (line 3806) and is NOT under the same lock. That's the core of the problem. Both functions are using the same struct, but the locking is different.

`shmem_fallocate` uses an on-stack `shmem_falloc` structure. `inode->i_private` points to this structure while `shmem_fallocate` is running. So, the key is understanding *how* these two functions interact. `shmem_writeout` is called during page reclaim and checks `inode->i_private`.

The comment in `shmem_fallocate` says that there is no need for a lock because "we have the page lock". My mental model here is that they are synchronizing using folio locks. In `shmem_fallocate`, the folio is locked with `shmem_get_folio`. In `shmem_writeout`, the folio lock also comes into play. If `shmem_writeout` is working on a folio at `index`, it has the lock and then the synchronization is via the folio lock. If they're working on the *same* folio at the *same* index, we have synchronization. The problem happens if they are working on *different* folios, at *different* indices.

`shmem_fallocate` updates `shmem_falloc.next` *after* it's done with a folio, before unlocking. It's setting `shmem_falloc->next` to the *next* index. Then `shmem_writeout` is trying to reclaim a folio, it's checking `index < shmem_falloc->next`. If `index < shmem_falloc->next` it means that `shmem_fallocate` has already unlocked that folio and moved onto the next. So there shouldn't be a race on the folio itself. BUT, there is definitely a race on `shmem_falloc->next`. That's where KCSAN is correct. `shmem_fallocate` is writing it without holding `i_lock`. `shmem_writeout` is reading under `i_lock`. Since they don't hold the same lock, there's a data race.

The question then becomes, is this race benign? If `shmem_writeout` reads a stale value of `next` (smaller), it might miss the condition `index < shmem_falloc->next`. The code path depends on this condition: `!folio_test_uptodate(folio)`. If that condition IS met, the folio gets zeroed and is marked uptodate. This is not what we want.

The comment says that this is okay for a previously fallocated folio. But not for ones we're in the middle of fallocating. The intent is to keep track of these and redirty the folio. `shmem_fallocate` leaves the folio NOT uptodate but dirty.

In the case where we don't increment `nr_unswapped` and don't redirty, we end up zeroing a folio that *shouldn't* be zeroed. It won't increment `nr_unswapped` in this case. This defeats the "undo" logic. If `shmem_fallocate` later fails, a folio that should have been "undone" will get skipped because it's marked uptodate. We would like for this not to happen.

So, yeah, there *is* a race here, and it looks like it can lead to incorrect behavior. We may miss re-dirtying pages that *should* be re-dirtied. I need to dig more into the implications of `shmem_undo_range` to see if that's where things break down.

unknown

map[IncludeLines:true Name:shmem_undo_range SourceFile:mm/shmem.c]

map[Missing:false SourceCode:1091:	/*
1092:	 * Remove range of pages and swap entries from page cache, and free them.
1093:	 * If !unfalloc, truncate or punch hole; if unfalloc, undo failed fallocate.
1094:	 */
1095:	static void shmem_undo_range(struct inode *inode, loff_t lstart, uoff_t lend,
1096:									 bool unfalloc)
1097:	{
1098:		struct address_space *mapping = inode->i_mapping;
1099:		struct shmem_inode_info *info = SHMEM_I(inode);
1100:		pgoff_t start = (lstart + PAGE_SIZE - 1) >> PAGE_SHIFT;
1101:		pgoff_t end = (lend + 1) >> PAGE_SHIFT;
1102:		struct folio_batch fbatch;
1103:		pgoff_t indices[PAGEVEC_SIZE];
1104:		struct folio *folio;
1105:		bool same_folio;
1106:		long nr_swaps_freed = 0;
1107:		pgoff_t index;
1108:		int i;
1109:	
1110:		if (lend == -1)
1111:			end = -1;	/* unsigned, so actually very big */
1112:	
1113:		if (info->fallocend > start && info->fallocend <= end && !unfalloc)
1114:			info->fallocend = start;
1115:	
1116:		folio_batch_init(&fbatch);
1117:		index = start;
1118:		while (index < end && find_lock_entries(mapping, &index, end - 1,
1119:				&fbatch, indices)) {
1120:			for (i = 0; i < folio_batch_count(&fbatch); i++) {
1121:				folio = fbatch.folios[i];
1122:	
1123:				if (xa_is_value(folio)) {
1124:					if (unfalloc)
1125:						continue;
1126:					nr_swaps_freed += shmem_free_swap(mapping,
1127:								indices[i], folio);
1128:					continue;
1129:				}
1130:	
1131:				if (!unfalloc || !folio_test_uptodate(folio))
1132:					truncate_inode_folio(mapping, folio);
1133:				folio_unlock(folio);
1134:			}
1135:			folio_batch_remove_exceptionals(&fbatch);
1136:			folio_batch_release(&fbatch);
1137:			cond_resched();
1138:		}
1139:	
1140:		/*
1141:		 * When undoing a failed fallocate, we want none of the partial folio
1142:		 * zeroing and splitting below, but shall want to truncate the whole
1143:		 * folio when !uptodate indicates that it was added by this fallocate,
1144:		 * even when [lstart, lend] covers only a part of the folio.
1145:		 */
1146:		if (unfalloc)
1147:			goto whole_folios;
1148:	
1149:		same_folio = (lstart >> PAGE_SHIFT) == (lend >> PAGE_SHIFT);
1150:		folio = shmem_get_partial_folio(inode, lstart >> PAGE_SHIFT);
1151:		if (folio) {
1152:			same_folio = lend < folio_next_pos(folio);
1153:			folio_mark_dirty(folio);
1154:			if (!truncate_inode_partial_folio(folio, lstart, lend)) {
1155:				start = folio_next_index(folio);
1156:				if (same_folio)
1157:					end = folio->index;
1158:			}
1159:			folio_unlock(folio);
1160:			folio_put(folio);
1161:			folio = NULL;
1162:		}
1163:	
1164:		if (!same_folio)
1165:			folio = shmem_get_partial_folio(inode, lend >> PAGE_SHIFT);
1166:		if (folio) {
1167:			folio_mark_dirty(folio);
1168:			if (!truncate_inode_partial_folio(folio, lstart, lend))
1169:				end = folio->index;
1170:			folio_unlock(folio);
1171:			folio_put(folio);
1172:		}
1173:	
1174:	whole_folios:
1175:	
1176:		index = start;
1177:		while (index < end) {
1178:			cond_resched();
1179:	
1180:			if (!find_get_entries(mapping, &index, end - 1, &fbatch,
1181:					indices)) {
1182:				/* If all gone or hole-punch or unfalloc, we're done */
1183:				if (index == start || end != -1)
1184:					break;
1185:				/* But if truncating, restart to make sure all gone */
1186:				index = start;
1187:				continue;
1188:			}
1189:			for (i = 0; i < folio_batch_count(&fbatch); i++) {
1190:				folio = fbatch.folios[i];
1191:	
1192:				if (xa_is_value(folio)) {
1193:					long swaps_freed;
1194:	
1195:					if (unfalloc)
1196:						continue;
1197:					swaps_freed = shmem_free_swap(mapping, indices[i], folio);
1198:					if (!swaps_freed) {
1199:						/* Swap was replaced by page: retry */
1200:						index = indices[i];
1201:						break;
1202:					}
1203:					nr_swaps_freed += swaps_freed;
1204:					continue;
1205:				}
1206:	
1207:				folio_lock(folio);
1208:	
1209:				if (!unfalloc || !folio_test_uptodate(folio)) {
1210:					if (folio_mapping(folio) != mapping) {
1211:						/* Page was replaced by swap: retry */
1212:						folio_unlock(folio);
1213:						index = indices[i];
1214:						break;
1215:					}
1216:					VM_BUG_ON_FOLIO(folio_test_writeback(folio),
1217:							folio);
1218:	
1219:					if (!folio_test_large(folio)) {
1220:						truncate_inode_folio(mapping, folio);
1221:					} else if (truncate_inode_partial_folio(folio, lstart, lend)) {
1222:						/*
1223:						 * If we split a page, reset the loop so
1224:						 * that we pick up the new sub pages.
1225:						 * Otherwise the THP was entirely
1226:						 * dropped or the target range was
1227:						 * zeroed, so just continue the loop as
1228:						 * is.
1229:						 */
1230:						if (!folio_test_large(folio)) {
1231:							folio_unlock(folio);
1232:							index = start;
1233:							break;
1234:						}
1235:					}
1236:				}
1237:				folio_unlock(folio);
1238:			}
1239:			folio_batch_remove_exceptionals(&fbatch);
1240:			folio_batch_release(&fbatch);
1241:		}
1242:	
1243:		shmem_recalc_inode(inode, 0, -nr_swaps_freed);
1244:	}
 SourceFile:mm/shmem.c]

unknown

**A Deep Dive into the `shmem_fallocate` and `shmem_writeout` Synchronization**

Okay, so I've been wrestling with this `shmem` code, specifically the interaction between `shmem_fallocate` and `shmem_writeout`. It all started with this potential data race identified by KCSAN on `shmem_falloc->next`. The core of the problem, as I see it, is how they coordinate their work on folios when `fallocate` is adding space to a shared memory file.

The initial thought was that if `unfalloc` is set to true in `shmem_undo_range`, which happens on errors, it only truncates if the folio isn't uptodate. This seemed odd because, if `shmem_writeout` races with an `shmem_fallocate` operation and marks a folio uptodate, then `shmem_undo_range` won't truncate it. The `fallocate` could leave a zeroed folio which isn't what we wanted, but might be okay. If a `fallocate` operation fails, the goal is to roll back and leave the file how it was, and a zeroed page is effectively allocated, but maybe not the way we intended.

This lead to a look at the fact that `shmem_writeout` can "finish" a folio by zeroing it if it's not marked `uptodate`. The critical part here is that `shmem_writeout` specifically *avoids* doing this when a folio is part of an ongoing `fallocate` because the page might need to be rolled back. If `shmem_writeout` does miss this check, and the folio ends up getting "finished" prematurely, the rollback is no longer possible for that specific folio. However, even if the folio stays in the cache, the user asked for this space by issuing the `fallocate` command.

The next concern was related to memory pressure. There's this `nr_unswapped` counter to detect swapping during fallocation. If `shmem_writeout` misses the check for `shmem_falloc`, it doesn't increment `nr_unswapped`, which means the swap detection might be delayed.

Now, the core issue seems to be the `next` value, which is updated after each folio, and is used to inform `shmem_writeout` how far `shmem_fallocate` has progressed. The comment suggests the page lock is enough. But that's where the race detected by KCSAN comes into play. I thought: `shmem_writeout` has the folio lock and looks at `shmem_falloc->next`, so where is the problem?

I worked through the timing, if `shmem_writeout` is holding the lock on folio N, then `shmem_fallocate` can't be at the same time between steps 1 and 3 on that folio. Either the `shmem_fallocate` has not reached the folio or it has already finished.

It's clear the comment is too simplistic. The page locks provide the necessary synchronization. The page lock on a folio prevents both `shmem_writeout` and `shmem_fallocate` from concurrently operating on *that* specific folio. However, `shmem_fallocate` might be working on folio `M` while `shmem_writeout` is working on folio `N`, where `N < M`.  That's where the data race exists. One CPU is reading `shmem_falloc->next` while another is writing it.

So, the data race is real, but is it harmful? Given the code logic, the race won't affect the correct outcome of the folio comparison.

Since `shmem_writeout` is called from `shrink_folio_list` which holds the folio lock, and `shmem_fallocate` holds the folio lock when working on the folio, the page lock and the specific updates to `next` seem to synchronize things. The read in `shmem_writeout` has acquire semantics, so we should always see the correct updated value of `next`.  The only thing to be mindful of is the atomic nature of the store on `next` to prevent data tearing. It's a `pgoff_t`, which should be atomic on x86_64 when aligned (which it should be, being on the stack).

So, in the end, although the KCSAN report is correct about the data race, it doesn't seem to be a practical problem due to the logic and the page locks. The race could cause `shmem_writeout` to read a stale value of `next`, but that doesn't affect the code flow.

unknown

map[IncludeLines:true Name:shmem_falloc SourceFile:mm/shmem.c]

map[Missing:true SourceCode: SourceFile:]

unknown

Here's the summary, assuming you are a seasoned kernel developer:

**Hunting Down That Definition**

Right, so I need to find the definition for this thing. Given the context, it's almost certainly related to shared memory, which means I should start by looking in the core shared memory code. My intuition is screaming `mm/shmem.c`. That's where all the fundamental shmem structures and functions typically reside. If it isn't in the main source file, the definition might well be in one of the internal header files included within that directory, or possibly declared in a header that is included by the primary `shmem.c` file. Time to crack open the editor and start tracing!

unknown

map[SourceFile:mm/shmem.c]

map[Entities:[map[Kind:function Name:SHMEM_SB] map[Kind:function Name:__shmem_file_setup] map[Kind:function Name:__shmem_get_inode] map[Kind:function Name:__shmem_zero_setup] map[Kind:function Name:limit_gfp_mask] map[Kind:function Name:shmem_acct_blocks] map[Kind:function Name:shmem_acct_size] map[Kind:function Name:shmem_add_to_page_cache] map[Kind:function Name:shmem_alloc_and_add_folio] map[Kind:function Name:shmem_alloc_folio] map[Kind:function Name:shmem_alloc_inode] map[Kind:function Name:shmem_charge] map[Kind:function Name:shmem_confirm_swap] map[Kind:function Name:shmem_create] map[Kind:function Name:shmem_default_max_blocks] map[Kind:function Name:shmem_default_max_inodes] map[Kind:function Name:shmem_delete_from_page_cache] map[Kind:function Name:shmem_destroy_inode] map[Kind:function Name:shmem_destroy_inodecache] map[Kind:function Name:shmem_encode_fh] map[Kind:function Name:shmem_error_remove_folio] map[Kind:function Name:shmem_evict_inode] map[Kind:function Name:shmem_falloc_wait] map[Kind:function Name:shmem_fallocate] map[Kind:function Name:shmem_fault] map[Kind:function Name:shmem_fh_to_dentry] map[Kind:function Name:shmem_file_llseek] map[Kind:function Name:shmem_file_open] map[Kind:function Name:shmem_file_read_iter] map[Kind:function Name:shmem_file_setup] map[Kind:function Name:shmem_file_setup] map[Kind:function Name:shmem_file_setup_with_mnt] map[Kind:function Name:shmem_file_setup_with_mnt] map[Kind:function Name:shmem_file_splice_read] map[Kind:function Name:shmem_file_write_iter] map[Kind:function Name:shmem_fileattr_get] map[Kind:function Name:shmem_fileattr_set] map[Kind:function Name:shmem_fill_super] map[Kind:function Name:shmem_find_alias] map[Kind:function Name:shmem_find_swap_entries] map[Kind:function Name:shmem_free_fc] map[Kind:function Name:shmem_free_in_core_inode] map[Kind:function Name:shmem_free_inode] map[Kind:function Name:shmem_free_swap] map[Kind:function Name:shmem_get_folio] map[Kind:function Name:shmem_get_folio] map[Kind:function Name:shmem_get_folio_gfp] map[Kind:function Name:shmem_get_inode] map[Kind:function Name:shmem_get_link] map[Kind:function Name:shmem_get_offset_ctx] map[Kind:function Name:shmem_get_parent] map[Kind:function Name:shmem_get_partial_folio] map[Kind:function Name:shmem_get_pgoff_policy] map[Kind:function Name:shmem_get_pgoff_policy] map[Kind:function Name:shmem_get_policy] map[Kind:function Name:shmem_get_sbmpol] map[Kind:function Name:shmem_get_tree] map[Kind:function Name:shmem_get_unmapped_area] map[Kind:function Name:shmem_getattr] map[Kind:function Name:shmem_huge_global_enabled] map[Kind:function Name:shmem_init] map[Kind:function Name:shmem_init_fs_context] map[Kind:function Name:shmem_init_inode] map[Kind:function Name:shmem_init_inodecache] map[Kind:function Name:shmem_initxattrs] map[Kind:function Name:shmem_initxattrs] map[Kind:function Name:shmem_inode_acct_blocks] map[Kind:function Name:shmem_inode_casefold_flags] map[Kind:function Name:shmem_inode_unacct_blocks] map[Kind:function Name:shmem_kernel_file_setup] map[Kind:function Name:shmem_kernel_file_setup] map[Kind:function Name:shmem_link] map[Kind:function Name:shmem_listxattr] map[Kind:function Name:shmem_lock] map[Kind:function Name:shmem_mapping] map[Kind:function Name:shmem_mapping] map[Kind:function Name:shmem_match] map[Kind:function Name:shmem_mkdir] map[Kind:function Name:shmem_mknod] map[Kind:function Name:shmem_mmap_prepare] map[Kind:function Name:shmem_next_opt] map[Kind:function Name:shmem_parse_monolithic] map[Kind:function Name:shmem_parse_one] map[Kind:function Name:shmem_parse_opt_casefold] map[Kind:function Name:shmem_partial_swap_usage] map[Kind:function Name:shmem_put_link] map[Kind:function Name:shmem_put_super] map[Kind:function Name:shmem_reacct_size] map[Kind:function Name:shmem_read_folio_gfp] map[Kind:function Name:shmem_read_folio_gfp] map[Kind:function Name:shmem_read_mapping_page_gfp] map[Kind:function Name:shmem_read_mapping_page_gfp] map[Kind:function Name:shmem_recalc_inode] map[Kind:function Name:shmem_reconfigure] map[Kind:function Name:shmem_rename2] map[Kind:function Name:shmem_replace_entry] map[Kind:function Name:shmem_replace_folio] map[Kind:function Name:shmem_reserve_inode] map[Kind:function Name:shmem_rmdir] map[Kind:function Name:shmem_set_folio_swapin_error] map[Kind:function Name:shmem_set_inode_flags] map[Kind:function Name:shmem_set_policy] map[Kind:function Name:shmem_setattr] map[Kind:function Name:shmem_should_replace_folio] map[Kind:function Name:shmem_show_mpol] map[Kind:function Name:shmem_show_options] map[Kind:function Name:shmem_split_large_entry] map[Kind:function Name:shmem_statfs] map[Kind:function Name:shmem_suitable_orders] map[Kind:function Name:shmem_swap_alloc_folio] map[Kind:function Name:shmem_swap_usage] map[Kind:function Name:shmem_swapin_cluster] map[Kind:function Name:shmem_swapin_folio] map[Kind:function Name:shmem_swapin_folio] map[Kind:function Name:shmem_symlink] map[Kind:function Name:shmem_tmpfile] map[Kind:function Name:shmem_truncate_range] map[Kind:function Name:shmem_truncate_range] map[Kind:function Name:shmem_unacct_blocks] map[Kind:function Name:shmem_unacct_size] map[Kind:function Name:shmem_uncharge] map[Kind:function Name:shmem_undo_range] map[Kind:function Name:shmem_unlink] map[Kind:function Name:shmem_unlock_mapping] map[Kind:function Name:shmem_unuse] map[Kind:function Name:shmem_unuse_inode] map[Kind:function Name:shmem_unuse_swap_entries] map[Kind:function Name:shmem_unused_huge_shrink] map[Kind:function Name:shmem_update_stats] map[Kind:function Name:shmem_whiteout] map[Kind:function Name:shmem_write_begin] map[Kind:function Name:shmem_write_end] map[Kind:function Name:shmem_writeout] map[Kind:function Name:shmem_writeout] map[Kind:function Name:shmem_xattr_handler_get] map[Kind:function Name:shmem_xattr_handler_set] map[Kind:function Name:shmem_zero_setup] map[Kind:function Name:shmem_zero_setup_desc] map[Kind:function Name:splice_zeropage_into_pipe] map[Kind:function Name:synchronous_wake_function] map[Kind:function Name:tmpfs_sysfs_init] map[Kind:function Name:vma_is_anon_shmem] map[Kind:function Name:vma_is_shmem] map[Kind:function Name:zero_pipe_buf_get] map[Kind:function Name:zero_pipe_buf_release] map[Kind:function Name:zero_pipe_buf_try_steal]] Missing:false]

unknown

Okay, let's see... I'm looking at `mm/shmem.c`, and I'm scanning through the declared functions and structs, trying to find `shmem_falloc`. Hmm, that's odd, it doesn't seem to be explicitly listed. I know that function's related to shared memory allocation though, so it should be around here. Ah, right! It clicks. *shmem_falloc* isn't a standalone function itself; it's a *struct* that's used within `shmem_fallocate`. Okay, that explains its absence from the main function list. That's a classic case of overlooking something because I was expecting it to be one thing, but it's used differently within the code. Now, where is that struct definition? Let me locate that so I'm clear on how it's defined and utilized...

unknown

map[IncludeLines:true Name:shmem_falloc SourceFile:mm/shmem.c]

map[Missing:true SourceCode: SourceFile:]

unknown

**Tracing Down a Kernel Structure**

Okay, so I'm trying to figure out where this structure, `shmem_falloc`, is defined. My first instinct, given it's related to shared memory, is to check the typical header file, `include/linux/shmem_fs.h`. But, hang on... usually internal, implementation-specific structures like this are tucked away in the associated source file, right? So, `mm/shmem.c` is probably a better bet.

Hmm, let me try a quick search. Perhaps `codesearch-definition-source` could help, but first, I've got to find the actual *definition*. Wait a minute! I vaguely recall seeing it when I was just browsing the code around `shmem_fallocate`. Ah, yes! Here it is:

```c
3678:		struct shmem_falloc shmem_falloc;
```

Right, it's defined within the context of `mm/shmem.c`. Now, let's go back and see if the definition provides any further context.

unknown

map[IncludeLines:true Name:shmem_sb_info SourceFile:mm/shmem.c]

map[Missing:true SourceCode: SourceFile:]

unknown

Okay, here's my summary, taking the perspective of someone deeply familiar with kernel internals and memory management:

**Initial Dive into `mm/shmem.c`**

Alright, let's get down to brass tacks. I'm going to start by taking a look at `mm/shmem.c`. I need a quick refresher on shared memory implementation, particularly the details of how it's handled at the code level. No need to get bogged down in the whole file, just the beginning is what I'm aiming for. I have a general idea of the overall architecture, but there might be some specific nuances I need to quickly recall. Let's see what stands out immediately.

unknown

map[SourceFile:mm/shmem.c]

map[Entities:[map[Kind:function Name:SHMEM_SB] map[Kind:function Name:__shmem_file_setup] map[Kind:function Name:__shmem_get_inode] map[Kind:function Name:__shmem_zero_setup] map[Kind:function Name:limit_gfp_mask] map[Kind:function Name:shmem_acct_blocks] map[Kind:function Name:shmem_acct_size] map[Kind:function Name:shmem_add_to_page_cache] map[Kind:function Name:shmem_alloc_and_add_folio] map[Kind:function Name:shmem_alloc_folio] map[Kind:function Name:shmem_alloc_inode] map[Kind:function Name:shmem_charge] map[Kind:function Name:shmem_confirm_swap] map[Kind:function Name:shmem_create] map[Kind:function Name:shmem_default_max_blocks] map[Kind:function Name:shmem_default_max_inodes] map[Kind:function Name:shmem_delete_from_page_cache] map[Kind:function Name:shmem_destroy_inode] map[Kind:function Name:shmem_destroy_inodecache] map[Kind:function Name:shmem_encode_fh] map[Kind:function Name:shmem_error_remove_folio] map[Kind:function Name:shmem_evict_inode] map[Kind:function Name:shmem_falloc_wait] map[Kind:function Name:shmem_fallocate] map[Kind:function Name:shmem_fault] map[Kind:function Name:shmem_fh_to_dentry] map[Kind:function Name:shmem_file_llseek] map[Kind:function Name:shmem_file_open] map[Kind:function Name:shmem_file_read_iter] map[Kind:function Name:shmem_file_setup] map[Kind:function Name:shmem_file_setup] map[Kind:function Name:shmem_file_setup_with_mnt] map[Kind:function Name:shmem_file_setup_with_mnt] map[Kind:function Name:shmem_file_splice_read] map[Kind:function Name:shmem_file_write_iter] map[Kind:function Name:shmem_fileattr_get] map[Kind:function Name:shmem_fileattr_set] map[Kind:function Name:shmem_fill_super] map[Kind:function Name:shmem_find_alias] map[Kind:function Name:shmem_find_swap_entries] map[Kind:function Name:shmem_free_fc] map[Kind:function Name:shmem_free_in_core_inode] map[Kind:function Name:shmem_free_inode] map[Kind:function Name:shmem_free_swap] map[Kind:function Name:shmem_get_folio] map[Kind:function Name:shmem_get_folio] map[Kind:function Name:shmem_get_folio_gfp] map[Kind:function Name:shmem_get_inode] map[Kind:function Name:shmem_get_link] map[Kind:function Name:shmem_get_offset_ctx] map[Kind:function Name:shmem_get_parent] map[Kind:function Name:shmem_get_partial_folio] map[Kind:function Name:shmem_get_pgoff_policy] map[Kind:function Name:shmem_get_pgoff_policy] map[Kind:function Name:shmem_get_policy] map[Kind:function Name:shmem_get_sbmpol] map[Kind:function Name:shmem_get_tree] map[Kind:function Name:shmem_get_unmapped_area] map[Kind:function Name:shmem_getattr] map[Kind:function Name:shmem_huge_global_enabled] map[Kind:function Name:shmem_init] map[Kind:function Name:shmem_init_fs_context] map[Kind:function Name:shmem_init_inode] map[Kind:function Name:shmem_init_inodecache] map[Kind:function Name:shmem_initxattrs] map[Kind:function Name:shmem_initxattrs] map[Kind:function Name:shmem_inode_acct_blocks] map[Kind:function Name:shmem_inode_casefold_flags] map[Kind:function Name:shmem_inode_unacct_blocks] map[Kind:function Name:shmem_kernel_file_setup] map[Kind:function Name:shmem_kernel_file_setup] map[Kind:function Name:shmem_link] map[Kind:function Name:shmem_listxattr] map[Kind:function Name:shmem_lock] map[Kind:function Name:shmem_mapping] map[Kind:function Name:shmem_mapping] map[Kind:function Name:shmem_match] map[Kind:function Name:shmem_mkdir] map[Kind:function Name:shmem_mknod] map[Kind:function Name:shmem_mmap_prepare] map[Kind:function Name:shmem_next_opt] map[Kind:function Name:shmem_parse_monolithic] map[Kind:function Name:shmem_parse_one] map[Kind:function Name:shmem_parse_opt_casefold] map[Kind:function Name:shmem_partial_swap_usage] map[Kind:function Name:shmem_put_link] map[Kind:function Name:shmem_put_super] map[Kind:function Name:shmem_reacct_size] map[Kind:function Name:shmem_read_folio_gfp] map[Kind:function Name:shmem_read_folio_gfp] map[Kind:function Name:shmem_read_mapping_page_gfp] map[Kind:function Name:shmem_read_mapping_page_gfp] map[Kind:function Name:shmem_recalc_inode] map[Kind:function Name:shmem_reconfigure] map[Kind:function Name:shmem_rename2] map[Kind:function Name:shmem_replace_entry] map[Kind:function Name:shmem_replace_folio] map[Kind:function Name:shmem_reserve_inode] map[Kind:function Name:shmem_rmdir] map[Kind:function Name:shmem_set_folio_swapin_error] map[Kind:function Name:shmem_set_inode_flags] map[Kind:function Name:shmem_set_policy] map[Kind:function Name:shmem_setattr] map[Kind:function Name:shmem_should_replace_folio] map[Kind:function Name:shmem_show_mpol] map[Kind:function Name:shmem_show_options] map[Kind:function Name:shmem_split_large_entry] map[Kind:function Name:shmem_statfs] map[Kind:function Name:shmem_suitable_orders] map[Kind:function Name:shmem_swap_alloc_folio] map[Kind:function Name:shmem_swap_usage] map[Kind:function Name:shmem_swapin_cluster] map[Kind:function Name:shmem_swapin_folio] map[Kind:function Name:shmem_swapin_folio] map[Kind:function Name:shmem_symlink] map[Kind:function Name:shmem_tmpfile] map[Kind:function Name:shmem_truncate_range] map[Kind:function Name:shmem_truncate_range] map[Kind:function Name:shmem_unacct_blocks] map[Kind:function Name:shmem_unacct_size] map[Kind:function Name:shmem_uncharge] map[Kind:function Name:shmem_undo_range] map[Kind:function Name:shmem_unlink] map[Kind:function Name:shmem_unlock_mapping] map[Kind:function Name:shmem_unuse] map[Kind:function Name:shmem_unuse_inode] map[Kind:function Name:shmem_unuse_swap_entries] map[Kind:function Name:shmem_unused_huge_shrink] map[Kind:function Name:shmem_update_stats] map[Kind:function Name:shmem_whiteout] map[Kind:function Name:shmem_write_begin] map[Kind:function Name:shmem_write_end] map[Kind:function Name:shmem_writeout] map[Kind:function Name:shmem_writeout] map[Kind:function Name:shmem_xattr_handler_get] map[Kind:function Name:shmem_xattr_handler_set] map[Kind:function Name:shmem_zero_setup] map[Kind:function Name:shmem_zero_setup_desc] map[Kind:function Name:splice_zeropage_into_pipe] map[Kind:function Name:synchronous_wake_function] map[Kind:function Name:tmpfs_sysfs_init] map[Kind:function Name:vma_is_anon_shmem] map[Kind:function Name:vma_is_shmem] map[Kind:function Name:zero_pipe_buf_get] map[Kind:function Name:zero_pipe_buf_release] map[Kind:function Name:zero_pipe_buf_try_steal]] Missing:false]

unknown

Here's the summary, tailored to an expert like you:

**Investigating `codesearch-file-index`'s Limitations**

Right, it looks like `codesearch-file-index` is falling down on the job. It's not listing structs in its index. A bit annoying, but not the end of the world. Time to go around the problem. I'll just skip the index entirely and head straight for the source. Specifically, I need to hunt down the definition of `struct shmem_falloc`. That should be straightforward enough with a targeted search.

unknown

map[IncludeLines:true Name:shmem_falloc SourceFile:mm/shmem.c]

map[Missing:true SourceCode: SourceFile:]

unknown

Here's my thought process, as if I were the one thinking it:

**Finding the `shmem_falloc` Structure**

Okay, I'm momentarily blanking. Wait a second... I can't believe I almost forgot the simplest approach! I can just search the entire file for the string "struct shmem_falloc {".  That's basic string searching. The problem is, I don't have a specific tool open for that right now.

Right, let me see if I can use `codesearch-definition-source` with a valid name. That's a good fallback.

Hold on, I see the structure usage now! It's in the `shmem_fallocate` function. That jogs my memory. Now I remember where to look, it should be around line 80 of `mm/shmem.c`. Let me just jump there and take a look.

unknown

map[IncludeLines:true Name:SHMEM_I SourceFile:mm/shmem.c]

map[Missing:false SourceCode:  93:	static inline struct shmem_inode_info *SHMEM_I(struct inode *inode)
  94:	{
  95:		return container_of(inode, struct shmem_inode_info, vfs_inode);
  96:	}
 SourceFile:include/linux/shmem_fs.h]

unknown

Okay, here we go... let's see, where was that definition again? Right, right, it's poking at something related to shared memory, so it'll be under the shared memory filesystem header. Specifically, I'm pretty sure I saw it in `include/linux/shmem_fs.h`. Alright, let's open that file and get to it.

unknown

map[IncludeLines:true Name:shmem_inode_info SourceFile:include/linux/shmem_fs.h]

map[Missing:true SourceCode: SourceFile:]

unknown

Okay, here's my take on those thoughts, as if I were the one having them:

**Navigating the `shmem` Code**

Alright, let me think this through. I was just looking at `SHMEM_I` and I remember that being defined in `include/linux/shmem_fs.h`. That's where all the fundamental `shmem` structures and macros are defined, right? So, logically, `shmem_inode_info` -- that key structure related to shared memory inodes -- should also be defined within that header file or at least in a closely related file within the same directory. I'll check there first. That's the most efficient way to start, anyway.

unknown

map[SourceFile:include/linux/shmem_fs.h]

map[Entities:[map[Kind:function Name:SHMEM_I] map[Kind:function Name:shmem_allowable_huge_orders] map[Kind:function Name:shmem_charge] map[Kind:function Name:shmem_fallocend] map[Kind:function Name:shmem_file] map[Kind:function Name:shmem_file_setup] map[Kind:function Name:shmem_file_setup_with_mnt] map[Kind:function Name:shmem_freeze] map[Kind:function Name:shmem_get_folio] map[Kind:function Name:shmem_get_unmapped_area] map[Kind:function Name:shmem_hpage_pmd_enabled] map[Kind:function Name:shmem_init] map[Kind:function Name:shmem_init_fs_context] map[Kind:function Name:shmem_kernel_file_setup] map[Kind:function Name:shmem_lock] map[Kind:function Name:shmem_mapping] map[Kind:function Name:shmem_partial_swap_usage] map[Kind:function Name:shmem_read_folio] map[Kind:function Name:shmem_read_folio_gfp] map[Kind:function Name:shmem_read_mapping_page] map[Kind:function Name:shmem_read_mapping_page_gfp] map[Kind:function Name:shmem_swap_usage] map[Kind:function Name:shmem_truncate_range] map[Kind:function Name:shmem_uncharge] map[Kind:function Name:shmem_unlock_mapping] map[Kind:function Name:shmem_unuse] map[Kind:function Name:shmem_writeout] map[Kind:function Name:shmem_zero_setup] map[Kind:function Name:shmem_zero_setup_desc]] Missing:false]

unknown

Here's my attempt at summarizing the thought process, as if I were the one thinking it:

**Digging into Shmem, Again**

Right, still no luck with those structs I was hoping to find. Time to revisit `mm/shmem.c`. I'm going to start by just doing a quick scan of the beginning of the file, maybe the first few hundred lines or so. Hopefully, I can jog my memory and see if something jumps out at me this time. Let's see if something different clicks today.

unknown

map[IncludeLines:true Name:shmem_falloc_wait SourceFile:mm/shmem.c]

map[Missing:false SourceCode:2679:	/*
2680:	 * Trinity finds that probing a hole which tmpfs is punching can
2681:	 * prevent the hole-punch from ever completing: which in turn
2682:	 * locks writers out with its hold on i_rwsem.  So refrain from
2683:	 * faulting pages into the hole while it's being punched.  Although
2684:	 * shmem_undo_range() does remove the additions, it may be unable to
2685:	 * keep up, as each new page needs its own unmap_mapping_range() call,
2686:	 * and the i_mmap tree grows ever slower to scan if new vmas are added.
2687:	 *
2688:	 * It does not matter if we sometimes reach this check just before the
2689:	 * hole-punch begins, so that one fault then races with the punch:
2690:	 * we just need to make racing faults a rare case.
2691:	 *
2692:	 * The implementation below would be much simpler if we just used a
2693:	 * standard mutex or completion: but we cannot take i_rwsem in fault,
2694:	 * and bloating every shmem inode for this unlikely case would be sad.
2695:	 */
2696:	static vm_fault_t shmem_falloc_wait(struct vm_fault *vmf, struct inode *inode)
2697:	{
2698:		struct shmem_falloc *shmem_falloc;
2699:		struct file *fpin = NULL;
2700:		vm_fault_t ret = 0;
2701:	
2702:		spin_lock(&inode->i_lock);
2703:		shmem_falloc = inode->i_private;
2704:		if (shmem_falloc &&
2705:		    shmem_falloc->waitq &&
2706:		    vmf->pgoff >= shmem_falloc->start &&
2707:		    vmf->pgoff < shmem_falloc->next) {
2708:			wait_queue_head_t *shmem_falloc_waitq;
2709:			DEFINE_WAIT_FUNC(shmem_fault_wait, synchronous_wake_function);
2710:	
2711:			ret = VM_FAULT_NOPAGE;
2712:			fpin = maybe_unlock_mmap_for_io(vmf, NULL);
2713:			shmem_falloc_waitq = shmem_falloc->waitq;
2714:			prepare_to_wait(shmem_falloc_waitq, &shmem_fault_wait,
2715:					TASK_UNINTERRUPTIBLE);
2716:			spin_unlock(&inode->i_lock);
2717:			schedule();
2718:	
2719:			/*
2720:			 * shmem_falloc_waitq points into the shmem_fallocate()
2721:			 * stack of the hole-punching task: shmem_falloc_waitq
2722:			 * is usually invalid by the time we reach here, but
2723:			 * finish_wait() does not dereference it in that case;
2724:			 * though i_lock needed lest racing with wake_up_all().
2725:			 */
2726:			spin_lock(&inode->i_lock);
2727:			finish_wait(shmem_falloc_waitq, &shmem_fault_wait);
2728:		}
2729:		spin_unlock(&inode->i_lock);
2730:		if (fpin) {
2731:			fput(fpin);
2732:			ret = VM_FAULT_RETRY;
2733:		}
2734:		return ret;
2735:	}
 SourceFile:mm/shmem.c]

unknown

Okay, here's the summary of my thought process:

**Pinpointing the Struct's Location**

Alright, I've tracked down some prior mentions of this thing, which is a good start. My understanding of the Linux kernel's memory management has me reasonably confident that it *has* to be defined within `mm/shmem.c`. Let me dive back into that file and see if I can find it directly. Time to hone in on the precise definition.

unknown

map[IncludeLines:true Name:shmem_inode_info SourceFile:mm/shmem.c]

map[Missing:true SourceCode: SourceFile:]

unknown

Here's a summary of my thought process:

**Investigating the `shmem_inode_info` Structure**

Okay, so I'm looking at something related to shared memory inodes. The name `shmem_inode_info` immediately rings a bell as a `struct`. Given my experience, I think my next move is clear. I need to get a clear understanding of that `shmem_inode_info` struct and its definition. To do that, I'll leverage a tool that I've found incredibly useful in the past for this sort of deep dive: `codesearch-definition-source`. I'll run it specifically on `shmem_inode_info`, targeting the `include/linux/shmem_fs.h` header file. This should give me the precise definition and declaration, allowing me to start tracing its usage and dependencies within the kernel's shared memory implementation. This should provide the foundational context I need to proceed.

unknown

map[IncludeLines:true Name:shmem_inode_info SourceFile:include/linux/shmem_fs.h]

map[Missing:true SourceCode: SourceFile:]

unknown

**Analyzing a Data Race in shmem_fallocate/shmem_writeout**

Okay, I'm diving into this KCSAN report. The kernel is flagging a potential data race between `shmem_fallocate` and `shmem_writeout`, specifically on the `shmem_falloc` struct, likely the `next` field. My initial thought is to trace the execution and see if this is a "real" bug or a benign race, which is quite common in lockless optimizations.

I recall the core logic: `shmem_fallocate` preallocates memory, and `shmem_writeout` potentially redirties pages based on the progress of that preallocation.  I'm focusing on how `shmem_fallocate` updates `shmem_falloc.next` to communicate "how far it's gone" to `shmem_writeout`.  The reported line numbers are a bit off, probably because of some kernel version differences.  The key lines for `shmem_fallocate` are around lines 3700-3810, specifically where the loop increments `next`.

```c
3704:		    shmem_falloc.waitq = &shmem_falloc_waitq;
3705:		    shmem_falloc.start = (u64)unmap_start >> PAGE_SHIFT;
3706:		    shmem_falloc.next = (unmap_end + 1) >> PAGE_SHIFT;
```
```c
3744:		shmem_falloc.waitq = NULL;
3745:		shmem_falloc.start = start;
3746:		shmem_falloc.next  = start;
3747:		shmem_falloc.nr_falloced = 0;
3748:		shmem_falloc.nr_unswapped = 0;
```
```c
3805:				shmem_falloc.nr_falloced += index - shmem_falloc.next;
3806:			shmem_falloc.next = index;
```

I see `next` is a `pgoff_t`, essentially a page index, and it's being updated inside the `shmem_fallocate` loop. The report says the race is on an 8-byte read/write at the same address.  The value change from `0x1cf` (463) to `0x1d0` (464) strongly suggests this is the increment of `next` as it preallocates pages, specifically, the variable being updated to `index`.

Now, the important question: why is this race benign? I recall that `shmem_writeout` checks if a folio is "in progress" using the `index < next` comparison, but crucially, it's synchronized by the page lock for that index.  The page lock protects the *critical transition point* and thus ensures consistency for that specific index. Other indices may see a stale `next`, but that doesn't change the correctness because of the monotonic (always increasing) nature of `next` during preallocation. If it hasn't reached an index yet, the comparison will be true either way. Once the page lock is taken for a given index, the page's status will be consistent.

The comment in the code explicitly states this is intended:
```c
3801:			/*
3802:			 * Inform shmem_writeout() how far we have reached.
3803:			 * No need for lock or barrier: we have the page lock.
3804:			 */
```
The programmer is explicitly relying on the page lock's synchronization.

Is there a risk of unaligned access and tearing? Probably not. The compiler should align the `shmem_falloc` struct, but even if there were tearing, the worst outcome is likely harmless in the context of a temporary file system. A potentially zeroed page or an extra redirty operation are minor issues.

Let's confirm the write and read points. KCSAN says `shmem_fallocate` (task 8171) writes to `0xffffc9000c3c3cb0`, and `shmem_writeout` (task 8167) reads from the *same* address. The important lines are:
```c
1625:	index < shmem_falloc->next
1626:	shmem_falloc->nr_unswapped += nr_pages;
```
```

unknown

map[Benign:true Confident:true]

map[Benign:true Confident:true]

unknown

**Reasoning Behind the Benign Data Race**

Okay, so I'm being asked to explain why this data race is harmless. Here's my understanding:

First, the race is between `shmem_fallocate`, which is writing to `shmem_falloc.next`, and `shmem_writeout`, which is reading it. `shmem_falloc` itself is an on-stack structure used within `shmem_fallocate`, and a pointer to this structure is stored in `inode->i_private` during the operation.

Now, here's where the synchronization comes in. `shmem_fallocate` updates `next` *after* it's processed each folio (that's key), and importantly, it holds the folio lock while it does so.  `shmem_writeout`, on the other hand, is invoked during page reclaim and *also* holds the lock for the folio it's currently working on.

This is the linchpin of the argument. Because both `shmem_fallocate` and `shmem_writeout` are using the folio lock, `shmem_writeout` can only ever see a value for `next` that's either: 1) less than its current index (if `fallocate` hasn't reached it yet), or 2) greater than or equal to its current index (if `fallocate` has completed it). The critical transition – when `next` goes from the current index to the next index – is *protected* by the folio lock.

For any other transition in `next` related to different folios, the comparison `index < next` in `shmem_writeout` remains stable: it's either consistently true or consistently false. The folio locks ensure this, so the race doesn't affect the logical flow.

The developer's comment is also very telling; it explicitly states that no locks are needed because of this page lock synchronization.

This entire design, then, seems to be a deliberate lockless optimization. It leverages the inherent atomicity of 64-bit aligned accesses on x86_64, which is the stated architecture. It’s safe because the synchronization on the individual folio locks guarantees the consistency of `next` from the perspective of any single folio. Therefore, it's not a true data race that could cause issues.