[PATCH 1/1] bcache: fix stale data race between read cache miss and bypass write

[Ankit Kapoor]

A race condition exists between a read cache miss and a bypass write
due to either congestion or sequential bypass, that causes stale data
to be cached when the read cache miss runs concurrently with a bypass
write targeting the same sectors. If the read cache miss fetches data
from the backing device before the write to the backing device,
stale data populates the cache.

The root cause is that bcache currently executes btree key
invalidation in parallel with (or prior to) writing the actual data
payload to the backing device. Under this sequence, a concurrent
read path can register a cache miss and insert a placeholder key.
If the write's btree key invalidation completes before the read finishes
fetching old data from the backing device, the read's subsequent
key replacement will not detect a collision, allowing stale data
to persist in the cache.

Fix this by deferring the btree key invalidation until after the
backing device write completes successfully. Enforcing this
sequential execution ensures that a stale read is always detected
and invalidated.

Signed-off-by: Ankit Kapoor <ankitkap@xxxxxxxxxx>
---
 drivers/md/bcache/request.c | 13 +++++++++++++
 1 file changed, 13 insertions(+)

diff --git a/drivers/md/bcache/request.c b/drivers/md/bcache/request.c
index af345dc6fde1..ef2cf55df3bb 100644
--- a/drivers/md/bcache/request.c
+++ b/drivers/md/bcache/request.c
@@ -978,6 +978,14 @@ static CLOSURE_CALLBACK(cached_dev_write_complete)
 	cached_dev_bio_complete(&cl->work);
 }
 
+static CLOSURE_CALLBACK(backing_device_bypass_write_complete)
+{
+	closure_type(s, struct search, cl);
+
+	closure_call(&s->iop.cl, bch_data_insert, NULL, cl);
+	continue_at(cl, cached_dev_write_complete, NULL);
+}
+
 static void cached_dev_write(struct cached_dev *dc, struct search *s)
 {
 	struct closure *cl = &s->cl;
@@ -1058,6 +1066,11 @@ static void cached_dev_write(struct cached_dev *dc, struct search *s)
 	}
 
 insert_data:
+	if (s->iop.bypass) {
+		continue_at(cl, backing_device_bypass_write_complete, NULL);
+		return;
+	}
+
 	closure_call(&s->iop.cl, bch_data_insert, NULL, cl);
 	continue_at(cl, cached_dev_write_complete, NULL);
 }
-- 
2.54.0.669.g59709faab0-goog