From: Tomas Bortoli
To: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net
Cc: jiangyiwen@huawei.com, davem@davemloft.net, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Tomas Bortoli
Subject: [PATCH] [V9fs-developer] [PATCH] /net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
Date: Fri, 20 Jul 2018 11:27:30 +0200
Message-Id: <20180720092730.27104-1-tomasbortoli@gmail.com>

The patch adds the flush in p9_mux_poll_stop() as it is the function used by
p9_conn_destroy(), in turn called by p9_fd_close() to stop the async
polling associated with the data regarding the connection.

Signed-off-by: Tomas Bortoli
Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com
---
As shown by Syzbot, it is possible to provoke a race between p9_fd_close()
and p9_poll_workfn() that is called to take care of the async read/write
work to do. To make sure p9_fd_close() frees "trans" when it is not used
anymore, it has to explicitly flush p9_poll_work before the kfree().

 net/9p/trans_fd.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index bf459ee0feab..a64b01c56e30 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -185,6 +185,8 @@ static void p9_mux_poll_stop(struct p9_conn *m) spin_lock_irqsave(&p9_poll_lock, flags); list_del_init(&m->poll_pending_link); spin_unlock_irqrestore(&p9_poll_lock, flags); + + flush_work(&p9_poll_work); } /** -- 2.11.0
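
Review bot: flush_work() can sleep, so with this call at the end of p9_mux_poll_stop() the function may now only be called from process context; the call is correctly placed after spin_unlock_irqrestore() rather than under p9_poll_lock, but the function's comment should state the new constraint. The flushed item is &p9_poll_work, not a member of struct p9_conn, so the flush waits for a whole pass of the shared worker rather than for work belonging to m alone; a sentence in the changelog on why that is acceptable, and on why nothing can put m back on the pending list after list_del_init(), would make the fix easier to verify. The explanation of the race between p9_fd_close() and p9_poll_workfn() sits below the "---" and will be dropped when the patch is applied; move it above the Signed-off-by so it lands in the commit message. The subject line also carries a duplicated [PATCH] tag and a leading slash in the path prefix.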