Date: Mon, 23 Jul 2018 04:39:07 +0200
From: Dominique Martinet
To: Tomas Bortoli
Cc: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net, jiangyiwen@huawei.com, davem@davemloft.net, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com
Subject: Re: [PATCH] [V9fs-developer] [PATCH] /net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
Message-ID: <20180723023907.GA24608@nautica>
References: <20180720092730.27104-1-tomasbortoli@gmail.com>
In-Reply-To: <20180720092730.27104-1-tomasbortoli@gmail.com>

Tomas Bortoli wrote on Fri, Jul 20, 2018:
> The patch adds the flush in p9_mux_poll_stop() as it is the function used by
> p9_conn_destroy(), in turn called by p9_fd_close() to stop the async
> polling associated with the data regarding the connection.
>
> Signed-off-by: Tomas Bortoli
> Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com

Looks good to me, I'm taking this patch.

If I had to say something, try to aim for slightly shorter subject lines if possible :)

> ---
> As shown by Syzbot, it is possible to provoke a race between p9_fd_close()
> and p9_poll_workfn() that is called to take care of the async read/write work
> to do. To make sure p9_fd_close() frees "trans" when it is not used anymore,
> it has to explicitly flush p9_poll_work before the kfree().
>
>  net/9p/trans_fd.c | 2 ++
>  1 file changed, 2 insertions(+)
>
> diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> index bf459ee0feab..a64b01c56e30 100644
> --- a/net/9p/trans_fd.c
> +++ b/net/9p/trans_fd.c
> @@ -185,6 +185,8 @@ static void p9_mux_poll_stop(struct p9_conn *m)
>  	spin_lock_irqsave(&p9_poll_lock, flags);
>  	list_del_init(&m->poll_pending_link);
>  	spin_unlock_irqrestore(&p9_poll_lock, flags);
> +
> +	flush_work(&p9_poll_work);
>  }
>
>  /**

-- 
Dominique Martinet
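Review bot: the new flush_work(&p9_poll_work) call in the p9_mux_poll_stop() hunk is correctly placed after spin_unlock_irqrestore(), since flush_work() may sleep and must not be called while holding p9_poll_lock, but it lands without a comment and the ordering it relies on is subtle enough to deserve one. Something like "/* m is off the pending list; wait for any running poll work before the caller frees it */" above the call would record that list_del_init(&m->poll_pending_link) under the lock stops a later run of the worker from picking this connection up again, while flush_work() waits out an instance of p9_poll_workfn() that is already executing, and only the two together make the kfree() described in the changelog safe. Worth stating in that comment as well: p9_poll_work is not a member of m but the shared poll work item, so this flush waits for the worker to finish whatever connections it is currently servicing, not just this one; that is acceptable on the close path, but a reader should not mistake it for a per-connection wait.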