Received: by 2002:ac0:a5a7:0:0:0:0:0 with SMTP id m36-v6csp2595815imm; Sun, 12 Aug 2018 18:50:27 -0700 (PDT) X-Google-Smtp-Source: AA+uWPxlbQdcwUlBD++AR608QZOnkZhz8/pHeLfdHZ4QxIesW0Z4tejDG/Us6yQ98rkyOibwFMKC X-Received: by 2002:a65:4344:: with SMTP id k4-v6mr14975328pgq.409.1534125027848; Sun, 12 Aug 2018 18:50:27 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1534125027; cv=none; d=google.com; s=arc-20160816; b=SMCvDZNxeS476L+rb/BT767RhRrCCyGVUR8unMHIPHEgesVfkurQwXVD1a+5YI8eKh 8CdUhNtWlPVtXAIhSZb+O/syimOQHu0wvkCZaxw5xCvg9w/GhMa5yHInZHwCmvAgCIvk mYQAdZWRt4w8RvIJ/i+cJi6+rEN1+a+Ngd4VR19oZjqaV6nNr1h/G5PUoTqq9/+wx/ud 3ssH/+skkocM4DjOa+ua5yj3Jx0TNYZpjPsganHUFKpLf4MXpSumXiNz1EhSWHkJLOHi ZSVjbsLV1udki8g6MLh7V8ed8esjsFmut9lPxyQPHMjlv1nXGAlA7wjKczMAuOcI2OYn F4UQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:user-agent:in-reply-to :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:arc-authentication-results; bh=4mw1pnoQpFGLtkRr+u3uEYwxAdoDE1EKGejUS2XWXIQ=; b=0DI9suZ61Nf89Rv1aDngEAgefwZ49HAIZoJry0SX04D3AjKik6+KxEYNq4zvyyEIwv 9n/IP/Fhevialz86q0CwKAQJazdLO03uhd3Wnu2QcVTtOp1ylAfpJ7LMio0y0gMq9Syo fHmcuq7LuJxOxOTUV2aCNFleTrIFzW64WI9HZXQ/NUb4JefNAJsxzNFsV023Kag+uVkH kDTD+XRP8tE+6RHocQzU6cw717xUrscx9S4JVdU5soXucHY6rhw0i/xJy3ggh55o1+MJ dP4o8QO3RS7AYgkbP01YzuuAH8IR09WttocCE14YWy91eeATFWQFr0hGO3qf0VI/ynJ8 /OHw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 68-v6si15995143pga.113.2018.08.12.18.49.58; Sun, 12 Aug 2018 18:50:27 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726037AbeHME2c (ORCPT + 99 others); Mon, 13 Aug 2018 00:28:32 -0400 Received: from nautica.notk.org ([91.121.71.147]:53287 "EHLO nautica.notk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725772AbeHME2c (ORCPT ); Mon, 13 Aug 2018 00:28:32 -0400 Received: by nautica.notk.org (Postfix, from userid 1001) id E37D6C009; Mon, 13 Aug 2018 03:48:30 +0200 (CEST) Date: Mon, 13 Aug 2018 03:48:15 +0200 From: Dominique Martinet To: piaojun Cc: Tomas Bortoli , ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net, Dominique Martinet , netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, v9fs-developer@lists.sourceforge.net, davem@davemloft.net Subject: Re: [V9fs-developer] [PATCH 2/2] 9p: Add refcount to p9_req_t Message-ID: <20180813014815.GB6777@nautica> References: <20180811144254.23665-1-tomasbortoli@gmail.com> <20180811144254.23665-2-tomasbortoli@gmail.com> <5B70E0D1.2080300@huawei.com> MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Disposition: inline In-Reply-To: <5B70E0D1.2080300@huawei.com> User-Agent: Mutt/1.5.21 (2010-09-15) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org piaojun wrote on Mon, Aug 13, 2018: > Could you help paste the reason of the crash bug to help others > understand more clearly? And I have another question below. The problem for tcp (but other transports have a similar problem) is that with a malicious server like syzkaller they can try to submit replies before the request came in. This leads in the writer thread trying to write a buffer that has already been freed, and if memory has been reused could potentially leak some information. Now, with the previous patches this is based on this would be a slab and the likeliness of it being sensitive information is rather low (it would likely be some other packet being sent twice, or a mix and match of two packets that would have been sent anyway), but it would nevertheless be a use after free. There is a second advantage to this reference counting, that is now we have this system we will be able to implement flush asynchronously. This will remove the need for the 'goto again' in p9_client_rpc which was making 9p threads unkillable in practice if the server would not reply to the flush requests. Even if the server replies I've always found myself needing to hit ^C multiple times to exit a process doing I/Os and I think fixing that behaviour will make 9p more comfortable to use. > > diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c > > index 20f46f13fe83..686e24e355d0 100644 > > --- a/net/9p/trans_fd.c > > +++ b/net/9p/trans_fd.c > > @@ -132,6 +132,7 @@ struct p9_conn { > > struct list_head req_list; > > struct list_head unsent_req_list; > > struct p9_req_t *req; > > + struct p9_req_t *wreq; > > Why adding a wreq for write work? And I wonder we should rename req to > rreq? We need to store a pointer to the request for the write thread because we need to put the reference to it when we're done writing its content. Previously, the worker would only store the write buffer there but that's not enough to figure what request to dereference. I personally don't think renaming req to rreq would bring much but it could be done in another patch if you think that'd be helpful; I think it shouldn't be done here at least to make the patch more readable. -- Dominique