From: Dmitry Vyukov
Date: Wed, 10 Oct 2018 16:03:56 +0200
Subject: Re: BUG: corrupted list in p9_read_work
To: Dominique Martinet, Leon Romanovsky
Cc: syzbot, David Miller, Eric Van Hensbergen, LKML, Latchesar Ionkov, netdev, Ron Minnich, syzkaller-bugs, v9fs-developer@lists.sourceforge.net
In-Reply-To: <20181009020949.GA29622@nautica>
References: <000000000000ca61cd0571178677@google.com> <000000000000fddb150577c15af6@google.com> <20181009020949.GA29622@nautica>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Oct 9, 2018 at 4:09 AM, Dominique Martinet wrote:
> syzbot wrote on Mon, Oct 08, 2018:
>> syzbot has found a reproducer for the following crash on:
>>
>> HEAD commit:    0854ba5ff5c9 Merge git://git.kernel.org/pub/scm/linux/kern..
>> git tree:       upstream
>> console output: https://syzkaller.appspot.com/x/log.txt?x=1514ec06400000
>> kernel config:  https://syzkaller.appspot.com/x/.config?x=88e9a8a39dc0be2d
>> dashboard link: https://syzkaller.appspot.com/bug?extid=2222c34dc40b515f30dc
>> compiler:       gcc (GCC) 8.0.1 20180413 (experimental)
>> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=10b91685400000
>>
>> IMPORTANT: if you fix the bug, please add the following tag to the commit:
>> Reported-by: syzbot+2222c34dc40b515f30dc@syzkaller.appspotmail.com
>>
>> list_del corruption, ffff88019ae36ee8->next is LIST_POISON1
>> (dead000000000100)
>> ------------[ cut here ]------------
>> [...]
>> list_del include/linux/list.h:125 [inline]
>> p9_read_work+0xab6/0x10e0 net/9p/trans_fd.c:379
>
> Hmm this looks very much like the report from
> syzbot+735d926e9d1317c3310c@syzkaller.appspotmail.com
> which should have been fixed by Tomas in 9f476d7c540cb
> ("net/9p/trans_fd.c: fix race by holding the lock")...
>
> It looks like another double list_del, looking at the code again there
> actually are other ways this could happen around connection errors.
> For example,
> - p9_read_work receives something and lookup works... meanwhile
> - p9_write_work fails to write and calls p9_conn_cancel, which deletes
>   from the req_list without waiting for other works to finish (could also
>   happen in p9_poll_mux)
> - p9_read_work finishes processing the read and deletes from list again
>
> For this one the simplest fix would probably be to just not
> list_del/call p9_client_cb at all if m->r?req->status isn't
> REQ_STATUS_ERROR in p9_read_work after the "got new packet" debug print,
> and frankly I think that's saner so I'll send a patch shortly doing
> that, but I have zero confidence there aren't similar bugs around, the
> tcp code is so messy... Most of the syzbot reports recently have been
> around trans_fd which I don't think is used much in real life, and this
> is not really motivating (i.e. I think it would probably need a more
> extensive rewrite but nobody cares) :/
>
>
> Dmitry, on that note, do you think syzbot could possibly test other
> transports somehow? rdma or virtio cannot be faked as easily as passing
> a fd around, but I'd be very interested in seeing these flayed a bit.

Hi Dominique,

How can they be faked? If we could create a private rdma/virtio stub
instance per test process, then we could I think easily use that
instance for 9p. But is it possible?

Testing on real hardware is mostly outside of our priorities at the
moment. I mean syzkaller itself can be run on anything, and one could
extend descriptions to use a known rdma interface and run on real
hardware. But we can't afford this at the moment.

As far as I understand RDMA maintainers run syzkaller on real hardware,
but I don't know if they are up to including 9p into testing.

+Leon
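The double list_del interleaving Dominique describes (cancel path unlinks the request, read path unlinks it again), modelled in an added C example that is not part of this thread or of net/9p. The list helpers and request struct are constructed stand-ins for the kernel's list.h and p9_req_t, the two paths run sequentially here rather than as concurrent works, and the guarded variant follows the proposed check: leave the request alone once the cancel path has marked it REQ_STATUS_ERROR.

```c
#include <stdbool.h>
#include <stddef.h>
/* Constructed stand-ins for list.h and 9p request state; not kernel code. */
#define LIST_POISON1 ((struct list_head *)0x100)
#define LIST_POISON2 ((struct list_head *)0x122)
struct list_head { struct list_head *next, *prev; };
enum { REQ_STATUS_SENT, REQ_STATUS_RCVD, REQ_STATUS_ERROR };
struct p9_req { int status; struct list_head req_list; };
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
/* Like list_del under CONFIG_DEBUG_LIST: refuses to unlink an entry that is
 * already poisoned, which is the "list_del corruption" the report shows. */
static bool list_del_checked(struct list_head *e) {
    if (e->next == LIST_POISON1 || e->prev == LIST_POISON2)
        return false;
    e->prev->next = e->next; e->next->prev = e->prev;
    e->next = LIST_POISON1; e->prev = LIST_POISON2;
    return true;
}
/* Cancel path (p9_conn_cancel in the thread): errors and unlinks every
 * pending request without waiting for a concurrent p9_read_work. */
static void conn_cancel(struct list_head *req_list) {
    while (req_list->next != req_list) {
        struct p9_req *r = (struct p9_req *)((char *)req_list->next - offsetof(struct p9_req, req_list));
        r->status = REQ_STATUS_ERROR;
        list_del_checked(&r->req_list);
    }
}
/* Read completion as in the report: unlinks unconditionally. */
static bool read_work_unguarded(struct p9_req *r) {
    r->status = REQ_STATUS_RCVD;
    return list_del_checked(&r->req_list);
}
/* With the guard the thread sketches: once the cancel path has marked the
 * request REQ_STATUS_ERROR, skip the unlink (and the client callback). */
static bool read_work_guarded(struct p9_req *r) {
    return r->status == REQ_STATUS_ERROR ? true : read_work_unguarded(r);
}
/* Interleaving from the thread: read side looks the request up, write side
 * fails and cancels the connection, then the read side finishes.
 * Returns false when the second unlink would have corrupted the list. */
static bool race_scenario(bool guarded, bool cancel_first) {
    struct list_head req_list = { &req_list, &req_list };
    struct p9_req req = { REQ_STATUS_SENT, { NULL, NULL } };
    list_add(&req.req_list, &req_list);
    if (cancel_first)
        conn_cancel(&req_list);
    return guarded ? read_work_guarded(&req) : read_work_unguarded(&req);
}
```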