Date: Sat, 17 Nov 2018 09:55:31 +0100
From: Dominique Martinet
To: syzbot
Cc: davem@davemloft.net, ericvh@gmail.com, linux-kernel@vger.kernel.org, lucho@ionkov.net, netdev@vger.kernel.org, syzkaller-bugs@googlegroups.com, v9fs-developer@lists.sourceforge.net
Subject: Re: WARNING: refcount bug in p9_req_put
Message-ID: <20181117085531.GB24182@nautica>
In-Reply-To: <000000000000eb6a8e057ab79f82@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

syzbot wrote on Thu, Nov 15, 2018:
> RIP: 0010:refcount_sub_and_test_checked+0x2c9/0x310 lib/refcount.c:187
> Code: 89 de e8 ea 1a ed fd 84 db 74 07 31 db e9 4d ff ff ff e8 0a 1a
> ed fd 48 c7 c7 20 ae 60 88 c6 05 7b fd 7e 06 01 e8 67 7d b6 fd <0f>
> 0b 31 db e9 2c ff ff ff 48 89 cf e8 a6 67 30 fe e9 41 fe ff ff
> RSP: 0018:ffff88817e87f330 EFLAGS: 00010282
> RAX: 0000000000000000 RBX: 0000000000000000 RCX: ffffc90005e51000
> RDX: 00000000000222c2 RSI: ffffffff8165e7e5 RDI: 0000000000000005
> RBP: ffff88817e87f418 R08: ffff8881866ba640 R09: ffffed103b5c5020
> R10: ffffed103b5c5020 R11: ffff8881dae28107 R12: ffff88817c7a7008
> R13: 00000000ffffffff R14: ffff88817e87f3f0 R15: ffff8881c1dc9d68
> refcount_dec_and_test_checked+0x1a/0x20 lib/refcount.c:212
> kref_put include/linux/kref.h:69 [inline]
> p9_req_put+0x20/0x60 net/9p/client.c:395
> p9_conn_destroy net/9p/trans_fd.c:880 [inline]
> p9_fd_close+0x39f/0x6b0 net/9p/trans_fd.c:913
> p9_client_create+0xbd0/0x1674 net/9p/client.c:1062
> v9fs_session_init+0x217/0x1bb0 fs/9p/v9fs.c:421

So the latest ref put I added on destroy for m->rreq looks like it's not
always a good idea...

The worker thread is supposed to be stopped at this point so I'm not sure
what went wrong, but while looking at this I found a race with the read
work function and the cancelled callback -- although that would cause a
list corruption so it's not what happened here.

Will think on it a bit more, and try to reproduce by adding some random
delays to make some races more likely.

I'll fix the race in trans_fd's cancelled after/together with the async
flush patches, I've got something working except for cancelled on this
end so will probably submit something around next week after I've had
time to test a bit more extensively

-- 
Dominique
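
An added example, not code from this message or from the kernel tree: a userspace C model of the checked-refcount behaviour visible in the quoted trace, where a put through `kref_put` ends in the `lib/refcount.c` warning. The `model_*` names and the one-extra-put scenario are constructed assumptions; it does not reproduce the 9p bug, whose cause the message leaves open.

```c
#include <limits.h>
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>

/* Userspace model of a checked reference count (all names hypothetical). */
struct model_ref { atomic_uint count; };
struct model_req { struct model_ref ref; bool freed; };

static unsigned int underflow_warnings;

/* Subtract n and return true only when the count reaches zero.
 * A saturated counter, or a subtraction that would wrap below zero,
 * is refused and leaves the counter unchanged. */
static bool model_ref_sub_and_test(struct model_ref *r, unsigned int n)
{
    unsigned int val = atomic_load(&r->count), next;

    do {
        if (val == UINT_MAX)
            return false;               /* saturated: never released */
        next = val - n;
        if (next > val) {               /* wrapped: more puts than gets */
            underflow_warnings++;
            fprintf(stderr, "model refcount: underflow; use-after-free.\n");
            return false;
        }
    } while (!atomic_compare_exchange_weak(&r->count, &val, next));
    return next == 0;
}

static void model_req_put(struct model_req *req)
{
    if (model_ref_sub_and_test(&req->ref, 1))
        req->freed = true;              /* a release callback would run here */
}

/* Constructed scenario: one reference, one balanced put, then one extra
 * put from a teardown path. Returns the number of warnings raised. */
static unsigned int demo_extra_put(void)
{
    struct model_req req = { .freed = false };

    atomic_init(&req.ref.count, 1);
    underflow_warnings = 0;
    model_req_put(&req);                /* 1 -> 0, object released */
    model_req_put(&req);                /* 0 - 1 would wrap: refused, warned */
    return underflow_warnings;
}

int main(void) { printf("warnings: %u\n", demo_extra_put()); return 0; }
```

In the model the request lives on the stack, so the extra put only touches a stale counter; in a real teardown path the object may already have been freed by the balanced put, which is why the check reports a possible use-after-free.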