From: Ilya Dryomov
Date: Wed, 2 Jan 2019 16:42:47 +0100
Subject: Re: [PATCH] libceph: protect pending flags in ceph_con_keepalive()
To: Myungho Jung
Cc: "Yan, Zheng", Sage Weil, "David S. Miller", Ceph Development, netdev, linux-kernel@vger.kernel.org
In-Reply-To: <20181227190842.GA19565@myunghoj-Precision-5530>

On Thu, Dec 27, 2018 at 8:08 PM Myungho Jung wrote:
>
> con_flag_test_and_set() sets CON_FLAG_KEEPALIVE_PENDING and
> CON_FLAG_WRITE_PENDING flags without protection in ceph_con_keepalive().
> It triggers WARN_ON() in clear_standby() if the flags are set after
> con_fault() changes connection state to CON_STATE_STANDBY. Move
> con_flag_test_and_set() to be called before releasing the lock and store
> the condition to check after the critical section.
>
> Reported-by: syzbot+acdeb633f6211ccdf886@syzkaller.appspotmail.com
> Signed-off-by: Myungho Jung
> --- > net/ceph/messenger.c | 8 ++++++-- > 1 file changed, 6 insertions(+), 2 deletions(-) > > diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c > index 2f126eff275d..e15da22d4f37 100644 > --- a/net/ceph/messenger.c > +++ b/net/ceph/messenger.c
> @@ -3216,12 +3216,16 @@ void ceph_msg_revoke_incoming(struct ceph_msg *msg) > */ > void ceph_con_keepalive(struct ceph_connection *con) > { > + bool pending; > + > dout("con_keepalive %p\n", con); > mutex_lock(&con->mutex); > clear_standby(con); > + pending = (con_flag_test_and_set(con, > + CON_FLAG_KEEPALIVE_PENDING) == 0 && > + con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0); > mutex_unlock(&con->mutex); > - if (con_flag_test_and_set(con, CON_FLAG_KEEPALIVE_PENDING) == 0 && > - con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0) > + if (pending) > queue_con(con); > } > EXPORT_SYMBOL(ceph_con_keepalive);

Hi Myungho,

Were you able to reproduce? If so, did you use the syzkaller output or
something else?

Thanks,

                Ilya
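
Review bot: In ceph_con_keepalive(), the new local `pending` is true only when both con_flag_test_and_set() calls return 0, that is, when neither flag was set beforehand, so the name says the opposite of what the value means; a name such as `need_queue` would match the `if (...) queue_con(con);` that consumes it. The assignment would also benefit from a one-line comment stating that CON_FLAG_KEEPALIVE_PENDING and CON_FLAG_WRITE_PENDING must be set while con->mutex is held, so that con_fault() cannot switch the connection to CON_STATE_STANDBY between clear_standby() and the flag update, since nothing in the code itself tells a later reader why the test-and-set cannot move back below mutex_unlock(). The `&&` short-circuit is preserved from the old condition (CON_FLAG_WRITE_PENDING is left untouched when CON_FLAG_KEEPALIVE_PENDING was already set), and queue_con() still runs after the unlock as before; it is worth saying in the commit message that both are intentional.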