Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp455162imu;
        Wed, 2 Jan 2019 09:46:53 -0800 (PST)
X-Google-Smtp-Source: AFSGD/Vr6vQGbuh2Ilwi6PHp5yFx8y/iG0RUDfzXZjDlOUEFnzEPYPtEojrQ+86IaBiJItgu9Dji
X-Received: by 2002:a62:528e:: with SMTP id g136mr47217500pfb.111.1546451212955;
        Wed, 02 Jan 2019 09:46:52 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1546451212; cv=none;
        d=google.com; s=arc-20160816;
        b=niSvc2hI+jB76n2BKVoqgnetoSWWWIdc5hIm8hxxqOAv4OhEhiK8HArol7QGD7MC3O
         MlDtXeSBT2aLmkcpg2/Z3qjwEVL05gMIhm7SqJjcxFOgTcFF0l2+EgWAu2TvypM9ZCDG
         EQ2RD0YEGlADZ8iL5xjHzhLAUZZXI+B+wnBvt/nSgISXHpalXncLLZdLfLY/ftyFfwEX
         YTq6jbBOe1gSa93qNLF34GyHn/AWdYTIVjNtQizKaXj3G7LPYshUQwIYBemh1Okg2zg+
         f/QybrfeBDZ5CfxUrBpcqExNN4XI0RdtXDomj164qYa9PnTEm8xt5qqu6v0mFtUOMJ8W
         801Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:cc:to:subject:message-id:date:from
         :in-reply-to:references:mime-version:dkim-signature;
        bh=qiLFLhBXdYY3jCFedCfq4+ipsrmddGhUNvb7y4N22Q0=;
        b=ojUSSSme56FIYv6qpl/jiCn3LUlWillW5XdYJ/RUs4JKe18VfCKUNVMF6JedM0wQs1
         q/kIRhQiLOhHBstsef5c0TuSU5cRRkyV+i7u3NiYvb5Bt7TQk37Oqwz2/Ngf/nWYsVxW
         xO+BFKB5Hk5DDGPSVK4eu3h1rsFWPZJ4/SFJS1b1cesT+6vDx9Y4FnEikag4Nm/hDb3f
         PX2MfTFKj18aoDhPkrNsLraV9ORushN2XkksX0tS20XGUaOzJd4x8S2cNbEQvJoKZm/P
         RKMQwQJO5Rz3V3Kn0ZIW7Z2p7tfQiKphiqGjyzG++wsp+Augh/YerxvBIoYHmuMG7HU1
         YYdw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=PfMzQWqA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id m8si22629825pgd.555.2019.01.02.09.46.18;
        Wed, 02 Jan 2019 09:46:52 -0800 (PST)
Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=PfMzQWqA;
       spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1729419AbfABPmn (ORCPT <rfc822;dacohen@gmail.com> + 99 others);
        Wed, 2 Jan 2019 10:42:43 -0500
Received: from mail-io1-f65.google.com ([209.85.166.65]:46599 "EHLO
        mail-io1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727038AbfABPmm (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Jan 2019 10:42:42 -0500
Received: by mail-io1-f65.google.com with SMTP id v10so24775560ios.13;
        Wed, 02 Jan 2019 07:42:41 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=mime-version:references:in-reply-to:from:date:message-id:subject:to
         :cc;
        bh=qiLFLhBXdYY3jCFedCfq4+ipsrmddGhUNvb7y4N22Q0=;
        b=PfMzQWqA0fsH3hxPX7VWjU7CPeSK+TecUSnK5LmZfhxktqVOzVz/ZlDOHzwbSFhsrh
         ZTRjCfC4TqrMgbM+fjagH1rf5xX8+LB1nq0ltwJavTV6KOJHebD0IgN+AqIaFRv1ZDbQ
         8Lc5yjPOt6aSD3j1cIJFwUfyOtuSNyRPKSFaG9MweqAyE2dZRuH8+OYr8P7XdaduOaUj
         bV0CJdpR80DUqzaT4syC8CdQHi6Sq2tHTpQPitzKkrVMaV67RWubgUqkNPC72ggQ2l+O
         nwENTUGo7fXvtcO1x0jOXxHXUIwf6x6ENzxQ+GN0+8WiwsjKjGffTe+0xSiZxvWRKuCP
         droA==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:mime-version:references:in-reply-to:from:date
         :message-id:subject:to:cc;
        bh=qiLFLhBXdYY3jCFedCfq4+ipsrmddGhUNvb7y4N22Q0=;
        b=IHsL/Ot09INdpBk4zZr2Q7ZhxcnC2AN4rG8QPU2QBfrMiot7HeN7Ct7rviQ7KFLaP3
         0YW0BkUU681R1k1x/YJXdHw1SmS+yBaupoQrkHLS1aQ5tx9eiRSTB41sOCeFREqUzaHe
         rZrKsDUn+n2ebqsliv8tHvg5gmV6U8JEc075sBLu1UltxUZL2ONJK6pNN7+rIrgOOnhW
         AqLh/3ihur3MAEqRTXZOXWx6+8XOntGrlwgulqCc80tgdtyH7HezCM7wuoc4XuBQSgWY
         7k2V2mVPsxlmq0H/LNhYX71ggJw7bCzRqOzwFIhbSHIRTy3vzMv7nUBaa5576/wCaPAz
         bzUA==
X-Gm-Message-State: AJcUukegxeXKWdE+lW1dHYv4s9SxHSqBHW0096OfpvSvys8gzHL9g3Tx
        I63TCqPqa3OlhzRrhBNTKC0YshSvXgabYTCAg4w=
X-Received: by 2002:a6b:2b95:: with SMTP id r143mr31789591ior.217.1546443761377;
 Wed, 02 Jan 2019 07:42:41 -0800 (PST)
MIME-Version: 1.0
References: <20181227190842.GA19565@myunghoj-Precision-5530>
In-Reply-To: <20181227190842.GA19565@myunghoj-Precision-5530>
From:   Ilya Dryomov <idryomov@gmail.com>
Date:   Wed, 2 Jan 2019 16:42:47 +0100
Message-ID: <CAOi1vP9G=-ZLBKH6Y5MoDRUjX4YkN6GUWKm1=fnM02odQX8GWA@mail.gmail.com>
Subject: Re: [PATCH] libceph: protect pending flags in ceph_con_keepalive()
To:     Myungho Jung <mhjungk@gmail.com>
Cc:     "Yan, Zheng" <zyan@redhat.com>, Sage Weil <sage@redhat.com>,
        "David S. Miller" <davem@davemloft.net>,
        Ceph Development <ceph-devel@vger.kernel.org>,
        netdev <netdev@vger.kernel.org>, linux-kernel@vger.kernel.org
Content-Type: text/plain; charset="UTF-8"
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

On Thu, Dec 27, 2018 at 8:08 PM Myungho Jung <mhjungk@gmail.com> wrote:
>
> con_flag_test_and_set() sets CON_FLAG_KEEPALIVE_PENDING and
> CON_FLAG_WRITE_PENDING flags without protection in ceph_con_keepalive().
> It triggers WARN_ON() in clear_standby() if the flags are set after
> con_fault() changes connection state to CON_STATE_STANDBY. Move
> con_flag_test_and_set() to be called before releasing the lock and store
> the condition to check after the critical section.
>
> Reported-by: syzbot+acdeb633f6211ccdf886@syzkaller.appspotmail.com
> Signed-off-by: Myungho Jung <mhjungk@gmail.com>
> ---
>  net/ceph/messenger.c | 8 ++++++--
>  1 file changed, 6 insertions(+), 2 deletions(-)
>
> diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c
> index 2f126eff275d..e15da22d4f37 100644
> --- a/net/ceph/messenger.c
> +++ b/net/ceph/messenger.c
> @@ -3216,12 +3216,16 @@ void ceph_msg_revoke_incoming(struct ceph_msg *msg)
>   */
>  void ceph_con_keepalive(struct ceph_connection *con)
>  {
> +       bool pending;
> +
>         dout("con_keepalive %p\n", con);
>         mutex_lock(&con->mutex);
>         clear_standby(con);
> +       pending = (con_flag_test_and_set(con,
> +                                        CON_FLAG_KEEPALIVE_PENDING) == 0 &&
> +                  con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0);
>         mutex_unlock(&con->mutex);
> -       if (con_flag_test_and_set(con, CON_FLAG_KEEPALIVE_PENDING) == 0 &&
> -           con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0)
> +       if (pending)
>                 queue_con(con);
>  }
>  EXPORT_SYMBOL(ceph_con_keepalive);

Hi Myungho,

Were you able to reproduce?  If so, did you use the syzkaller output or
something else?

Thanks,

                Ilya