Received: by 2002:ad5:474a:0:0:0:0:0 with SMTP id i10csp3984347imu; Mon, 14 Jan 2019 12:39:23 -0800 (PST) X-Google-Smtp-Source: ALg8bN4OiEGFz1pJVObc1XzHfkS9BjOFbF+ycuXKjEQa8CFSZSi4DNsB4JKAGTTTpvyfikFWrNqx X-Received: by 2002:a62:3c1:: with SMTP id 184mr375969pfd.56.1547498363648; Mon, 14 Jan 2019 12:39:23 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1547498363; cv=none; d=google.com; s=arc-20160816; b=hEwUDPYX/Xvjsjzp60/POAHqBywroFpotPSnjIagvQ4ZEuKbSSZmVgNa6rEF9jdl5i p4hw7d0Vpcq7jKdI4PUWHmo+wYmvLjvHKuOcghrESDhIZucKbcg5la7moU+kk+Zn7lNB wYDasy/KbKbZO8VfyZU3ctjHgiOguBLGjXB7tMw39QkDPvUN7qdhBD848L6hPiy4Fklm Vipl64gijzeN0Adjc9uWg0vhfE0UBNW4bNs2Gu8TkKGGwAZyoFYgAOJ3rrCQXNRktGVQ GPFB79jCf4myC6ENDFvFKMLE9LNlYUFQRSaykBMifaYdybVEFOgqmickR3wCx970KZGF H0sA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:cc:to:subject:message-id:date:from :in-reply-to:references:mime-version:dkim-signature; bh=uHx/tBNv0XiIGAnQUaDsznrgTpkI55fwt+sl3UVxk78=; b=KWQCJw3Pup16Q4Fo2ZKKowfIQFs7JQTxAged2/zs9dfEQW0S+rW42P3I5kl7OwhLN+ lxj3IvJaueBXV09c9qicWR4UdMmU9v/udV2IBgcsGIjcMEPNYH4BYixaU0LPi+YKp4MN 67pqgYlda7ajbdL/dypx+hdjslPqQPRPunchIOiJTnHJ546hDZsW4JqLFMFtpktueHyh +4ta6Dme/yowDQYysJlta33tfA2zv6IJ+e85JiNmPAE3MjycLx7rY7HMYRBBeT5wcL+m P8+ZT/0GeRdKIDGbioy83YQFK1h8UPKVsPG9PLHi7TbY8qyKP4N4WYWqVNNNYkFtFR0M usaw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=X96IbwxP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id s66si1282271pgs.115.2019.01.14.12.39.08; Mon, 14 Jan 2019 12:39:23 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20161025 header.b=X96IbwxP; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727093AbfANUhh (ORCPT + 99 others); Mon, 14 Jan 2019 15:37:37 -0500 Received: from mail-it1-f193.google.com ([209.85.166.193]:52173 "EHLO mail-it1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726776AbfANUhh (ORCPT ); Mon, 14 Jan 2019 15:37:37 -0500 Received: by mail-it1-f193.google.com with SMTP id w18so1648820ite.1; Mon, 14 Jan 2019 12:37:36 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=uHx/tBNv0XiIGAnQUaDsznrgTpkI55fwt+sl3UVxk78=; b=X96IbwxP/MSsUvZ6fTQOUWYL2S2Nhm3tcIPvq5tlultQurncIajso0w1RnOI1xiWM8 +KqGsNd/dSzhz0BJmiWiuBPUjtbp/LT6WLNIzgVyrEpW1GWG5kYTlGHgFa92yJBhYXJZ 33BdvxRpba3jASQi6BSZp6I3a1Z/x6jHlecxObS8C3h92IBTmZt4i43J5RcagIyGhpqj mBoh7/3up14XQp4f6WOoWHiganraKkN1167j52RpN6nb/1UJipSLdlYWpg+IOKfs8XQq 2nb3HvlBUTiOqI1yhfI2Od+js5btTmT+7CiFFp7jcVng/StwU5iwmo/jNKPsN05xdTND IwKA== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=uHx/tBNv0XiIGAnQUaDsznrgTpkI55fwt+sl3UVxk78=; b=qNjHGksXIlm2OsBXW1mJ6WWRZCNEh30uOPyjMaW2Nrb1CahzhtTjQWCp+d7OaD4YNX c2FfS+zl6AmnVgfRvEd1hrCrvrNT0KbivYQ4gTySUul0HSiccTN2CQi8PDtmA4szeOaU avb7DRdAVUEY0zEz4HJwKBWgrx6TISXwGZBiNc+nB24CNm2H0BPVtwV7ccY/NOr6ZJqr gJLsPrvL8ccJectmOeASe3uINmu1fhxc+CW1eVwLq4NW6CJcgsc+3VD8t+9hZd+sNldF 7hHAwP90BRJJYqPL7Yc/t7QA9efr/+pXbZfs0N7ftrA6U6eI+X3wZAwL4sQhgy7wFwLP URcw== X-Gm-Message-State: AJcUukfZVfcaMMk5/6TgGjJ7I6zE+2ZcSY3cWB8QQGojShw6etZy0RnJ 7Fg8bkQpoijtke7k7G68h0oqS0XJ1MwkJvVjrio= X-Received: by 2002:a02:7b09:: with SMTP id q9mr191737jac.39.1547498256382; Mon, 14 Jan 2019 12:37:36 -0800 (PST) MIME-Version: 1.0 References: <20181227190842.GA19565@myunghoj-Precision-5530> <20190103035027.GA26674@myunghoj-Precision-5530> In-Reply-To: <20190103035027.GA26674@myunghoj-Precision-5530> From: Ilya Dryomov Date: Mon, 14 Jan 2019 21:37:25 +0100 Message-ID: Subject: Re: [PATCH] libceph: protect pending flags in ceph_con_keepalive() To: Myungho Jung Cc: "Yan, Zheng" , Sage Weil , "David S. Miller" , Ceph Development , netdev , linux-kernel@vger.kernel.org Content-Type: text/plain; charset="UTF-8" Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Thu, Jan 3, 2019 at 4:50 AM Myungho Jung wrote: > I reproduced on vm using syzkaller utils and verified the fix by syzbot. Hi Myungho, I think this might be a better fix: diff --git a/net/ceph/messenger.c b/net/ceph/messenger.c index d5718284db57..c5f5313e3537 100644 --- a/net/ceph/messenger.c +++ b/net/ceph/messenger.c @@ -3205,10 +3205,11 @@ void ceph_con_keepalive(struct ceph_connection *con) { dout("con_keepalive %p\n", con); mutex_lock(&con->mutex); + con_flag_set(con, CON_FLAG_KEEPALIVE_PENDING); clear_standby(con); mutex_unlock(&con->mutex); - if (con_flag_test_and_set(con, CON_FLAG_KEEPALIVE_PENDING) == 0 && - con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0) + + if (con_flag_test_and_set(con, CON_FLAG_WRITE_PENDING) == 0) queue_con(con); } EXPORT_SYMBOL(ceph_con_keepalive); WRITE_PENDING can be set without con->mutex held from socket callbacks. This is the reason we use atomic bit ops here, so testing WRITE_PENDING under the lock didn't make sense to me. At the same time, KEEPALIVE_PENDING could have been a non-atomic flag. I spent some time trying to make sense of conditioning queue_con() call on the previous value of KEEPALIVE_PENDING and couldn't see any, so I'm setting it with con_flag_set(), making ceph_con_keepalive() symmetric with ceph_con_send(). Thanks, Ilya