Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp1869734imw; Sat, 9 Jul 2022 13:47:10 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vLelpV2LaBEundvQsHBrmRG1ru3t2yyBDnC17XT39mW3fpCWj9J5s0alZ4wSkb7F5MJiab X-Received: by 2002:a05:6402:298a:b0:43a:76f8:a75c with SMTP id eq10-20020a056402298a00b0043a76f8a75cmr14011769edb.216.1657399630286; Sat, 09 Jul 2022 13:47:10 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657399630; cv=none; d=google.com; s=arc-20160816; b=yHTxB5wS0ngdsQrNOZR7YTbLvzQ7MbXieP3RI8H6MqlKRko7Nzh+XGmebgxC6jUiG2 gyoCeUKnPu03933XdaQ7mmuNGce3UhjGjwTD0UEjZ1h/pa6S7nMLgN5yvWxtfMClxr6M HbrszVQ9ZGnt4Zk8UVjexVC1Fbx81Eiff1bKQ3CKe/V3rkEGm4lBwawC6Vssg3Kl2CaN YN0LJESTRzGaaMPK/izWUVbQolcMHb7uMru0RcpDQGh8ZlPj9jkpxE6YBonywik0wC5N l4z6SIFIAfkjMnJVqvkrclvfjZ7VxbOzmQ3TtEMd0yPJQeKQ2tdxssi9HgRgOaUPRT/W tOnw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :message-id:date:subject:cc:to:from:dkim-signature:dkim-filter; bh=0/4/je5F3ph2qO9T5M9uqjsKhrJMFF9mOYX6DBCeVVI=; b=i8/IpOH0PQssTXL+F7BACFaA5AIIB53BdAf/qHfSexiEHG/Bq9Uh28RXFTjt3YPY9K EuF2gnZ+Dd4czKGMt0SbCSYyupIaDN9INSiGbDgRYfjyGW4aXzDUCGo5lpT65Ng3l1Cp ++BGmJXZNP3GxjKh0kVPQhqetaBUwf7tnCg9lsWPhg32cZJSzBVB2Zu9uvc/0A2Uq12E +eSGTfMFDq3K7LzV+WRB9OO+W0qg3DhdKLT08SVaTBA6aEO+FymT2ZXUtNT1w1HuFMmM NAX6Zgu7eKD93x3jeIo6uSpx8EGnkAICocXF/C330tgjzZmy5c7/mHX9xezmk8SIQWV9 or+g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=WwAVohwj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id f17-20020a056402069100b0043a739de8c1si3290439edy.428.2022.07.09.13.46.45; Sat, 09 Jul 2022 13:47:10 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=WwAVohwj; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229547AbiGIUAX (ORCPT + 99 others); Sat, 9 Jul 2022 16:00:23 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:57568 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229448AbiGIUAV (ORCPT ); Sat, 9 Jul 2022 16:00:21 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 0CD33E01D; Sat, 9 Jul 2022 13:00:20 -0700 (PDT) Received: from sequoia.devices.tihix.com (162-237-133-238.lightspeed.rcsntx.sbcglobal.net [162.237.133.238]) by linux.microsoft.com (Postfix) with ESMTPSA id AC919204C8E0; Sat, 9 Jul 2022 13:00:18 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com AC919204C8E0 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1657396819; bh=0/4/je5F3ph2qO9T5M9uqjsKhrJMFF9mOYX6DBCeVVI=; h=From:To:Cc:Subject:Date:From; b=WwAVohwjMEHgPxZC8fl/YVpl7hgLuB3Ct1y5ziEld3gJ5uEsMj6vCC0cCBu3Dp7ih VSHgbFIzLHlkoc8NIssRqOYG4OviGqXv49J/OBO9QtU7me0jYqpcT1KMMLGvqDmqe6 8jdmkB7MWMeAbmYcLMWWtX0+QxOXQPWlaPeUUKpg= From: Tyler Hicks To: Eric Van Hensbergen , Latchesar Ionkov , Dominique Martinet , Christian Schoenebeck Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: [PATCH] net/9p: Initialize the iounit field during fid creation Date: Sat, 9 Jul 2022 15:00:05 -0500 Message-Id: <20220709200005.681861-1-tyhicks@linux.microsoft.com> X-Mailer: git-send-email 2.25.1 MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-19.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_MED, SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL, USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Ensure that the fid's iounit field is set to zero when a new fid is created. Certain 9P operations, such as OPEN and CREATE, allow the server to reply with an iounit size which the client code assigns to the fid struct shortly after the fid is created in p9_fid_create(). Other operations that follow a call to p9_fid_create(), such as an XATTRWALK, don't include an iounit value in the reply message from the server. In the latter case, the iounit field remained uninitialized. Depending on allocation patterns, the iounit value could have been something reasonable that was carried over from previously freed fids or, in the worst case, could have been arbitrary values from non-fid related usages of the memory location. The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel after the uninitialized iounit field resulted in the typical sequence of two getxattr(2) syscalls, one to get the size of an xattr and another after allocating a sufficiently sized buffer to fit the xattr value, to hit an unexpected ERANGE error in the second call to getxattr(2). An uninitialized iounit field would sometimes force rsize to be smaller than the xattr value size in p9_client_read_once() and the 9P server in WSL refused to chunk up the READ on the attr_fid and, instead, returned ERANGE to the client. The virtfs server in QEMU seems happy to chunk up the READ and this problem goes undetected there. However, there are likely other non-xattr implications of this bug that could cause inefficient communication between the client and server. Cc: stable@vger.kernel.org Signed-off-by: Tyler Hicks --- Note that I haven't had a chance to identify when this bug was introduced so I don't yet have a proper Fixes tag. The history looked a little tricky to me but I'll have another look in the coming days. We started hitting this bug after trying to move from linux-5.10.y to linux-5.15.y but I didn't see any obvious changes between those two series. I'm not confident of this theory but perhaps the fid refcounting changes impacted the fid allocation patterns enough to uncover the latent bug? net/9p/client.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/9p/client.c b/net/9p/client.c index 8bba0d9cf975..1dfceb9154f7 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -899,6 +899,7 @@ static struct p9_fid *p9_fid_create(struct p9_client *clnt) fid->clnt = clnt; fid->rdir = NULL; fid->fid = 0; + fid->iounit = 0; refcount_set(&fid->count, 1); idr_preload(GFP_KERNEL); -- 2.25.1