Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp2183225imw; Sat, 9 Jul 2022 23:33:37 -0700 (PDT) X-Google-Smtp-Source: AGRyM1vk6Wo9J78ky759JwS8bNK5Vg0pBGMqb3R4aWyPrWgmDuxI0MeA8nEY1UK3+EYww+LfuWYH X-Received: by 2002:a17:90a:9bc5:b0:1ef:8084:ada1 with SMTP id b5-20020a17090a9bc500b001ef8084ada1mr10151234pjw.172.1657434817709; Sat, 09 Jul 2022 23:33:37 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657434817; cv=none; d=google.com; s=arc-20160816; b=MUar0AcosbXQyJh4CNhttyJEyGB93wCTUWufxqWD6OXM2afSNBPVttODt1WlX3eVf2 G+HmuHeLvXVUKYaoKISKxEdqn6J/KxVRVgpo2GSRYZDKz5IoPAN4umXr2Zs0jA9oEzOA IbDlwcsIuCX48gYCs3xD1quAo6D9byMoKY8hqPy8Vxhl4YLQsFFYYKC0Wy5McxFeOZa9 N1rcvFk1gfN5gr+05JVSTLXKyVwMjNQ1W/jg1AHt1sC6F24L14jr0j0cx2pZDcMrImrL AqXPjuGVVbYh7ty/dgQlvQMTEteSM1BAuqwbooXLWQX0BLFHTJeKyZokFLZEkfzyjmij D6DA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:in-reply-to:content-transfer-encoding :content-disposition:mime-version:references:message-id:subject:cc :to:from:date:dkim-signature:dkim-filter; bh=vRH4An09fv5tOAeTFJW/Mxypr1Ya6mmtln9ASL5X9xI=; b=hY0TDRSeVqmGzNDNgwHANopV2LRqXi4MEN1cnAuKPHzKEhkFUfGypZbyzyM22TxMQq E/nI/itGKITKMRkCkmWZyeQgniXLhhKS/a3LX3kEfHmjJD26OetvrOQHYg3LC/6e+i1z ncJ9W8gar/w89JQa38EqvJ6Pe5LGp1SOEBEUtGaH0cp5IydX/z3Qjzk35XOyKGivh22c /xf4qhSZov48QNVhaW8RYOGEr78cobZTY81/BmxCA/JoRp78B/hnuqpzD7DSn3pKFdkn SKQM8DZ4yJT9Jm9240kXrZXwqSPVCZgfLaUr+72I4Q3kymGwdc2W56WlJMzdxEvnMXgC pXQA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=BARbJyhx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id h10-20020a17090aa88a00b001efacc53b2esi6207517pjq.25.2022.07.09.23.33.03; Sat, 09 Jul 2022 23:33:37 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@linux.microsoft.com header.s=default header.b=BARbJyhx; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linux.microsoft.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229492AbiGJG0Q (ORCPT + 99 others); Sun, 10 Jul 2022 02:26:16 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:60870 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229450AbiGJG0P (ORCPT ); Sun, 10 Jul 2022 02:26:15 -0400 Received: from linux.microsoft.com (linux.microsoft.com [13.77.154.182]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 0426911C28; Sat, 9 Jul 2022 23:26:14 -0700 (PDT) Received: from sequoia (162-237-133-238.lightspeed.rcsntx.sbcglobal.net [162.237.133.238]) by linux.microsoft.com (Postfix) with ESMTPSA id E0575204CB2B; Sat, 9 Jul 2022 23:26:12 -0700 (PDT) DKIM-Filter: OpenDKIM Filter v2.11.0 linux.microsoft.com E0575204CB2B DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=linux.microsoft.com; s=default; t=1657434373; bh=vRH4An09fv5tOAeTFJW/Mxypr1Ya6mmtln9ASL5X9xI=; h=Date:From:To:Cc:Subject:References:In-Reply-To:From; b=BARbJyhxS1Qo4Foxx/iMtbmAHpNs6GISrSvFIA8zhcrjNUl1JKxoyueE3Cclq7Z5n gjV67Arf6iZefe7e4/Mks92ItIgm8IOxGHGkHk7K++8MgQokoRsAVWHCW7Spkei1Uj WL8yC/3PFQ1MR8BMzuDE5enFquKAZw4Gy4PPmxg8= Date: Sun, 10 Jul 2022 01:25:57 -0500 From: Tyler Hicks To: Eric Van Hensbergen , Latchesar Ionkov , Dominique Martinet , Christian Schoenebeck Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Subject: Re: [PATCH] net/9p: Initialize the iounit field during fid creation Message-ID: <20220710062557.GA272934@sequoia> References: <20220709200005.681861-1-tyhicks@linux.microsoft.com> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Content-Transfer-Encoding: quoted-printable In-Reply-To: <20220709200005.681861-1-tyhicks@linux.microsoft.com> X-Spam-Status: No, score=-19.8 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,ENV_AND_HDR_SPF_MATCH,RCVD_IN_DNSWL_MED, SPF_HELO_PASS,SPF_PASS,T_SCC_BODY_TEXT_LINE,USER_IN_DEF_DKIM_WL, USER_IN_DEF_SPF_WL autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On 2022-07-09 15:00:05, Tyler Hicks wrote: > Ensure that the fid's iounit field is set to zero when a new fid is > created. Certain 9P operations, such as OPEN and CREATE, allow the > server to reply with an iounit size which the client code assigns to the > fid struct shortly after the fid is created in p9_fid_create(). Other > operations that follow a call to p9_fid_create(), such as an XATTRWALK, > don't include an iounit value in the reply message from the server. In > the latter case, the iounit field remained uninitialized. Depending on > allocation patterns, the iounit value could have been something > reasonable that was carried over from previously freed fids or, in the > worst case, could have been arbitrary values from non-fid related usages > of the memory location. >=20 > The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel > after the uninitialized iounit field resulted in the typical sequence of > two getxattr(2) syscalls, one to get the size of an xattr and another > after allocating a sufficiently sized buffer to fit the xattr value, to > hit an unexpected ERANGE error in the second call to getxattr(2). An > uninitialized iounit field would sometimes force rsize to be smaller > than the xattr value size in p9_client_read_once() and the 9P server in > WSL refused to chunk up the READ on the attr_fid and, instead, returned > ERANGE to the client. The virtfs server in QEMU seems happy to chunk up > the READ and this problem goes undetected there. However, there are > likely other non-xattr implications of this bug that could cause > inefficient communication between the client and server. >=20 > Cc: stable@vger.kernel.org > Signed-off-by: Tyler Hicks > --- >=20 > Note that I haven't had a chance to identify when this bug was > introduced so I don't yet have a proper Fixes tag. The history looked a > little tricky to me but I'll have another look in the coming days. We > started hitting this bug after trying to move from linux-5.10.y to > linux-5.15.y but I didn't see any obvious changes between those two > series. I'm not confident of this theory but perhaps the fid refcounting > changes impacted the fid allocation patterns enough to uncover the > latent bug? =46rom reading the source, I believe that this first showed up in commit ebf46264a004 ("fs/9p: Add support user. xattr") which landed in v2.6.36. Before that commit, p9_client_read(), p9_client_write(), and p9_client_readdir() were always passed a fid that came from a file's private_data and went through the open/create functions that initialized iounit. That commit was the first that passed a fid directly from p9_fid_create() to p9_client_read(). Tyler