Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp2228839imw; Sun, 10 Jul 2022 00:54:38 -0700 (PDT) X-Google-Smtp-Source: AGRyM1v++AYDlCC84MU3Q1gIAZQQD/9/251bXGqQDRMr5VTdTnNr+sOprG/hR1r1P1PqRQ4g7A6Q X-Received: by 2002:a05:6402:1d53:b0:43a:9ba7:315b with SMTP id dz19-20020a0564021d5300b0043a9ba7315bmr16748167edb.350.1657439678310; Sun, 10 Jul 2022 00:54:38 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1657439678; cv=none; d=google.com; s=arc-20160816; b=Pm8U+NTlT3wxgCRexvbSvsEAifKSPTWDT7VqoIAAAYsE6irQD4gIpfDZSItNm3aQ4W tegFwhyawtcCKKEGNAKyXFUABkMV8f+dqpX7wHNqVhUsKcKycYVJlg3HEibKtVyEjQE5 DRRsLLRWNpe3Iewni35ZUpG3MdfOrLITUaCrhnLQV4mwzvZstk4jusYES7E4BVcIBEtu RQiw9/cNnCt46WsvAgdQap0jUpMJjInjajlud4Gaqn4h003Hh802XFfozHM5JeENExTB PMoRc4RYzhpp96ZCYibpyVxU9WaNN8xIbQb2M+muuHAYg+EDjK7xmtgs6GpPsTGb3Vpl r+LQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:in-reply-to:from :references:cc:to:content-language:subject:user-agent:mime-version :date:message-id; bh=SuxhVONG9quAbA4ZGLT2XDljoXjAptxAeH3M8Kl1+kk=; b=fBN3dwRL2qONDAujXblFjhxa3RM9/caNiSQZgnZH1dZV24F6zzyTzqV/30bPCWI8zt fMy+nA5on8Pudj4Slnptje5vhwwrS6k4pN10G8JjISqR6BjPMgGaMBxg8JfEScdpniTS zmdJ0lWu4vqPXr+FF0/3rLSVtHbenTlFVH3tsbfqMTm6KHYRvMDZVeq8Tz/wMSXkXyfV IqauYwAsZvsH5lYGv8UYPHWpyRea0ZocGVFLLx5QmxJ5/5H9Zlxos2z3UtnIBEs+vc26 puT2k5T9+Q21RTT4mnHKH+9h+afRr0IWo/jzvDG7gcKyp5TMvjaQZimn0hOZMYtPJwnM j6uA== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id mp36-20020a1709071b2400b006fed9376071si6598641ejc.13.2022.07.10.00.54.02; Sun, 10 Jul 2022 00:54:38 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229456AbiGJGpN (ORCPT + 99 others); Sun, 10 Jul 2022 02:45:13 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39294 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229469AbiGJGpK (ORCPT ); Sun, 10 Jul 2022 02:45:10 -0400 Received: from smtp.smtpout.orange.fr (smtp02.smtpout.orange.fr [80.12.242.124]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3F65B13D78 for ; Sat, 9 Jul 2022 23:45:09 -0700 (PDT) Received: from [192.168.1.18] ([90.11.190.129]) by smtp.orange.fr with ESMTPA id AQgjoJcy1Zfs8AQgjo80s7; Sun, 10 Jul 2022 08:45:07 +0200 X-ME-Helo: [192.168.1.18] X-ME-Auth: YWZlNiIxYWMyZDliZWIzOTcwYTEyYzlhMmU3ZiQ1M2U2MzfzZDfyZTMxZTBkMTYyNDBjNDJlZmQ3ZQ== X-ME-Date: Sun, 10 Jul 2022 08:45:07 +0200 X-ME-IP: 90.11.190.129 Message-ID: <311190f4-3eba-b2d2-1a5e-a00aad8d64dc@wanadoo.fr> Date: Sun, 10 Jul 2022 08:45:04 +0200 MIME-Version: 1.0 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Thunderbird/91.9.1 Subject: Re: [PATCH] net/9p: Initialize the iounit field during fid creation Content-Language: en-US To: Tyler Hicks , Eric Van Hensbergen , Latchesar Ionkov , Dominique Martinet , Christian Schoenebeck Cc: "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org References: <20220709200005.681861-1-tyhicks@linux.microsoft.com> From: Christophe JAILLET In-Reply-To: <20220709200005.681861-1-tyhicks@linux.microsoft.com> Content-Type: text/plain; charset=UTF-8; format=flowed Content-Transfer-Encoding: 8bit X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NICE_REPLY_A, RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS, T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Le 09/07/2022 à 22:00, Tyler Hicks a écrit : > Ensure that the fid's iounit field is set to zero when a new fid is > created. Certain 9P operations, such as OPEN and CREATE, allow the > server to reply with an iounit size which the client code assigns to the > fid struct shortly after the fid is created in p9_fid_create(). Other > operations that follow a call to p9_fid_create(), such as an XATTRWALK, > don't include an iounit value in the reply message from the server. In > the latter case, the iounit field remained uninitialized. Depending on > allocation patterns, the iounit value could have been something > reasonable that was carried over from previously freed fids or, in the > worst case, could have been arbitrary values from non-fid related usages > of the memory location. > > The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel > after the uninitialized iounit field resulted in the typical sequence of > two getxattr(2) syscalls, one to get the size of an xattr and another > after allocating a sufficiently sized buffer to fit the xattr value, to > hit an unexpected ERANGE error in the second call to getxattr(2). An > uninitialized iounit field would sometimes force rsize to be smaller > than the xattr value size in p9_client_read_once() and the 9P server in > WSL refused to chunk up the READ on the attr_fid and, instead, returned > ERANGE to the client. The virtfs server in QEMU seems happy to chunk up > the READ and this problem goes undetected there. However, there are > likely other non-xattr implications of this bug that could cause > inefficient communication between the client and server. > > Cc: stable@vger.kernel.org > Signed-off-by: Tyler Hicks > --- > > Note that I haven't had a chance to identify when this bug was > introduced so I don't yet have a proper Fixes tag. The history looked a > little tricky to me but I'll have another look in the coming days. We > started hitting this bug after trying to move from linux-5.10.y to > linux-5.15.y but I didn't see any obvious changes between those two > series. I'm not confident of this theory but perhaps the fid refcounting > changes impacted the fid allocation patterns enough to uncover the > latent bug? > > net/9p/client.c | 1 + > 1 file changed, 1 insertion(+) > > diff --git a/net/9p/client.c b/net/9p/client.c > index 8bba0d9cf975..1dfceb9154f7 100644 > --- a/net/9p/client.c > +++ b/net/9p/client.c > @@ -899,6 +899,7 @@ static struct p9_fid *p9_fid_create(struct p9_client *clnt) > fid->clnt = clnt; > fid->rdir = NULL; > fid->fid = 0; > + fid->iounit = 0; > refcount_set(&fid->count, 1); > > idr_preload(GFP_KERNEL); Hi, you could also kzalloc 'fid' and remove the memset, "= NULL" and "= 0". This would be even more future proof and would save some LoC. Just my 2c, CJ