Received: by 2002:ad5:4acb:0:0:0:0:0 with SMTP id n11csp2228839imw;
        Sun, 10 Jul 2022 00:54:38 -0700 (PDT)
X-Google-Smtp-Source: AGRyM1v++AYDlCC84MU3Q1gIAZQQD/9/251bXGqQDRMr5VTdTnNr+sOprG/hR1r1P1PqRQ4g7A6Q
X-Received: by 2002:a05:6402:1d53:b0:43a:9ba7:315b with SMTP id dz19-20020a0564021d5300b0043a9ba7315bmr16748167edb.350.1657439678310;
        Sun, 10 Jul 2022 00:54:38 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1657439678; cv=none;
        d=google.com; s=arc-20160816;
        b=Pm8U+NTlT3wxgCRexvbSvsEAifKSPTWDT7VqoIAAAYsE6irQD4gIpfDZSItNm3aQ4W
         tegFwhyawtcCKKEGNAKyXFUABkMV8f+dqpX7wHNqVhUsKcKycYVJlg3HEibKtVyEjQE5
         DRRsLLRWNpe3Iewni35ZUpG3MdfOrLITUaCrhnLQV4mwzvZstk4jusYES7E4BVcIBEtu
         RQiw9/cNnCt46WsvAgdQap0jUpMJjInjajlud4Gaqn4h003Hh802XFfozHM5JeENExTB
         PMoRc4RYzhpp96ZCYibpyVxU9WaNN8xIbQb2M+muuHAYg+EDjK7xmtgs6GpPsTGb3Vpl
         r+LQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:in-reply-to:from
         :references:cc:to:content-language:subject:user-agent:mime-version
         :date:message-id;
        bh=SuxhVONG9quAbA4ZGLT2XDljoXjAptxAeH3M8Kl1+kk=;
        b=fBN3dwRL2qONDAujXblFjhxa3RM9/caNiSQZgnZH1dZV24F6zzyTzqV/30bPCWI8zt
         fMy+nA5on8Pudj4Slnptje5vhwwrS6k4pN10G8JjISqR6BjPMgGaMBxg8JfEScdpniTS
         zmdJ0lWu4vqPXr+FF0/3rLSVtHbenTlFVH3tsbfqMTm6KHYRvMDZVeq8Tz/wMSXkXyfV
         IqauYwAsZvsH5lYGv8UYPHWpyRea0ZocGVFLLx5QmxJ5/5H9Zlxos2z3UtnIBEs+vc26
         puT2k5T9+Q21RTT4mnHKH+9h+afRr0IWo/jzvDG7gcKyp5TMvjaQZimn0hOZMYtPJwnM
         j6uA==
ARC-Authentication-Results: i=1; mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id mp36-20020a1709071b2400b006fed9376071si6598641ejc.13.2022.07.10.00.54.02;
        Sun, 10 Jul 2022 00:54:38 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229456AbiGJGpN (ORCPT <rfc822;alexzyp@gmail.com> + 99 others);
        Sun, 10 Jul 2022 02:45:13 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:39294 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229469AbiGJGpK (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Sun, 10 Jul 2022 02:45:10 -0400
Received: from smtp.smtpout.orange.fr (smtp02.smtpout.orange.fr [80.12.242.124])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3F65B13D78
        for <linux-kernel@vger.kernel.org>; Sat,  9 Jul 2022 23:45:09 -0700 (PDT)
Received: from [192.168.1.18] ([90.11.190.129])
        by smtp.orange.fr with ESMTPA
        id AQgjoJcy1Zfs8AQgjo80s7; Sun, 10 Jul 2022 08:45:07 +0200
X-ME-Helo: [192.168.1.18]
X-ME-Auth: YWZlNiIxYWMyZDliZWIzOTcwYTEyYzlhMmU3ZiQ1M2U2MzfzZDfyZTMxZTBkMTYyNDBjNDJlZmQ3ZQ==
X-ME-Date: Sun, 10 Jul 2022 08:45:07 +0200
X-ME-IP: 90.11.190.129
Message-ID: <311190f4-3eba-b2d2-1a5e-a00aad8d64dc@wanadoo.fr>
Date:   Sun, 10 Jul 2022 08:45:04 +0200
MIME-Version: 1.0
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101
 Thunderbird/91.9.1
Subject: Re: [PATCH] net/9p: Initialize the iounit field during fid creation
Content-Language: en-US
To:     Tyler Hicks <tyhicks@linux.microsoft.com>,
        Eric Van Hensbergen <ericvh@gmail.com>,
        Latchesar Ionkov <lucho@ionkov.net>,
        Dominique Martinet <asmadeus@codewreck.org>,
        Christian Schoenebeck <linux_oss@crudebyte.com>
Cc:     "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org
References: <20220709200005.681861-1-tyhicks@linux.microsoft.com>
From:   Christophe JAILLET <christophe.jaillet@wanadoo.fr>
In-Reply-To: <20220709200005.681861-1-tyhicks@linux.microsoft.com>
Content-Type: text/plain; charset=UTF-8; format=flowed
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-1.9 required=5.0 tests=BAYES_00,NICE_REPLY_A,
        RCVD_IN_DNSWL_NONE,RCVD_IN_MSPIKE_H2,SPF_HELO_NONE,SPF_PASS,
        T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Le 09/07/2022 à 22:00, Tyler Hicks a écrit :
> Ensure that the fid's iounit field is set to zero when a new fid is
> created. Certain 9P operations, such as OPEN and CREATE, allow the
> server to reply with an iounit size which the client code assigns to the
> fid struct shortly after the fid is created in p9_fid_create(). Other
> operations that follow a call to p9_fid_create(), such as an XATTRWALK,
> don't include an iounit value in the reply message from the server. In
> the latter case, the iounit field remained uninitialized. Depending on
> allocation patterns, the iounit value could have been something
> reasonable that was carried over from previously freed fids or, in the
> worst case, could have been arbitrary values from non-fid related usages
> of the memory location.
> 
> The bug was detected in the Windows Subsystem for Linux 2 (WSL2) kernel
> after the uninitialized iounit field resulted in the typical sequence of
> two getxattr(2) syscalls, one to get the size of an xattr and another
> after allocating a sufficiently sized buffer to fit the xattr value, to
> hit an unexpected ERANGE error in the second call to getxattr(2). An
> uninitialized iounit field would sometimes force rsize to be smaller
> than the xattr value size in p9_client_read_once() and the 9P server in
> WSL refused to chunk up the READ on the attr_fid and, instead, returned
> ERANGE to the client. The virtfs server in QEMU seems happy to chunk up
> the READ and this problem goes undetected there. However, there are
> likely other non-xattr implications of this bug that could cause
> inefficient communication between the client and server.
> 
> Cc: stable@vger.kernel.org
> Signed-off-by: Tyler Hicks <tyhicks@linux.microsoft.com>
> ---
> 
> Note that I haven't had a chance to identify when this bug was
> introduced so I don't yet have a proper Fixes tag. The history looked a
> little tricky to me but I'll have another look in the coming days. We
> started hitting this bug after trying to move from linux-5.10.y to
> linux-5.15.y but I didn't see any obvious changes between those two
> series. I'm not confident of this theory but perhaps the fid refcounting
> changes impacted the fid allocation patterns enough to uncover the
> latent bug?
> 
>   net/9p/client.c | 1 +
>   1 file changed, 1 insertion(+)
> 
> diff --git a/net/9p/client.c b/net/9p/client.c
> index 8bba0d9cf975..1dfceb9154f7 100644
> --- a/net/9p/client.c
> +++ b/net/9p/client.c
> @@ -899,6 +899,7 @@ static struct p9_fid *p9_fid_create(struct p9_client *clnt)
>   	fid->clnt = clnt;
>   	fid->rdir = NULL;
>   	fid->fid = 0;
> +	fid->iounit = 0;
>   	refcount_set(&fid->count, 1);
>   
>   	idr_preload(GFP_KERNEL);

Hi,
you could also kzalloc 'fid' and remove the memset, "= NULL" and "= 0".
This would be even more future proof and would save some LoC.

Just my 2c,

CJ