Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp1903904rwb;
        Tue, 29 Nov 2022 22:33:02 -0800 (PST)
X-Google-Smtp-Source: AA0mqf4HRzKXYJUk+R897g45C6QH+22y8YK9iWBy/LKbgwJ2EJlD6eMj9MQs6VHcEKE8jG07Twzc
X-Received: by 2002:a63:d14f:0:b0:476:95a8:de78 with SMTP id c15-20020a63d14f000000b0047695a8de78mr38977856pgj.66.1669789982714;
        Tue, 29 Nov 2022 22:33:02 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1669789982; cv=none;
        d=google.com; s=arc-20160816;
        b=FLtK7J+98DZSwRAtr/o433Dn/fPAr/NH27a8K687ZfuxV1eX+Bey4XJhqwggI4nqf+
         N4z+MN6insqPlPXotVjaZWl6x5U5Td5FIWcUcZQ77YADftZIIqKxRvIb+G/V8mJgeoiN
         fxe/Et4sPkhGB1vh0ZWJ7X61KWyPxK7I5nJiTRqrzr54s0u5ht/7nih1DWjBLGXHz9Mg
         EMXo7Uif1FN2rOSvLx+8kZ2d66r5ZMCopJH4YLlNK0zl2ZD7+fALB/SNLn40b7a36b3E
         xc9aggIigQUH6kKaSNTqJnwuog+8JTubq/x1H1FcTW0Q801jL3TSzsxXYoCQAkdFIlYe
         vYQA==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:in-reply-to:content-disposition:mime-version
         :references:message-id:subject:cc:to:from:date:dkim-signature
         :dkim-signature;
        bh=W9hCW6luP/6v5RJwLkkF/k888Scy0g/o6MDl4j/XRHU=;
        b=L2kViy/mgKML68MeLgJRwOBdzNwZifjaYcEBQn3wNZopGaEw15Q5iCRnYPSfosIib+
         3W9MH90ZL/ijsZcJKVL5gPnnwlbV4Un6PNi3B4YIPzLcr/nz+0q5wXW5XHzin/bffHJE
         fGFQcYahmE/xzy2flqvwWpSXYbyPCZrlqvGwdlw2/goPARpAYDtTQEL64d3DWPUC8vdT
         7nyqRXmxjJjr/9iGs5Uk2Uj8/fBcZT7/hof4TX+Re7tr4pECYU7ig5BjXWcImQQG3wvI
         Nj4sRhSgTOBmKELPxnkp+hcfTZzLRGFZ1F8tf7vQ4VGh0B3KK11CvH0CaXvdX7jG0p4v
         kEig==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@codewreck.org header.s=2 header.b=qbYXVSsG;
       dkim=pass header.i=@codewreck.org header.s=2 header.b=BYFRPQXz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=codewreck.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id f5-20020a631f05000000b004785b6be01csi523399pgf.181.2022.11.29.22.32.51;
        Tue, 29 Nov 2022 22:33:02 -0800 (PST)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@codewreck.org header.s=2 header.b=qbYXVSsG;
       dkim=pass header.i=@codewreck.org header.s=2 header.b=BYFRPQXz;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=codewreck.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S234016AbiK3GRC (ORCPT <rfc822;5losepatience@gmail.com>
        + 85 others); Wed, 30 Nov 2022 01:17:02 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40086 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S230147AbiK3GQ6 (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 30 Nov 2022 01:16:58 -0500
Received: from nautica.notk.org (nautica.notk.org [91.121.71.147])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 063CF2CE33;
        Tue, 29 Nov 2022 22:16:56 -0800 (PST)
Received: by nautica.notk.org (Postfix, from userid 108)
        id 1764DC009; Wed, 30 Nov 2022 07:17:04 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=codewreck.org; s=2;
        t=1669789024; bh=W9hCW6luP/6v5RJwLkkF/k888Scy0g/o6MDl4j/XRHU=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=qbYXVSsGvtKHAF7eNjlThPzJCsV8p735MPlXRJxCrDzXkaEkqurTssSmVozhKGvWg
         f7WWnMHDKFrdEYdBIoL2e5MSqer6hIQQD5RaD+kfE6ahIN9JsdZ7vbVLY6fQeT+WjB
         10BDRsOZYe9din+p6Yx/8dbMXf6zBQUudzj2GizYU1ODww1cR8mY7HHXG3FAFtnfAg
         7/uu/MPtt4TtIbHaK62jxyhf0xTqPmyctdWSNafYU2T4Z8Z6zLDrao8BGWS8Z2nU3i
         9kkrPSZF9ME3Q5nAuu/oW0636DvGsWx1utx8CoNgXfTEgZe1MFQVLjvnxc/Ko50ah8
         o7EtZhTSR6ELA==
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
X-Spam-Level: 
X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED,
        DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS
        autolearn=ham autolearn_force=no version=3.4.6
Received: from odin.codewreck.org (localhost [127.0.0.1])
        by nautica.notk.org (Postfix) with ESMTPS id B9D6BC009;
        Wed, 30 Nov 2022 07:16:44 +0100 (CET)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=codewreck.org; s=2;
        t=1669789008; bh=W9hCW6luP/6v5RJwLkkF/k888Scy0g/o6MDl4j/XRHU=;
        h=Date:From:To:Cc:Subject:References:In-Reply-To:From;
        b=BYFRPQXzBgX7gJTqn47e4RxS/7ps97i2zn3eVZuaHgaKv2hDkmzps3FlohwTNURPd
         71YfW1/fCri2W7mzIphgRoxP+AXz1VfbvcEMmCoRmgZRZVEo2PuUopH9hkqk1A+K2g
         ggwUkEBKG2I0UF4cm7ziFvO8ULQJdWdbOBi9nwzrSnFsKYkCmPbI+9cYMjzonE/OJh
         Zk6tjZMWmgbn6zcedPOwCi/kWIffm/JSk1OF5sXivUZYREfQr+JSPaFP0PYraf6pwE
         Icw/YK9dhvyzzUI7EWbdl5aP2GyqmlcMVK3zlir1r8o2BTTKcj4Mk8NYhTshSNuRYm
         GctMFTzkWI/hw==
Received: from localhost (odin.codewreck.org [local])
        by odin.codewreck.org (OpenSMTPD) with ESMTPA id 074f5648;
        Wed, 30 Nov 2022 06:16:32 +0000 (UTC)
Date:   Wed, 30 Nov 2022 15:16:17 +0900
From:   asmadeus@codewreck.org
To:     Schspa Shi <schspa@gmail.com>
Cc:     ericvh@gmail.com, lucho@ionkov.net, linux_oss@crudebyte.com,
        davem@davemloft.net, edumazet@google.com, kuba@kernel.org,
        pabeni@redhat.com, v9fs-developer@lists.sourceforge.net,
        netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        syzbot+8f1060e2aaf8ca55220b@syzkaller.appspotmail.com
Subject: Re: [PATCH] 9p: fix crash when transaction killed
Message-ID: <Y4b1MQaEsPRK+3lF@codewreck.org>
References: <20221129162251.90790-1-schspa@gmail.com>
 <Y4aJzjlkkt5VKy0G@codewreck.org>
 <m2r0xli1mq.fsf@gmail.com>
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Disposition: inline
In-Reply-To: <m2r0xli1mq.fsf@gmail.com>
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

(fixed Christophe's address, hopefully that will do for good...)

Schspa Shi wrote on Wed, Nov 30, 2022 at 10:22:44AM +0800:
> > I'm happy to believe we have a race somewhere (even if no sane server
> > would produce it), but right now I don't see it looking at the code.. :/
> 
> And I think there is a race too. because the syzbot report about 9p fs
> memory corruption multi times.

Yes, no point in denying that :)

> As for the problem, the p9_tag_lookup only takes the rcu_read_lock when
> accessing the IDR, why it doesn't take the p9_client->lock? Maybe the
> root cause is that a lock is missing here.

It shouldn't need to, but happy to try adding it.
For the logic:
 - idr_find is RCU-safe (trusting the comment above it)
 - reqs are alloced in a kmem_cache created with SLAB_TYPESAFE_BY_RCU.
 This means that if we get a req from idr_find, even if it has just been
 freed, it either is still in the state it was freed at (hence refcount
 0, we ignore it) or is another req coming from the same cache (if
 refcount isn't zero, we can check its tag)
 The refcount itself is an atomic operation so doesn't require lock.
 ... And in the off chance I hadn't considered that we're already
 dealing with a new request with the same tag here, we'll be updating
 its status so another receive for it shouldn't use it?...

I don't think adding the client lock helps with anything here, but it'll
certainly simplify this logic as we then are guaranteed not to get
obsolete results from idr_find.

Unfortunately adding a lock will slow things down regardless of
correctness, so it might just make the race much harder to hit without
fixing it and we might not notice that, so it'd be good to understand
the race.

-- 
Dominique