Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp3353800rwb; Wed, 30 Nov 2022 20:00:07 -0800 (PST) X-Google-Smtp-Source: AA0mqf6VVYXeqS3PiWj5FVHNuelcwLfXpzV5jjtA4g+1WAqqH7GFNMBNhgiEQ/5HDiPDDrQMPBRF X-Received: by 2002:a05:6402:3893:b0:461:b033:90ac with SMTP id fd19-20020a056402389300b00461b03390acmr46823031edb.257.1669867206910; Wed, 30 Nov 2022 20:00:06 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1669867206; cv=none; d=google.com; s=arc-20160816; b=IJfFUqJIsyeH6XhD88Y0Dg/ls9wF/DCD5PoEjoooW4/6I0ltD+pMCF75enChUR0xC5 NTXn+TYFWVJR67zifZcKu6HkEWWZskLdcc627So0LK4YsxmrmN0AcD7wRAaVKx77np8G HBigTymypGcQrmtknfw1Jwbu3zI2xoXnMhX5NmOtIrbWNC2chj74ElOiB/sAVWoU2CTb zkDnVPujRIMXF1CLRKgNDd1DJd3s2dGWG8SPcbmfhcFSSptYplX5KxpuzTRCUsPveBT7 9SIL8ZVwONwtHdohzc13uElxvGAoP1IpG3jh2Ol5MIUKv0Ey7wKRSHrz/lV1OFgWohkc L2qA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:message-id:in-reply-to:date:subject :cc:to:from:user-agent:references:dkim-signature; bh=Y5SYxpBI7GimwE3d7ybl3wRGWGVGzAUnabS54e7bxDY=; b=hfXEcZHsNnfPEF8aGCWr76MKHdoez/FG60IydtuzxUfp13NPPsqqDvhNx1b8/p5mNy m1aSi55Dd4lR/g2p17EC4S0cckem4tqGuXC3GxYTbjpDBPRyl69gQ/xfodljncdtVXdZ IQ0v267VdqG+7cvgg30zOEgll9+bxMlkCUGcJuMvVfQcvXAoQmbBH6cUg2PZrNJobWEJ w+W45zzfbFIu87tS2s7u1/9b0a7CcVBsc4AyFZ7kLj1ko0GT3lFhs4bsqGX2HpPeZ86Z 8v7yjhwbAjUGTEt3Okh01pZMNDZT9+WtZ71jBnWRswCw2umY9+tPnmECZrTjHVG92L0X OMCw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=QVmCUwKU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id dn16-20020a17090794d000b0078e27f2fbe4si3029608ejc.293.2022.11.30.19.59.47; Wed, 30 Nov 2022 20:00:06 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@gmail.com header.s=20210112 header.b=QVmCUwKU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S229507AbiLADBZ (ORCPT + 82 others); Wed, 30 Nov 2022 22:01:25 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:55508 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S229791AbiLADBU (ORCPT ); Wed, 30 Nov 2022 22:01:20 -0500 Received: from mail-pf1-x42b.google.com (mail-pf1-x42b.google.com [IPv6:2607:f8b0:4864:20::42b]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 2543B8EE78; Wed, 30 Nov 2022 19:01:15 -0800 (PST) Received: by mail-pf1-x42b.google.com with SMTP id 124so675823pfy.0; Wed, 30 Nov 2022 19:01:15 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20210112; h=mime-version:message-id:in-reply-to:date:subject:cc:to:from :user-agent:references:from:to:cc:subject:date:message-id:reply-to; bh=Y5SYxpBI7GimwE3d7ybl3wRGWGVGzAUnabS54e7bxDY=; b=QVmCUwKUAtJKgzojk+tHegMuxgfZ1SSDWXFRGkmqn1+O+CvXy5OKQ2XFdG1CeVd7Bo Bwbe7nQD6X0NpDYd/EBkW6AMTYounrQR2fi+XR/b3pZvEagupxVrwB3+DgZj3B4UKlXu jdBApbJrwR48BDnyY5UZKowEW19kZTBNcz3ksSYpYMH7QE2nAXpbjPhQMdtZL6CyYH92 fT5mGigSjNfpY4wRo+NjgIAlYFWB42VCfUz/pFh1im9ss6HoBvCBDyQsdUDO+jDAripp Tibq0M95/oqjOpk/p9KLZEbr4ewHdPq5L9vDSauevls9E6JoJ+aSy9t3zGaqq5C97PnT tz8A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20210112; h=mime-version:message-id:in-reply-to:date:subject:cc:to:from :user-agent:references:x-gm-message-state:from:to:cc:subject:date :message-id:reply-to; bh=Y5SYxpBI7GimwE3d7ybl3wRGWGVGzAUnabS54e7bxDY=; b=wRpdcG3p2h/gkMXSldZiyewvTWVRJLwuzM5KX7Zv9IZ4Qkewx5sTkw4gq+EbMWT44n CHzlQyiGTLn2Hs5cfkM0xcHmufxAkFkGcsY9pH8aONJ3NCtcxMI6u+RQoWAcyeceACi6 ksgxwryIiY4jmn74hyiWCSLFxYn3DCfVz0xYgSJAR8fJwJoceEMrks+BgaLHVyvjUypA mfaNzukK5Q7jNR7kw/f8aeosOMmLHnsChDTrvoyMtrJImHfFPqsz7m/eTLuytYh166TG 4Vh3p0F9qbTAB9zNb02zfg0pN0/xJ3miCi/Z9gMRacmRtlSxYK8KPHLvXpmxhsA3Pt1A 7xuA== X-Gm-Message-State: ANoB5pkJ3o0yO9jKTevMYAcBbha8FguzQR8gFjRP5/k11v5rniSb0hpG 4tRCz9kXAK97Z51EbAdAJHg= X-Received: by 2002:a62:3882:0:b0:56b:9ce2:891f with SMTP id f124-20020a623882000000b0056b9ce2891fmr50778852pfa.43.1669863674575; Wed, 30 Nov 2022 19:01:14 -0800 (PST) Received: from MBP (ec2-18-117-95-84.us-east-2.compute.amazonaws.com. [18.117.95.84]) by smtp.gmail.com with ESMTPSA id j5-20020a17090a3e0500b00218fb211778sm3742075pjc.41.2022.11.30.19.01.05 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Wed, 30 Nov 2022 19:01:13 -0800 (PST) References: <20221129162251.90790-1-schspa@gmail.com> User-agent: mu4e 1.8.10; emacs 28.2 From: Schspa Shi To: asmadeus@codewreck.org Cc: ericvh@gmail.com, lucho@ionkov.net, linux_oss@crudebyte.com, davem@davemloft.net, edumazet@google.com, kuba@kernel.org, pabeni@redhat.com, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzbot+8f1060e2aaf8ca55220b@syzkaller.appspotmail.com Subject: Re: [PATCH] 9p: fix crash when transaction killed Date: Thu, 01 Dec 2022 10:26:12 +0800 In-reply-to: Message-ID: MIME-Version: 1.0 Content-Type: text/plain X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,FREEMAIL_FROM, RCVD_IN_DNSWL_NONE,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org asmadeus@codewreck.org writes: > Schspa Shi wrote on Wed, Nov 30, 2022 at 09:15:12PM +0800: >> >> If the req was newly alloced(It was at a new page), refcount maybe not >> >> 0, there will be problem in this case. It seems we can't relay on this. >> >> >> >> We need to set the refcount to zero before add it to idr in p9_tag_alloc. >> > >> > Hmm, if it's reused then it's zero by definition, but if it's a new >> > allocation (uninitialized) then anything goes; that lookup could find >> > and increase it before the refcount_set, and we'd have an off by one >> > leading to use after free. Good catch! >> > >> > Initializing it to zero will lead to the client busy-looping until after >> > the refcount is properly set, which should work. >> >> Why? It looks no different from the previous process here. Initializing >> it to zero should makes no difference. > > I do not understand this remark. > If this is a freed request it will be zero, because we freed the request > as the refcount hit zero, but if it's a newly allocated request then the > memory is uninitalized, and the lookup can get anything. Here is my misunderstanding. I thought you meant that there would be a loop on the client side to wait for the refcount to become a non-zero value. Actually, there is no such loop. > > In that case we want refcount to be zero to have the check in > p9_tag_lookup to not use the request until we set the refcount to 2. > > >> > Setting refcount early might have us use an re-used req before the tag >> > has been changed so that one cannot move. >> > >> > Could you test with just that changed if syzbot still reproduces this >> > bug? (perhaps add a comment if you send this) >> > >> >> I have upload a new v2 change for this. But I can't easily reproduce >> this problem. > > Ah, I read that v2 as you actually ran some tests with this, sorry for > the misuderstanding. > > Well, it's a fix anyway, so it cannot hurt to apply... -- BRs Schspa Shi