Received: by 2002:a05:6358:d09b:b0:dc:cd0c:909e with SMTP id jc27csp6774452rwb; Mon, 12 Dec 2022 06:19:24 -0800 (PST) X-Google-Smtp-Source: AA0mqf4BzuPeIMV1MBF2Qw+LOrzQL8ZFQg2dJ3jBWe7I/cjNBMQSjV+IyU9sCL9KQ+JFfvTaAv6H X-Received: by 2002:a17:90b:494:b0:213:1d5:8acf with SMTP id bh20-20020a17090b049400b0021301d58acfmr16428716pjb.18.1670854764241; Mon, 12 Dec 2022 06:19:24 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1670854764; cv=none; d=google.com; s=arc-20160816; b=SdwdUdb3IO3lhBUqe1UeVUlwm9V0cWdF+eqpQFbHPhsBCCJkALnH19kKEw0t1KKlLT BUpasDBP96J8snv8sc2nd/dlSmR6CVjQEQY0aiKx/Q5KcTKoPqEnSNFP9/jy1+kji4fF 6oQ1XCoFWkqBW9P8tKK1V0ZTjjEiOuGMg86VuRNkmdh5FdZMrAPZ2pVpH8i53vkXoC3D Sp1/eFYf9pjCFzLUy7Rw6c/yeFcNvvsCsq87NI7hN8U7zi6Tw9/AUhtyqVXj8k2jT5us sZ+t7JARn2x3wPwOrPtYQskjVkC6fCseRByXF6EOFCVckp0FuGvokZnlibzQWLA8ivwd OdCQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=fz5Bb1HkOnzUlPrBGL969RO1qlOdWuFW9bWTEczProg=; b=orpXFOHheC0oTimmB0fLt4ptA2eCJKeNCCD80pCeyGV4aI6TryZPey3irQj5E4Kvlv SeXMCyBcDcHisMGhsxkSKYvFvWHHo0yXvBsvLwgIT+8rdvlfMxueRfrCmF3gqF6/zTo0 R+e77a2WC4yPyYGh+FPgiTzJBJmDsT6WgTZ2f/atG4veD98fd8GgORYjJtFQWdv0clve wDHavUzMwKqT8cFsT67G14k2215sJ0CjpigljA7EBBvoN8GZtTy4LlxozCdi5XOaqZlC DO0RvmaWLxSmFT9fNztHvvio2j48B1EM7pwJiQmPlNEaUGmbcMUGG6SF/PpRJrKzMOZG 0vbw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@crudebyte.com header.s=kylie header.b="Aqs69a/o"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=crudebyte.com Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id oj10-20020a17090b4d8a00b00219c0cd0f1dsi10751019pjb.145.2022.12.12.06.19.13; Mon, 12 Dec 2022 06:19:24 -0800 (PST) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@crudebyte.com header.s=kylie header.b="Aqs69a/o"; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=crudebyte.com Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S232955AbiLLNlD (ORCPT + 75 others); Mon, 12 Dec 2022 08:41:03 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41778 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232558AbiLLNkc (ORCPT ); Mon, 12 Dec 2022 08:40:32 -0500 Received: from kylie.crudebyte.com (kylie.crudebyte.com [5.189.157.229]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 66026E0F6 for ; Mon, 12 Dec 2022 05:39:46 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=crudebyte.com; s=kylie; h=Content-Type:Content-Transfer-Encoding: MIME-Version:References:In-Reply-To:Message-ID:Date:Subject:Cc:To:From: Content-ID:Content-Description; bh=fz5Bb1HkOnzUlPrBGL969RO1qlOdWuFW9bWTEczProg=; b=Aqs69a/o+oA9QIgpROLGuDvWka RNL8sZxXLpKl3wZ5E6/G+Jykc/Ibedh4SbTEqHCTjxfPRFtX0wTOwqyJXpVmayN1/Ms/UJckgWOmk 7QXCtFy7TxknO2aaq8AQ3N378RuIRqGWKWPSs7TGv80WRahRZbPD7ZLF5jh7yu4EP1eZ3gq7oW2QL QCY9kgqNsYUWeMkqgB99laieyj6PStMRcYM6nFEFgEy9zFNOlod1D8Vo3qyEv/DX0iSPIg7iGK6nn POaQnyVsBHvfYJpjciQwY+QjWVLr1qfPzIT0mktetZe/pXdAW0VdJH+MmRYZbo3m3DeOnCa5EUTMB saoB4c3ujfvogygLjgFb20srtkp5xRXr46fovgySqoLoyIU2Loj7MyB4jLM0e9uxYwZZZSDAiUKKj Cqjuf58jsEG2IsJdLR5iHbB5DLazAQqwNeP5sByQ9reZwxoh6qikcWXwRxf5IkqxWV5aGR0iUcBu5 BteRhBgK8J80TS2DErDcFmyAE7f+4liAuA9L1Ldhm8SRzk1BrwX6NwmTvgO9n9nup1XosdBYwpEHr HFVHgAJ3GG75Drhy7wnvBFbQkd+JQ043KZ6yYeCr8vK9UDPrzREMS2PE6mY7faNQMgRXAqJHLnkkt pWOSNBAISSSxxpIqG3ss2S4FIk1RqLUPZ0jduuqOQ=; From: Christian Schoenebeck To: Dominique Martinet Cc: Naresh Kamboju , v9fs-developer@lists.sourceforge.net, linux-kernel@vger.kernel.org, Marco Elver Subject: Re: [PATCH] 9p/client: fix data race on req->status Date: Mon, 12 Dec 2022 14:39:43 +0100 Message-ID: <14282286.flAjB0pb5C@silver> In-Reply-To: References: <20221205124756.426350-1-asmadeus@codewreck.org> <2603677.8PHbUxGoeg@silver> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" X-Spam-Status: No, score=-2.1 required=5.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Friday, December 9, 2022 10:12:41 PM CET Dominique Martinet wrote: > Christian Schoenebeck wrote on Fri, Dec 09, 2022 at 02:45:51PM +0100: > > > > What about p9_tag_alloc()? > > > > > > I think that one's ok: it happens during the allocation before the > > > request is enqueued in the idr, so it should be race-free by defition. > > > > > > tools/memory-model/Documentation/access-marking.txt says > > > "Initialization-time and cleanup-time accesses" should use plain > > > C-language accesses, so I stuck to that. > > > > When it is allocated then it is safe, but the object may also come from a pool > > here. It's probably not likely to cause an issue here, just saying. > > If it comes from the pool then it is gated by the refcount... But that > would require a similar barrier indeed (init stuff, wmb, init refcount > // get req + check refcount, rmb, read stuff e.g. tag); just a > write_once would not help. > > For the init side I assume unlocking c->lock acts as a write barrier > after tag is set, which is conveniently the last step, but we'd need a > read barrier here in tag lookup: > -------- > diff --git a/net/9p/client.c b/net/9p/client.c > index fef6516a0639..68585ad9003c 100644 > --- a/net/9p/client.c > +++ b/net/9p/client.c > @@ -363,6 +363,7 @@ struct p9_req_t *p9_tag_lookup(struct p9_client *c, u16 tag) > */ > if (!p9_req_try_get(req)) > goto again; > + smp_rmb(); > if (req->tc.tag != tag) { > p9_req_put(c, req); > goto again; > -------- > > OTOH this cannot happen with a normal server (a req should only be looked > up after it has been sent to the server and comes back, which involves a > few round trip and a few locks in the recv paths for tcp); but if syzbot > tries hard enough I guess that could be hit... > I don't have a strong opinion on this: I don't think anything really bad > can happen here as long as the refcount is correct (status is read under > lock when it matters before extra decrements of the refcount, and writes > to the buffer itself are safe from a memory pov), even if it's obviously > not correct strictly speaking. > (And I have no way of measuring what impact that extra barrier would have > tbh; for virtio at least lookup is actually never used...) Yeah agreed, this was more of a theoretical issue. With the other memory barrier patch posted by you already: Reviewed-by: Christian Schoenebeck