Date: Tue, 29 Aug 2023 16:11:38 +0200
From: Marco Elver
To: Dominique Martinet
Cc: syzbot, davem@davemloft.net, edumazet@google.com, ericvh@kernel.org, kuba@kernel.org, linux-fsdevel@vger.kernel.org, linux-kernel@vger.kernel.org, linux_oss@crudebyte.com, lucho@ionkov.net, netdev@vger.kernel.org, pabeni@redhat.com, syzkaller-bugs@googlegroups.com, v9fs@lists.linux.dev
Subject: Re: [syzbot] [net?] [v9fs?] KCSAN: data-race in p9_fd_create / p9_fd_create (2)
References: <000000000000d26ff606040c9719@google.com>
X-Mailing-List: linux-kernel@vger.kernel.org

On Tue, Aug 29, 2023 at 07:57PM +0900, Dominique Martinet wrote:
[...]
> Yes well that doesn't seem too hard to hit, both threads are just
> setting O_NONBLOCK to the same fd in parallel (0x800 is 04000,
> O_NONBLOCK)
>
> I'm not quite sure why that'd be a problem; and I'm also pretty sure
> that wouldn't work anyway (9p has no muxing or anything that'd allow
> sharing the same fd between multiple mounts)
>
> Can this be flagged "don't care" ?

If it's an intentional data race, it could be marked data_race() [1].

However, staring at this code for a bit, I wonder why the f_flags are
set on open, and not on initialization somewhere...

[1] https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/tree/tools/memory-model/Documentation/access-marking.txt

Anyway, a patch like the below would document that the data race is
intended and we assume that there is no way (famous last words) the
compiler or the CPU can mess it up (and KCSAN won't report it again).

------ >8 ------

From: Marco Elver
Date: Tue, 29 Aug 2023 15:48:58 +0200
Subject: [PATCH] 9p: Annotate data-racy writes to file::f_flags

syzbot reported:

 | BUG: KCSAN: data-race in p9_fd_create / p9_fd_create
 |
 | read-write to 0xffff888130fb3d48 of 4 bytes by task 15599 on cpu 0:
 |  p9_fd_open net/9p/trans_fd.c:842 [inline]
 |  p9_fd_create+0x210/0x250 net/9p/trans_fd.c:1092
 |  p9_client_create+0x595/0xa70 net/9p/client.c:1010
 |  v9fs_session_init+0xf9/0xd90 fs/9p/v9fs.c:410
 |  v9fs_mount+0x69/0x630 fs/9p/vfs_super.c:123
 |  legacy_get_tree+0x74/0xd0 fs/fs_context.c:611
 |  vfs_get_tree+0x51/0x190 fs/super.c:1519
 |  do_new_mount+0x203/0x660 fs/namespace.c:3335
 |  path_mount+0x496/0xb30 fs/namespace.c:3662
 |  do_mount fs/namespace.c:3675 [inline]
 |  __do_sys_mount fs/namespace.c:3884 [inline]
 |  [...]
 |
 | read-write to 0xffff888130fb3d48 of 4 bytes by task 15563 on cpu 1:
 |  p9_fd_open net/9p/trans_fd.c:842 [inline]
 |  p9_fd_create+0x210/0x250 net/9p/trans_fd.c:1092
 |  p9_client_create+0x595/0xa70 net/9p/client.c:1010
 |  v9fs_session_init+0xf9/0xd90 fs/9p/v9fs.c:410
 |  v9fs_mount+0x69/0x630 fs/9p/vfs_super.c:123
 |  legacy_get_tree+0x74/0xd0 fs/fs_context.c:611
 |  vfs_get_tree+0x51/0x190 fs/super.c:1519
 |  do_new_mount+0x203/0x660 fs/namespace.c:3335
 |  path_mount+0x496/0xb30 fs/namespace.c:3662
 |  do_mount fs/namespace.c:3675 [inline]
 |  __do_sys_mount fs/namespace.c:3884 [inline]
 |  [...]
 |
 | value changed: 0x00008002 -> 0x00008802

Within p9_fd_open(), O_NONBLOCK is added to f_flags of the read and
write files. This may happen concurrently if e.g. 2 tasks mount the same
filesystem.

Mark the plain read-modify-writes as intentional data-races, with the
assumption that the result of executing the accesses concurrently will
always result in the same result despite the accesses themselves not
being atomic.

Reported-by: syzbot+e441aeeb422763cc5511@syzkaller.appspotmail.com
Signed-off-by: Marco Elver
---
 net/9p/trans_fd.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 00b684616e8d..9b01e15a758b 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -833,13 +833,13 @@ static int p9_fd_open(struct p9_client *client, int rfd, int wfd) if (!(ts->rd->f_mode & FMODE_READ)) goto out_put_rd; /* prevent workers from hanging on IO when fd is a pipe */ - ts->rd->f_flags |= O_NONBLOCK; + data_race(ts->rd->f_flags |= O_NONBLOCK); ts->wr = fget(wfd); if (!ts->wr) goto out_put_rd; if (!(ts->wr->f_mode & FMODE_WRITE)) goto out_put_wr; - ts->wr->f_flags |= O_NONBLOCK; + data_race(ts->wr->f_flags |= O_NONBLOCK); client->trans = ts; client->status = Connected; -- 2.42.0.rc2.253.gd59a3bf2b4-goog
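
Review bot: Both changed lines in p9_fd_open() wrap a compound `|=` in data_race(), which is still a separate load, OR and store, so the annotation only holds if every concurrent writer to f_flags sets the same O_NONBLOCK bit. The files come from caller-supplied descriptors (`ts->wr = fget(wfd)` is visible in the context), and nothing in this hunk rules out another writer changing a different f_flags bit and having that change overwritten by the stale store. Please extend the existing "prevent workers from hanging on IO" comment to state this assumption, repeat it at the `ts->wr` site which currently has no comment at all, or consider serialising the two updates under the file's f_lock so that no annotation is needed.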
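
The assumption stated in the commit message can be checked by enumerating interleavings. The following userspace model is an added example, not part of the patch or of the kernel sources: it splits a plain `flags |= bit` into its load and store steps and runs every schedule of two tasks, starting from the 0x00008002 value in the KCSAN report. `OTHER_BIT` is a constructed stand-in for any f_flags bit other than O_NONBLOCK.

```c
#include <stdio.h>

#define NONBLOCK_BIT 04000u /* 0x800: O_NONBLOCK as quoted in the thread */
#define OTHER_BIT    02000u /* assumed: some other f_flags bit, constructed for the demo */

/* A plain "flags |= bit" is a load followed by an OR-and-store. */
struct task { unsigned bit, tmp; int pc; };

static void step(struct task *t, unsigned *flags)
{
    if (t->pc++ == 0)
        t->tmp = *flags;            /* step 1: load */
    else
        *flags = t->tmp | t->bit;   /* step 2: OR and store */
}

/* Run one interleaving: bit i of sched picks which task executes step i. */
static unsigned run(unsigned init, unsigned bit_a, unsigned bit_b, unsigned sched)
{
    struct task t[2] = { { bit_a, 0, 0 }, { bit_b, 0, 0 } };
    unsigned flags = init;
    for (int i = 0; i < 4; i++)
        step(&t[(sched >> i) & 1], &flags);
    return flags;
}

/* Count interleavings whose result differs from init | bit_a | bit_b. */
static int lost_updates(unsigned init, unsigned bit_a, unsigned bit_b)
{
    int lost = 0;
    for (unsigned sched = 0; sched < 16; sched++) {
        int ones = 0;
        for (int i = 0; i < 4; i++)
            ones += (sched >> i) & 1;
        if (ones != 2)              /* each task must run exactly two steps */
            continue;
        if (run(init, bit_a, bit_b, sched) != (init | bit_a | bit_b))
            lost++;
    }
    return lost;
}

int main(void)
{
    unsigned init = 0x00008002;     /* "value changed" start value from the report */
    printf("same bit:      %d of 6 interleavings lose an update\n",
           lost_updates(init, NONBLOCK_BIT, NONBLOCK_BIT));
    printf("different bit: %d of 6 interleavings lose an update\n",
           lost_updates(init, NONBLOCK_BIT, OTHER_BIT));
    return 0;
}
```

Two writers of the same bit converge on 0x00008802 under every schedule, which is the case the patch annotates; a writer of a different bit is where the model shows lost updates.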