lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <2356596.7K3kzkM6Yp@silver>
Date:   Thu, 06 Oct 2022 15:16:40 +0200
From:   Christian Schoenebeck <linux_oss@...debyte.com>
To:     v9fs-developer@...ts.sourceforge.net,
        Tetsuo Handa <penguin-kernel@...ove.sakura.ne.jp>,
        Dominique Martinet <asmadeus@...ewreck.org>,
        syzbot <syzbot+2f20b523930c32c160cc@...kaller.appspotmail.com>
Cc:     syzkaller-bugs@...glegroups.com, linux-kernel@...r.kernel.org
Subject: Re: [PATCH] net/9p: use a dedicated spinlock for trans_fd

On Sonntag, 4. September 2022 13:29:28 CEST Dominique Martinet wrote:
> Shamelessly copying the explanation from Tetsuo Handa's suggested
> patch[1] (slightly reworded):
> syzbot is reporting inconsistent lock state in p9_req_put()[2],
> for p9_tag_remove() from p9_req_put() from IRQ context is using
> spin_lock_irqsave() on "struct p9_client"->lock but trans_fd
> (not from IRQ context) is using spin_lock().
> 
> Since the locks actually protect different things in client.c and in
> trans_fd.c, just replace trans_fd.c's lock by a new one specific to the
> transport instead of using spin_lock_irq* variants everywhere
> (client.c's protect the idr for tag allocations, while
> trans_fd.c's protects its own req list and request status field
> that acts as the transport's state machine)
> 
> Link:
> https://lkml.kernel.org/r/2470e028-9b05-2013-7198-1fdad071d999@I-love.SAKUR
> A.ne.jp [1] Link:
> https://syzkaller.appspot.com/bug?extid=2f20b523930c32c160cc [2]
> Reported-by: syzbot <syzbot+2f20b523930c32c160cc@...kaller.appspotmail.com>
> Reported-by: Tetsuo Handa <penguin-kernel@...ove.SAKURA.ne.jp>
> Signed-off-by: Dominique Martinet <asmadeus@...ewreck.org>
> ---
> Tetsuo Handa-san, thank you very much!
> I'm sorry for not respecting your opinion but it's been a pleasure to
> have submissions from someone on JST :)
> 
> Both this and your previous patch only impact trans_fd which I can't
> test super easily, so while I've sent the patch here I'll only queue it
> to -next hopefully next week after I've had time to setup a compatible
> server again...
> 
>  net/9p/trans_fd.c | 42 ++++++++++++++++++++++++++----------------
>  1 file changed, 26 insertions(+), 16 deletions(-)
>

Late on the party, sorry. Note that you already queued a slightly different 
version than this patch here, anyway, one thing ...

> diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> index ef5760971f1e..5b4807411281 100644
> --- a/net/9p/trans_fd.c
> +++ b/net/9p/trans_fd.c
> @@ -91,6 +91,7 @@ struct p9_poll_wait {
>   * @mux_list: list link for mux to manage multiple connections (?)
>   * @client: reference to client instance for this connection
>   * @err: error state
> + * @req_lock: lock protecting req_list and requests statuses
>   * @req_list: accounting for requests which have been sent
>   * @unsent_req_list: accounting for requests that haven't been sent
>   * @rreq: read request
> @@ -114,6 +115,7 @@ struct p9_conn {
>  	struct list_head mux_list;
>  	struct p9_client *client;
>  	int err;
> +	spinlock_t req_lock;
>  	struct list_head req_list;
>  	struct list_head unsent_req_list;
>  	struct p9_req_t *rreq;
> @@ -189,10 +191,10 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
> 
>  	p9_debug(P9_DEBUG_ERROR, "mux %p err %d\n", m, err);
> 
> -	spin_lock(&m->client->lock);
> +	spin_lock(&m->req_lock);
> 
>  	if (m->err) {
> -		spin_unlock(&m->client->lock);
> +		spin_unlock(&m->req_lock);
>  		return;
>  	}
> 
> @@ -205,7 +207,7 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
>  		list_move(&req->req_list, &cancel_list);
>  	}
> 
> -	spin_unlock(&m->client->lock);
> +	spin_unlock(&m->req_lock);
> 
>  	list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) {
>  		p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req);
> @@ -360,7 +362,7 @@ static void p9_read_work(struct work_struct *work)
>  	if ((m->rreq) && (m->rc.offset == m->rc.capacity)) {
>  		p9_debug(P9_DEBUG_TRANS, "got new packet\n");
>  		m->rreq->rc.size = m->rc.offset;
> -		spin_lock(&m->client->lock);
> +		spin_lock(&m->req_lock);
>  		if (m->rreq->status == REQ_STATUS_SENT) {
>  			list_del(&m->rreq->req_list);
>  			p9_client_cb(m->client, m->rreq, 
REQ_STATUS_RCVD);
> @@ -369,14 +371,14 @@ static void p9_read_work(struct work_struct *work)
>  			p9_debug(P9_DEBUG_TRANS,
>  				 "Ignore replies associated with a 
cancelled request\n");
>  		} else {
> -			spin_unlock(&m->client->lock);
> +			spin_unlock(&m->req_lock);
>  			p9_debug(P9_DEBUG_ERROR,
>  				 "Request tag %d errored out while we 
were reading the reply\n",
>  				 m->rc.tag);
>  			err = -EIO;
>  			goto error;
>  		}
> -		spin_unlock(&m->client->lock);
> +		spin_unlock(&m->req_lock);
>  		m->rc.sdata = NULL;
>  		m->rc.offset = 0;
>  		m->rc.capacity = 0;
> @@ -454,10 +456,10 @@ static void p9_write_work(struct work_struct *work)
>  	}
> 
>  	if (!m->wsize) {
> -		spin_lock(&m->client->lock);
> +		spin_lock(&m->req_lock);
>  		if (list_empty(&m->unsent_req_list)) {
>  			clear_bit(Wworksched, &m->wsched);
> -			spin_unlock(&m->client->lock);
> +			spin_unlock(&m->req_lock);
>  			return;
>  		}
> 
> @@ -472,7 +474,7 @@ static void p9_write_work(struct work_struct *work)
>  		m->wpos = 0;
>  		p9_req_get(req);
>  		m->wreq = req;
> -		spin_unlock(&m->client->lock);
> +		spin_unlock(&m->req_lock);
>  	}
> 
>  	p9_debug(P9_DEBUG_TRANS, "mux %p pos %d size %d\n",
> @@ -670,10 +672,10 @@ static int p9_fd_request(struct p9_client *client,
> struct p9_req_t *req) if (m->err < 0)
>  		return m->err;
> 
> -	spin_lock(&client->lock);
> +	spin_lock(&m->req_lock);
>  	req->status = REQ_STATUS_UNSENT;
>  	list_add_tail(&req->req_list, &m->unsent_req_list);
> -	spin_unlock(&client->lock);
> +	spin_unlock(&m->req_lock);
> 
>  	if (test_and_clear_bit(Wpending, &m->wsched))
>  		n = EPOLLOUT;
> @@ -688,11 +690,13 @@ static int p9_fd_request(struct p9_client *client,
> struct p9_req_t *req)
> 
>  static int p9_fd_cancel(struct p9_client *client, struct p9_req_t *req)
>  {
> +	struct p9_trans_fd *ts = client->trans;
> +	struct p9_conn *m = &ts->conn;
>  	int ret = 1;
> 
>  	p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
> 
> -	spin_lock(&client->lock);
> +	spin_lock(&m->req_lock);
> 
>  	if (req->status == REQ_STATUS_UNSENT) {
>  		list_del(&req->req_list);
> @@ -700,21 +704,24 @@ static int p9_fd_cancel(struct p9_client *client,
> struct p9_req_t *req) p9_req_put(client, req);
>  		ret = 0;
>  	}
> -	spin_unlock(&client->lock);
> +	spin_unlock(&m->req_lock);
> 
>  	return ret;
>  }
> 
>  static int p9_fd_cancelled(struct p9_client *client, struct p9_req_t *req)
>  {
> +	struct p9_trans_fd *ts = client->trans;
> +	struct p9_conn *m = &ts->conn;
> +
>  	p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
> 
> -	spin_lock(&client->lock);
> +	spin_lock(&m->req_lock);
>  	/* Ignore cancelled request if message has been received
>  	 * before lock.
>  	 */
>  	if (req->status == REQ_STATUS_RCVD) {
> -		spin_unlock(&client->lock);
> +		spin_unlock(&m->req_lock);
>  		return 0;
>  	}
> 
> @@ -723,7 +730,8 @@ static int p9_fd_cancelled(struct p9_client *client,
> struct p9_req_t *req) */
>  	list_del(&req->req_list);
>  	req->status = REQ_STATUS_FLSHD;
> -	spin_unlock(&client->lock);
> +	spin_unlock(&m->req_lock);
> +
>  	p9_req_put(client, req);
> 
>  	return 0;
> @@ -832,6 +840,7 @@ static int p9_fd_open(struct p9_client *client, int rfd,
> int wfd)
> 
>  	client->trans = ts;
>  	client->status = Connected;
> +	spin_lock_init(&ts->conn.req_lock);

Are you sure this is the right place for spin_lock_init()? Not rather in 
p9_conn_create()?

>  	return 0;
> 
> @@ -866,6 +875,7 @@ static int p9_socket_open(struct p9_client *client,
> struct socket *csocket) p->wr = p->rd = file;
>  	client->trans = p;
>  	client->status = Connected;
> +	spin_lock_init(&p->conn.req_lock);

Same here.

> 
>  	p->rd->f_flags |= O_NONBLOCK;

The rest LGTM.

Best regards,
Christian Schoenebeck


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ