From: Dominique Martinet <asmadeus@codewreck.org>
To: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
Cc: v9fs@lists.linux.dev, Eric Van Hensbergen <ericvh@kernel.org>,
	Latchesar Ionkov <lucho@ionkov.net>,
	Christian Schoenebeck <linux_oss@crudebyte.com>,
	linux-kernel@vger.kernel.org,
	Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>,
	Ao Wang <wangao@seu.edu.cn>, Xuewei Feng <fengxw06@126.com>,
	Qi Li <qli01@tsinghua.edu.cn>, Ke Xu <xuke@tsinghua.edu.cn>
Subject: Re: [PATCH] net/9p: fix race condition on rdma->state in trans_rdma.c
Date: Mon, 15 Jun 2026 22:22:17 +0900
Message-ID: <ai_8iSfPkPDFB3l9@codewreck.org>
In-Reply-To: <20260529073933.77315-1-zhaoyz24@mails.tsinghua.edu.cn>

Yizhou Zhao wrote on Fri, May 29, 2026 at 03:39:31PM +0800:
> The rdma->state field is modified without holding req_lock in both
> recv_done() and p9_cm_event_handler(), while rdma_request() accesses
> the same field under the req_lock spinlock. This inconsistent locking
> creates a race condition:
> 
> - recv_done() running in softirq completion context sets
>   rdma->state = P9_RDMA_FLUSHING without acquiring req_lock
> 
> - p9_cm_event_handler() modifies rdma->state at multiple points
>   (ADDR_RESOLVED, ROUTE_RESOLVED, ESTABLISHED, CLOSED) without
>   req_lock
> 
> - rdma_request() uses spin_lock_irqsave(&rdma->req_lock, flags) to
>   protect the read-modify-write of rdma->state
> 
> The race can cause lost state transitions: recv_done() or the CM
> event handler could set state to FLUSHING/CLOSED while rdma_request()
> is concurrently checking or modifying state under the lock, leading to
> the FLUSHING transition being silently overwritten by CLOSING. This
> corrupts the connection state machine and can cause use-after-free on
> RDMA request objects during teardown.
> 
> Fix by adding req_lock protection to all rdma->state modifications in
> recv_done() and p9_cm_event_handler(), matching the pattern already
> used in rdma_request(). Use spin_lock_irqsave/spin_unlock_irqrestore
> in the CM event handler since it can race with recv_done(), which runs
> in softirq context.
> 
> Tested with a kernel module that races two threads (simulating
> rdma_request and recv_done/CM handler) on rdma->state with proper
> locking: 5.5M+ FLUSHING writes over 27M iterations with 0 lost
> transitions.
> 
> Fixes: 473c7dd1d7b5 ("9p/rdma: remove useless check in cm_event_handler")
> Reported-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>
> Reported-by: Yuxiang Yang <yangyx22@mails.tsinghua.edu.cn>
> Reported-by: Ao Wang <wangao@seu.edu.cn>
> Reported-by: Xuewei Feng <fengxw06@126.com>
> Reported-by: Qi Li <qli01@tsinghua.edu.cn>
> Reported-by: Ke Xu <xuke@tsinghua.edu.cn>
> Assisted-by: GLM:GLM-5.1
> Signed-off-by: Yizhou Zhao <zhaoyz24@mails.tsinghua.edu.cn>

None of this is frequent, so taking the lock is sound; picking this up.

-- 
Dominique
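
The locking problem the commit message describes, as an added example rather than code from the patch or from net/9p: a userspace C model of rdma_request()'s locked read-modify-write on rdma->state racing against a completion-path write of P9_RDMA_FLUSHING, driven by an explicit interleaving so the lost transition is reproducible instead of needing millions of iterations. The reduced state enum, the schedule strings, the gen counter used as an oracle for a stale read-modify-write, and the way a writer spinning on req_lock is modelled as a deferred step are all assumptions of this model; it does not model interrupt disabling, which the real fix needs (spin_lock_irqsave) because recv_done() runs in softirq context.

```c
#include <stdbool.h>
#include <stdio.h>

/* Subset of the kernel's state enum, in the same relative order (constructed model). */
enum p9_rdma_state { P9_RDMA_CONNECTED, P9_RDMA_FLUSHING, P9_RDMA_CLOSING };

struct rdma_model {
	enum p9_rdma_state state;
	bool req_lock;            /* models rdma->req_lock, held between 'r' and 'w' */
	bool writers_take_lock;   /* true = fixed completion path, false = the bug */
	unsigned gen;             /* oracle: bumped on every write to state */
	unsigned gen_at_read;     /* requester's snapshot of gen under the lock */
	enum p9_rdma_state old;   /* requester's snapshot of state under the lock */
	unsigned flushing_writes; /* FLUSHING writes that landed */
	unsigned deferred;        /* FLUSHING writes that had to spin on req_lock */
	unsigned lost;            /* transitions overwritten by a stale read-modify-write */
};

/* rdma_request(): take req_lock, then read the state (first half of the RMW). */
static void req_lock_and_read(struct rdma_model *m)
{
	m->req_lock = true;
	m->old = m->state;
	m->gen_at_read = m->gen;
}

/* rdma_request(): write CLOSING if the snapshot allowed it, then unlock. */
static void req_write_and_unlock(struct rdma_model *m)
{
	if (m->old < P9_RDMA_CLOSING) {
		/* oracle: state changed since the read, so this write clobbers a transition */
		if (m->gen != m->gen_at_read)
			m->lost++;
		m->state = P9_RDMA_CLOSING;
		m->gen++;
	}
	m->req_lock = false;
}

/* recv_done() / p9_cm_event_handler(): set FLUSHING.  With the fix the writer
 * spins on req_lock, so it cannot land between 'r' and 'w'; returns false then. */
static bool completion_set_flushing(struct rdma_model *m)
{
	if (m->writers_take_lock && m->req_lock) {
		m->deferred++;
		return false;
	}
	m->state = P9_RDMA_FLUSHING;
	m->gen++;
	m->flushing_writes++;
	return true;
}

/* Drive one interleaving.  Schedule chars: 'r' = rdma_request locks and reads,
 * 'w' = rdma_request writes and unlocks, 'f' = completion path tries to set
 * FLUSHING.  A deferred 'f' retries after every later step, like a CPU spinning
 * on the lock.  Returns the lost-transition count; the final model is left in *out. */
static unsigned run_schedule(const char *sched, bool fixed, struct rdma_model *out)
{
	struct rdma_model m = { .state = P9_RDMA_CONNECTED, .writers_take_lock = fixed };
	bool flush_pending = false;

	for (; *sched; sched++) {
		switch (*sched) {
		case 'r': req_lock_and_read(&m); break;
		case 'w': req_write_and_unlock(&m); break;
		case 'f': flush_pending = true; break;
		default: break; /* ignore anything else in the schedule */
		}
		if (flush_pending && completion_set_flushing(&m))
			flush_pending = false;
	}
	*out = m;
	return m.lost;
}

static const char *state_name(enum p9_rdma_state s)
{
	static const char *names[] = { "CONNECTED", "FLUSHING", "CLOSING" };
	return names[s];
}

int main(void)
{
	struct rdma_model m;
	const char *sched = "rfw"; /* FLUSHING arrives while the request path is mid-RMW */

	run_schedule(sched, false, &m);
	printf("unlocked writer, schedule %s: final=%s lost=%u\n",
	       sched, state_name(m.state), m.lost);
	run_schedule(sched, true, &m);
	printf("locked writer,   schedule %s: final=%s lost=%u deferred=%u\n",
	       sched, state_name(m.state), m.lost, m.deferred);
	return 0;
}
```

With the completion path writing unlocked, the schedule r,f,w lets FLUSHING land between rdma_request()'s read and its write, and the write of CLOSING silently replaces it (one lost transition, final state CLOSING). With the writer taking req_lock, the same schedule defers the FLUSHING write until the unlock, so nothing is lost. The ordering f,r,w is fine either way: rdma_request() then reads FLUSHING under the lock and its CLOSING write is a serialized successor, not a clobber, which is why a lock taken by only one side of a shared field gives no protection at all.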
