From: Dominique Martinet
Subject: Re: [PATCH] [V9fs-developer] [PATCH] /net/9p/trans_fd.c: fix race-condition by flushing workqueue before the kfree()
Date: Mon, 23 Jul 2018 04:39:07 +0200
Message-ID: <20180723023907.GA24608@nautica>
References: <20180720092730.27104-1-tomasbortoli@gmail.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Cc: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net, jiangyiwen@huawei.com, davem@davemloft.net, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com
To: Tomas Bortoli
Return-path:
Content-Disposition: inline
In-Reply-To: <20180720092730.27104-1-tomasbortoli@gmail.com>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Tomas Bortoli wrote on Fri, Jul 20, 2018:
> The patch adds the flush in p9_mux_poll_stop() as it is the function used by
> p9_conn_destroy(), in turn called by p9_fd_close() to stop the async
> polling associated with the data regarding the connection.
>
> Signed-off-by: Tomas Bortoli
> Reported-by: syzbot+39749ed7d9ef6dfb23f6@syzkaller.appspotmail.com

Looks good to me, I'm taking this patch.

If I had to say something, try to aim for slightly shorter subject lines if possible :)

> ---
> As shown by Syzbot, it is possible to provoke a race between p9_fd_close()
> and p9_poll_workfn() that is called to take care of the async read/write work
> to do. To make sure p9_fd_close() frees "trans" when it is not used anymore,
> it has to explicitly flush p9_poll_work before the kfree().
>
> net/9p/trans_fd.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
> index bf459ee0feab..a64b01c56e30 100644
> --- a/net/9p/trans_fd.c
> +++ b/net/9p/trans_fd.c
> @@ -185,6 +185,8 @@ static void p9_mux_poll_stop(struct p9_conn *m) > spin_lock_irqsave(&p9_poll_lock, flags); > list_del_init(&m->poll_pending_link); > spin_unlock_irqrestore(&p9_poll_lock, flags); > + > + flush_work(&p9_poll_work); > } > > /** -- Dominique Martinet
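Review bot: the new flush_work(&p9_poll_work) at the end of p9_mux_poll_stop() needs a one-line comment saying what it waits for, because the reason is not visible at the call site: the list_del_init(&m->poll_pending_link) under p9_poll_lock just above it only covers a p9_poll_workfn() that has not started yet, while the flush covers one that is already running and may still dereference m. Something like `/* wait for an in-flight p9_poll_workfn() that may still use m */` above the call would spare the next reader a trip to the commit log. Two points to keep in mind when applying: p9_poll_work is addressed here as a global, not a per-connection field of m, so this flush also waits for pending poll work of unrelated connections (acceptable on a close path, but worth stating in that comment), and the flush is only effective if nothing can re-queue this connection after it returns, which depends on the part of p9_mux_poll_stop() above the hunk that this context does not show; the order (unhook wakeups, drop from the pending list, then flush) must stay as it is. flush_work() can sleep, so p9_mux_poll_stop() must never be reached from atomic context or from the poll work itself.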