From mboxrd@z Thu Jan 1 00:00:00 1970
From: Dominique Martinet
Subject: Re: [V9fs-developer] [PATCH] 9p: fix Use-After-Free in p9_write_work()
Date: Mon, 30 Jul 2018 02:18:00 +0200
Message-ID: <20180730001800.GA5960@nautica>
References: <20180729130248.29612-1-tomasbortoli@gmail.com> <20180729233336.GB28684@nautica>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Cc: v9fs-developer@lists.sourceforge.net, syzkaller@googlegroups.com, davem@davemloft.net, linux-kernel@vger.kernel.org, netdev@vger.kernel.org
To: Tomas Bortoli
Return-path:
Content-Disposition: inline
In-Reply-To: <20180729233336.GB28684@nautica>
Sender: linux-kernel-owner@vger.kernel.org
List-Id: netdev.vger.kernel.org

Dominique Martinet wrote on Mon, Jul 30, 2018:
> Basically, a more global view of the problem is a race between
> p9_tag_lookup returning a p9_req_t and another thread freeing it.

(just correcting myself here, p9_tag_lookup won't be enough for the write
side, but similarly you'd just need to increment the refcount when you
schedule work with it and decrement when the worker is done)

-- 
Dominique
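The pattern the mail describes (take a reference on the request when work is scheduled with it, drop it when the worker is done, and let the other side only drop its own reference rather than freeing outright) as an added, self-contained C example. This is not code from the thread or from the kernel's 9p client: struct req, tag_lookup, req_put, tag_remove and worker_run are hypothetical names, the tag table is a plain array instead of the kernel's IDR, and the lock-free "increment unless zero" refcount is used in place of the kernel's primitives. The scenario() function replays the race from the mail in a single thread to show why the worker's pointer stays valid.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical, simplified model of a request looked up by tag (not the
 * kernel's p9_req_t). Reference rule: the tag table holds one reference,
 * and every user that is handed the pointer (e.g. a scheduled worker)
 * holds its own, so nobody can free it while someone still uses it. */

#define MAX_TAGS 16

struct req {
    int tag;
    atomic_int refcount;   /* 1 for the tag table, +1 per in-flight user */
};

static struct req *tag_table[MAX_TAGS];
static int freed_count;   /* how many requests were really freed (for checks) */

int req_freed_count(void) { return freed_count; }
int req_refcount(const struct req *r) { return atomic_load(&r->refcount); }

/* Allocate a request; the tag table owns the initial reference. */
struct req *req_alloc(int tag)
{
    if (tag < 0 || tag >= MAX_TAGS || tag_table[tag])
        return NULL;
    struct req *r = calloc(1, sizeof(*r));
    if (!r)
        return NULL;
    r->tag = tag;
    atomic_init(&r->refcount, 1);
    tag_table[tag] = r;
    return r;
}

/* Bump the refcount only while it is non-zero, so a request whose last
 * reference is already being dropped cannot be resurrected by a lookup. */
static bool req_get_unless_zero(struct req *r)
{
    int old = atomic_load(&r->refcount);
    while (old != 0) {
        if (atomic_compare_exchange_weak(&r->refcount, &old, old + 1))
            return true;
    }
    return false;
}

/* Drop one reference; the holder of the last one frees the request. */
void req_put(struct req *r)
{
    if (atomic_fetch_sub(&r->refcount, 1) == 1) {
        if (tag_table[r->tag] == r)
            tag_table[r->tag] = NULL;
        free(r);
        freed_count++;
    }
}

/* Look up by tag and hand the caller its own reference (or NULL). */
struct req *tag_lookup(int tag)
{
    if (tag < 0 || tag >= MAX_TAGS)
        return NULL;
    struct req *r = tag_table[tag];
    if (!r || !req_get_unless_zero(r))
        return NULL;
    return r;
}

/* The "other thread freeing it": unlink the request from the table and
 * drop only the table's reference, never free() directly. */
void tag_remove(int tag)
{
    struct req *r = (tag >= 0 && tag < MAX_TAGS) ? tag_table[tag] : NULL;
    if (!r)
        return;
    tag_table[tag] = NULL;
    req_put(r);
}

/* Worker: uses the request it was scheduled with, then drops its reference.
 * Reads happen before the put, because after it the pointer may be gone. */
int worker_run(struct req *r)
{
    int tag = r->tag;
    req_put(r);
    return tag;
}

/* Replay of the race from the mail: a worker is scheduled with a request
 * (takes a ref), the client side then removes the request, and the worker
 * still finishes safely. Returns the tag the worker saw, or -1 on failure. */
int scenario(void)
{
    int before = freed_count;
    if (!req_alloc(5))
        return -1;
    struct req *w = tag_lookup(5);   /* scheduling work: worker gets a ref */
    if (!w)
        return -1;
    tag_remove(5);                   /* client done: table ref dropped only */
    if (freed_count != before || tag_lookup(5) != NULL)
        return -1;                   /* still alive, but no longer reachable by tag */
    int seen = worker_run(w);        /* worker done: last ref, now freed */
    if (freed_count != before + 1)
        return -1;
    return seen;
}

int main(void)
{
    printf("worker saw tag %d, freed %d request(s)\n", scenario(), req_freed_count());
    return 0;
}
```

Without the worker's extra reference, tag_remove() would be the point where the request is freed and worker_run() would read freed memory; with it, the free simply moves to whichever side drops the last reference. In the kernel the same idea is implemented with its own refcount primitives and locking around the tag table, which this single-threaded model leaves out.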