2018-07-06 09:44:35

by piaojun

Subject: [PATCH] net/9p/client.c: put refcount of trans_mod in error case in parse_opts()

From my test, the second mount will fail after umounting successfully.
The reason is that we put refcount of trans_mod in the correct case rather
than the error case in parse_opts() at last. That will cause the refcount
decrease to -1, and when we try to get trans_mod again in
try_module_get(), we could only increase refcount to 0 which will cause
failure as follows:
parse_opts
v9fs_get_trans_by_name
try_module_get : return NULL to caller which cause error

So we should put refcount of trans_mod in error case.

Fixes: 9421c3e64137ec ("net/9p/client.c: fix potential refcnt problem of trans module")

Signed-off-by: Jun Piao <[email protected]>
---
net/9p/client.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/9p/client.c b/net/9p/client.c
index 18c5271..5c13431 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -225,7 +225,8 @@ static int parse_opts(char *opts, struct p9_client *clnt)
}

free_and_return:
- v9fs_put_trans(clnt->trans_mod);
+ if (ret)
+ v9fs_put_trans(clnt->trans_mod);
kfree(tmp_options);
return ret;
}
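Review bot: on the error path under `free_and_return:` the reference is dropped but `clnt->trans_mod` keeps the stale pointer, so any later cleanup that also calls v9fs_put_trans(clnt->trans_mod) would drop the reference a second time and bring back the imbalance this patch is fixing. Consider adding `clnt->trans_mod = NULL;` right after the put, with braces around the `if (ret)` body.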
--


2018-07-06 09:49:26

by jiangyiwen

Subject: Re: [PATCH] net/9p/client.c: put refcount of trans_mod in error case in parse_opts()

On 2018/7/6 17:42, piaojun wrote:
> From my test, the second mount will fail after umounting successfully.
> The reason is that we put refcount of trans_mod in the correct case rather
> than the error case in parse_opts() at last. That will cause the refcount
> decrease to -1, and when we try to get trans_mod again in
> try_module_get(), we could only increase refcount to 0 which will cause
> failure as follows:
> parse_opts
> v9fs_get_trans_by_name
> try_module_get : return NULL to caller which cause error
>
> So we should put refcount of trans_mod in error case.
>
> Fixes: 9421c3e64137ec ("net/9p/client.c: fix potential refcnt problem of trans module")
>
> Signed-off-by: Jun Piao <[email protected]>

It looks good to me.

Reviewed-by: Yiwen Jiang <[email protected]>

> ---
> net/9p/client.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/9p/client.c b/net/9p/client.c
> index 18c5271..5c13431 100644
> --- a/net/9p/client.c
> +++ b/net/9p/client.c
> @@ -225,7 +225,8 @@ static int parse_opts(char *opts, struct p9_client *clnt)
> }
>
> free_and_return:
> - v9fs_put_trans(clnt->trans_mod);
> + if (ret)
> + v9fs_put_trans(clnt->trans_mod);
> kfree(tmp_options);
> return ret;
> }
>
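Review bot: the new `if (ret)` put runs for every error that reaches `free_and_return:`, and the hunk does not show whether clnt->trans_mod has already been assigned on all of those paths. Please confirm that v9fs_put_trans() is safe with a NULL argument, or test `ret && clnt->trans_mod` so that only a reference that was actually taken is dropped.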



2018-07-09 15:50:20

by Greg Kurz

Subject: Re: [V9fs-developer] [PATCH] net/9p/client.c: put refcount of trans_mod in error case in parse_opts()

On Fri, 6 Jul 2018 17:42:56 +0800
piaojun <[email protected]> wrote:

> From my test, the second mount will fail after umounting successfully.
> The reason is that we put refcount of trans_mod in the correct case rather
> than the error case in parse_opts() at last. That will cause the refcount
> decrease to -1, and when we try to get trans_mod again in
> try_module_get(), we could only increase refcount to 0 which will cause
> failure as follows:
> parse_opts
> v9fs_get_trans_by_name
> try_module_get : return NULL to caller which cause error
>
> So we should put refcount of trans_mod in error case.
>
> Fixes: 9421c3e64137ec ("net/9p/client.c: fix potential refcnt problem of trans module")
>
> Signed-off-by: Jun Piao <[email protected]>
> ---

Reviewed-by: Greg Kurz <[email protected]>

> net/9p/client.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/9p/client.c b/net/9p/client.c
> index 18c5271..5c13431 100644
> --- a/net/9p/client.c
> +++ b/net/9p/client.c
> @@ -225,7 +225,8 @@ static int parse_opts(char *opts, struct p9_client *clnt)
> }
>
> free_and_return:
> - v9fs_put_trans(clnt->trans_mod);
> + if (ret)
> + v9fs_put_trans(clnt->trans_mod);
> kfree(tmp_options);
> return ret;
> }
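Review bot: documentation is missing at `free_and_return:`: nothing in the code says that on success the transport reference stays with clnt and is released later, which is the ownership rule the old unconditional put got wrong. A one-line comment above `if (ret)` stating who owns the reference when parse_opts() returns 0 would keep the next cleanup change from repeating the mistake.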


2018-07-11 05:49:51

by Dominique Martinet

Subject: Re: [V9fs-developer] [PATCH] net/9p/client.c: put refcount of trans_mod in error case in parse_opts()

Andrew,

there seems to be some renewed interest in 9P lately, so if you'd like I
can take care of rounding these up and prepare a pull request for 4.19
(as we're already well into 4.18 release cycle, I believe most of the
patches can wait)

This patch however I consider important enough to take for 4.18 so could
you please grab it for now?

I've gathered the Review tags and added my own, feel free to change my
Reviewed-and-tested-by tag to Signed-off-by if it seems more appropriate
as I'm actively pushing for this patch.

piaojun wrote on Fri, Jul 06, 2018:
> From my test, the second mount will fail after umounting successfully.
> The reason is that we put refcount of trans_mod in the correct case rather
> than the error case in parse_opts() at last. That will cause the refcount
> decrease to -1, and when we try to get trans_mod again in
> try_module_get(), we could only increase refcount to 0 which will cause
> failure as follows:
> parse_opts
> v9fs_get_trans_by_name
> try_module_get : return NULL to caller which cause error
>
> So we should put refcount of trans_mod in error case.
>
> Fixes: 9421c3e64137ec ("net/9p/client.c: fix potential refcnt problem of trans module")
>
> Signed-off-by: Jun Piao <[email protected]>
Reviewed-by: Yiwen Jiang <[email protected]>
Reviewed-by: Greg Kurz <[email protected]>
Reviewed-and-tested-by: Dominique Martinet <[email protected]>

> ---
> net/9p/client.c | 3 ++-
> 1 file changed, 2 insertions(+), 1 deletion(-)
>
> diff --git a/net/9p/client.c b/net/9p/client.c
> index 18c5271..5c13431 100644
> --- a/net/9p/client.c
> +++ b/net/9p/client.c
> @@ -225,7 +225,8 @@ static int parse_opts(char *opts, struct p9_client *clnt)
> }
>
> free_and_return:
> - v9fs_put_trans(clnt->trans_mod);
> + if (ret)
> + v9fs_put_trans(clnt->trans_mod);
> kfree(tmp_options);
> return ret;
> }

Thanks,
--
Dominique Martinet