From: Tomas Bortoli
To: ericvh@gmail.com, rminnich@sandia.gov, lucho@ionkov.net
Cc: asmadeus@codewreck.org, jiangyiwen@huawei.com, davem@davemloft.net, v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller@googlegroups.com, Tomas Bortoli
Subject: [PATCH] net/p9/trans_fd.c: fix double list_del()
Date: Mon, 23 Jul 2018 14:19:02 +0200
Message-Id: <20180723121902.20201-1-tomasbortoli@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org

A double list_del(&req->req_list) is possible in p9_fd_cancel() as shown by Syzbot. To prevent it we have to ensure that we have the client->lock when deleting the list. Furthermore, we have to update the status of the request before releasing the lock, to prevent the race.

Signed-off-by: Tomas Bortoli
Reported-by: syzbot+735d926e9d1317c3310c@syzkaller.appspotmail.com
--- net/9p/trans_fd.c | 9 ++++----- 1 file changed, 4 insertions(+), 5 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index a64b01c56e30..370c6c69a05c 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c 
@@ -199,15 +199,14 @@ static void p9_mux_poll_stop(struct p9_conn *m) static void p9_conn_cancel(struct p9_conn *m, int err) { struct p9_req_t *req, *rtmp; - unsigned long flags; LIST_HEAD(cancel_list); p9_debug(P9_DEBUG_ERROR, "mux %p err %d\n", m, err); - spin_lock_irqsave(&m->client->lock, flags); + spin_lock(&m->client->lock); if (m->err) { - spin_unlock_irqrestore(&m->client->lock, flags); + spin_unlock(&m->client->lock); return; } @@ -219,7 +218,6 @@ static void p9_conn_cancel(struct p9_conn *m, int err) list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) { list_move(&req->req_list, &cancel_list); } - spin_unlock_irqrestore(&m->client->lock, flags); list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) { p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req); @@ -228,6 +226,7 @@ static void p9_conn_cancel(struct p9_conn *m, int err) req->t_err = err; p9_client_cb(m->client, req, REQ_STATUS_ERROR); } + spin_unlock(&m->client->lock); } static __poll_t @@ -370,12 +369,12 @@ static void p9_read_work(struct work_struct *work) if (m->req->status != REQ_STATUS_ERROR) status = REQ_STATUS_RCVD; list_del(&m->req->req_list); - spin_unlock(&m->client->lock); p9_client_cb(m->client, m->req, status); m->rc.sdata = NULL; m->rc.offset = 0; m->rc.capacity = 0; m->req = NULL; + spin_unlock(&m->client->lock); } end_clear: -- 2.11.0
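
Review bot: In the first hunk of p9_conn_cancel(), spin_lock_irqsave()/spin_unlock_irqrestore() on m->client->lock become plain spin_lock()/spin_unlock() and `flags` is dropped, but the changelog only talks about holding the lock across the list deletion and the status update and gives no reason for dropping the IRQ-safe variant. If nothing takes client->lock from interrupt context, say so in the changelog (p9_read_work() already uses the plain variant, as the last hunk shows); otherwise keep the irqsave form, or move this conversion into its own patch.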
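
Review bot: With the unlock moved from before the cancel_list loop to after it (second and third hunks of p9_conn_cancel()), p9_client_cb(m->client, req, REQ_STATUS_ERROR) now runs with client->lock held for every request on cancel_list. Please confirm that p9_client_cb() never takes client->lock itself and does not sleep, and add a comment at the call site saying it is called under the lock. The changelog also names p9_fd_cancel() as the place where the double list_del() happens, yet no hunk touches that function; describing which path races with it would make the locking change easier to review.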
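
Review bot: In the p9_read_work() hunk the spin_unlock() moves below `m->req = NULL`, so the lock now also covers p9_client_cb() and the resets of m->rc.sdata, m->rc.offset and m->rc.capacity, which is wider than the changelog's stated goal of updating the request status before releasing the lock. If only the status update needs the lock, unlock directly after p9_client_cb(); if the m->rc and m->req resets need it too, say in the changelog what they race with.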