From: Dominique Martinet
Cc: Dominique Martinet, v9fs-developer@lists.sourceforge.net,
    netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
    Eric Van Hensbergen, Latchesar Ionkov, Tomas Bortoli
Subject: [PATCH 2/2] 9p/trans_fd: put worker reqs on destroy
Date: Tue, 9 Oct 2018 06:05:56 +0200
Message-Id: <1539057956-23741-2-git-send-email-asmadeus@codewreck.org>
In-Reply-To: <1539057956-23741-1-git-send-email-asmadeus@codewreck.org>
References: <20181009020949.GA29622@nautica> <1539057956-23741-1-git-send-email-asmadeus@codewreck.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dominique Martinet

p9_read_work/p9_write_work might still hold references to a req after
having been cancelled; make sure we put any of these to avoid potential
request leak on disconnect.

Fixes: 728356dedeff8 ("9p: Add refcount to p9_req_t")
Signed-off-by: Dominique Martinet Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Tomas Bortoli --- Noticed we could leak a ref while looking at the syzbot report, this should be safe enough after the work has been cancelled... Probably. net/9p/trans_fd.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index a0317d459cde..f868cf6fba79 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -876,7 +876,15 @@ static void p9_conn_destroy(struct p9_conn *m) p9_mux_poll_stop(m); cancel_work_sync(&m->rq); + if (m->rreq) { + p9_req_put(m->rreq); + m->rreq = NULL; + } cancel_work_sync(&m->wq); + if (m->wreq) { + p9_req_put(m->wreq); + m->wreq = NULL; + } p9_conn_cancel(m, -ECONNRESET); -- 2.19.1
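Review bot: In p9_conn_destroy(), the two new blocks that call p9_req_put() on m->rreq and m->wreq rely on an ordering assumption that is not documented: once cancel_work_sync(&m->rq) and cancel_work_sync(&m->wq) have returned, neither worker may be queued again and touch those pointers. The note under the --- only says this "should be safe enough ... Probably", so please confirm that the preceding p9_mux_poll_stop(m) is what rules out a requeue and say so in the commit message, or add a short comment above each block stating that the work is cancelled and the put drops the reference the worker held. It would also help to state why dropping these references before p9_conn_cancel(m, -ECONNRESET) cannot put the same request twice, since a double put on the refcounted p9_req_t would turn this leak fix into a use-after-free.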