Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp4365036imm; Mon, 8 Oct 2018 21:07:20 -0700 (PDT) X-Google-Smtp-Source: ACcGV619sNErIFvAOzrL8q4ncrvZeZCX8OyVzFo5NwpQYw2nl4pkAAyywL83HXwtkEHbSDlQ3knt X-Received: by 2002:a65:4301:: with SMTP id j1-v6mr23870722pgq.279.1539058040125; Mon, 08 Oct 2018 21:07:20 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539058040; cv=none; d=google.com; s=arc-20160816; b=iz8j4KTey58Npzi6vSM9u2mYJCfHDRCjev0OHeOL/ewsMt7YjtDUqioWCFAacuJNa7 a6FvfH8z1xsyfoZFFBui+GItzZICGNHWyKMH/Qe/cwhVHYdv3zD7eqIqX1ySphjs81bG zx+FGmn475xHzU69qX3rAkjgoTzjBQACu81Tro4MWDXg5K1nfpI1Dihxb0aEplCgmUSI JCRZQEnUx9kqXdUDAmikr4SwhS+YFSq0xjBqn8BjUZKGZVFkZrXBH2gcTyuK91lN6VrH jgZ+ErPf+2zh7D6PgWnNO4FJOOvoBjecQf7fHWp48ol4x+0T3h0TB6l184k9OefOCrgw Y/PA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:to:references:in-reply-to:message-id:date :subject:cc:from; bh=u+oXMCORdUM89Bc+3F27ve67TIoi/L4jX35DRhCB2GE=; b=EVkdaPHWpyqDco8zA9NHiYyiyS7VKBpPG09Mvh1xN3vbKDEISFcUsMYcuEXpjeL+Y+ sYT5tWxatQNrOshwDbPLSyGnCWvPrTCVgNvT2E8Ol2x/QfH9bU9IzdtX7gJWL3iQM2mj V3qUyDclrwIeMx/UE+OfH5JqNpSyfxOFwYpVjKvI94/kRHxPkUUsz0PdCLZ7QGJ5y38C Rf4qmgnzpLJPldX9v4kOn37HLM4+gT7CInnWq8VhvfzWNq04Ryplb1cIpfXY/v8WRsxw c9KI8aD4cIACXfZ5kWWCB6KIFVLEd4xi4fnGWfhZ9cdNy4+duUabkwyYQfamGGGLzjsV 0gfw== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 34-v6si18829122pgt.95.2018.10.08.21.07.06; Mon, 08 Oct 2018 21:07:20 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726523AbeJILVD (ORCPT + 99 others); Tue, 9 Oct 2018 07:21:03 -0400 Received: from nautica.notk.org ([91.121.71.147]:37482 "EHLO nautica.notk.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726427AbeJILVD (ORCPT ); Tue, 9 Oct 2018 07:21:03 -0400 Received: by nautica.notk.org (Postfix, from userid 1001) id 647D6C009; Tue, 9 Oct 2018 06:06:06 +0200 (CEST) From: Dominique Martinet Cc: Dominique Martinet , v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Eric Van Hensbergen , Latchesar Ionkov Subject: [PATCH 1/2] 9p/trans_fd: abort p9_read_work if req status changed Date: Tue, 9 Oct 2018 06:05:55 +0200 Message-Id: <1539057956-23741-1-git-send-email-asmadeus@codewreck.org> X-Mailer: git-send-email 1.7.10.4 In-Reply-To: <20181009020949.GA29622@nautica> References: <20181009020949.GA29622@nautica> To: unlisted-recipients:; (no To-header on input) Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Dominique Martinet p9_read_work would try to handle an errored req even if it got put to error state by another thread between the lookup (that worked) and the time it had been fully read. The request itself is safe to use because we hold a ref to it from the lookup (for m->rreq, so it was safe to read into the request data buffer until this point), but the req_list has been deleted at the same time status changed, and client_cb already has been called as well, so we should not do either. Signed-off-by: Dominique Martinet Reported-by: syzbot+2222c34dc40b515f30dc@syzkaller.appspotmail.com Cc: Eric Van Hensbergen Cc: Latchesar Ionkov --- As written in reply to the bug report I'm not sure it's what syzbot complained about exactly, but it feels like a correct thing to do. The second patch is unrelated to the syzbot report, but something that occured to me while looking at this ; I'll take both into linux-next around the start of next week after getting some proper testing done unless remarks happen. (they pass basic tests already) net/9p/trans_fd.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 12559c474dde..a0317d459cde 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -292,7 +292,6 @@ static void p9_read_work(struct work_struct *work) __poll_t n; int err; struct p9_conn *m; - int status = REQ_STATUS_ERROR; m = container_of(work, struct p9_conn, rq); @@ -375,11 +374,17 @@ static void p9_read_work(struct work_struct *work) p9_debug(P9_DEBUG_TRANS, "got new packet\n"); m->rreq->rc.size = m->rc.offset; spin_lock(&m->client->lock); - if (m->rreq->status != REQ_STATUS_ERROR) - status = REQ_STATUS_RCVD; - list_del(&m->rreq->req_list); - /* update req->status while holding client->lock */ - p9_client_cb(m->client, m->rreq, status); + if (m->rreq->status == REQ_STATUS_SENT) { + list_del(&m->rreq->req_list); + p9_client_cb(m->client, m->rreq, REQ_STATUS_RCVD); + } else { + spin_unlock(&m->client->lock); + p9_debug(P9_DEBUG_ERROR, + "Request tag %d errored out while we were reading the reply\n", + m->rc.tag); + err = -EIO; + goto error; + } spin_unlock(&m->client->lock); m->rc.sdata = NULL; m->rc.offset = 0; -- 2.19.1