From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dominique Martinet, syzbot+2222c34dc40b515f30dc@syzkaller.appspotmail.com, Eric Van Hensbergen, Latchesar Ionkov, Sasha Levin
Subject: [PATCH 4.19 19/72] 9p/trans_fd: abort p9_read_work if req status changed
Date: Tue, 2 Jul 2019 10:01:20 +0200
Message-Id: <20190702080125.656500245@linuxfoundation.org>
In-Reply-To: <20190702080124.564652899@linuxfoundation.org>
References: <20190702080124.564652899@linuxfoundation.org>

[ Upstream commit e4ca13f7d075e551dc158df6af18fb412a1dba0a ]

p9_read_work would try to handle an errored req even if it got put to error state by another thread between the lookup (that worked) and the time it had been fully read. The request itself is safe to use because we hold a ref to it from the lookup (for m->rreq, so it was safe to read into the request data buffer until this point), but the req_list has been deleted at the same time status changed, and client_cb already has been called as well, so we should not do either.

Link: http://lkml.kernel.org/r/1539057956-23741-1-git-send-email-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet
Reported-by: syzbot+2222c34dc40b515f30dc@syzkaller.appspotmail.com
Cc: Eric Van Hensbergen
Cc: Latchesar Ionkov
Signed-off-by: Sasha Levin
--- net/9p/trans_fd.c | 17 +++++++++++------ 1 file changed, 11 insertions(+), 6 deletions(-) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 12559c474dde..a0317d459cde 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c 
@@ -292,7 +292,6 @@ static void p9_read_work(struct work_struct *work) __poll_t n; int err; struct p9_conn *m; - int status = REQ_STATUS_ERROR; m = container_of(work, struct p9_conn, rq); @@ -375,11 +374,17 @@ static void p9_read_work(struct work_struct *work) p9_debug(P9_DEBUG_TRANS, "got new packet\n"); m->rreq->rc.size = m->rc.offset; spin_lock(&m->client->lock); - if (m->rreq->status != REQ_STATUS_ERROR) - status = REQ_STATUS_RCVD; - list_del(&m->rreq->req_list); - /* update req->status while holding client->lock */ - p9_client_cb(m->client, m->rreq, status); + if (m->rreq->status == REQ_STATUS_SENT) { + list_del(&m->rreq->req_list); + p9_client_cb(m->client, m->rreq, REQ_STATUS_RCVD); + } else { + spin_unlock(&m->client->lock); + p9_debug(P9_DEBUG_ERROR, + "Request tag %d errored out while we were reading the reply\n", + m->rc.tag); + err = -EIO; + goto error; + } spin_unlock(&m->client->lock); m->rc.sdata = NULL; m->rc.offset = 0; -- 2.20.1
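
Review bot: In the second hunk of p9_read_work, the test changes from `m->rreq->status != REQ_STATUS_ERROR` to `m->rreq->status == REQ_STATUS_SENT`, so the else branch now takes every status other than SENT, not only ERROR, while the debug text says the request "errored out" and the commit log describes only the error-state race. Either keep the branch keyed on REQ_STATUS_ERROR or add a comment stating which other states can be seen here and why returning -EIO through `goto error` is the right outcome for them. The else branch also leaves with m->rreq still set, and the lines shown do not tell whether the error label drops the reference the commit message says is held from the lookup; that is worth confirming before this goes to stable. A smaller point: the early `spin_unlock(&m->client->lock)` inside the else is balanced against the unconditional unlock after the if/else only because of the goto, so recording the outcome in a local and unlocking once would be harder to break in later edits.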