From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Dominique Martinet, syzbot+2222c34dc40b515f30dc@syzkaller.appspotmail.com, Eric Van Hensbergen, Latchesar Ionkov, Sasha Levin
Subject: [PATCH 4.9 015/212] 9p/trans_fd: abort p9_read_work if req status changed
Date: Thu, 20 Aug 2020 11:19:48 +0200
Message-Id: <20200820091603.104543712@linuxfoundation.org>
X-Mailer: git-send-email 2.28.0
In-Reply-To: <20200820091602.251285210@linuxfoundation.org>
References: <20200820091602.251285210@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

From: Dominique Martinet

[ Upstream commit e4ca13f7d075e551dc158df6af18fb412a1dba0a ]

p9_read_work would try to handle an errored req even if it got put to error state by another thread between the lookup (that worked) and the time it had been fully read.

The request itself is safe to use because we hold a ref to it from the lookup (for m->rreq, so it was safe to read into the request data buffer until this point), but the req_list has been deleted at the same time status changed, and client_cb already has been called as well, so we should not do either.

Link: http://lkml.kernel.org/r/1539057956-23741-1-git-send-email-asmadeus@codewreck.org
Signed-off-by: Dominique Martinet
Reported-by: syzbot+2222c34dc40b515f30dc@syzkaller.appspotmail.com
Cc: Eric Van Hensbergen
Cc: Latchesar Ionkov
Signed-off-by: Sasha Levin
---
 net/9p/trans_fd.c | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index aa4586672cee9..91f71958c2e16 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -295,7 +295,6 @@ static void p9_read_work(struct work_struct *work) { int n, err; struct p9_conn *m; - int status = REQ_STATUS_ERROR; m = container_of(work, struct p9_conn, rq); @@ -375,11 +374,17 @@ static void p9_read_work(struct work_struct *work) if ((m->req) && (m->rc.offset == m->rc.capacity)) { p9_debug(P9_DEBUG_TRANS, "got new packet\n"); spin_lock(&m->client->lock); - if (m->req->status != REQ_STATUS_ERROR) - status = REQ_STATUS_RCVD; - list_del(&m->req->req_list); - /* update req->status while holding client->lock */ - p9_client_cb(m->client, m->req, status); + if (m->req->status == REQ_STATUS_SENT) { + list_del(&m->req->req_list); + p9_client_cb(m->client, m->req, REQ_STATUS_RCVD); + } else { + spin_unlock(&m->client->lock); + p9_debug(P9_DEBUG_ERROR, + "Request tag %d errored out while we were reading the reply\n", + m->rc.tag); + err = -EIO; + goto error; + } spin_unlock(&m->client->lock); m->rc.sdata = NULL; m->rc.offset = 0; -- 2.25.1
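Review bot: In the second hunk, any status other than REQ_STATUS_SENT now makes p9_read_work drop the lock and jump to the error label with err = -EIO, without clearing m->req or resetting m->rc.sdata and m->rc.offset the way the success path does two lines later; please confirm that the error label tears down the connection and discards the half-read reply so the stale m->req is never completed later, and a one-line comment above the else branch stating that an already RCVD or ERROR request is treated as a transport error (not just a dropped reply for that tag) would make that intent explicit. The commit message also refers to m->rreq and a reference held from the lookup, but this 4.9 hunk works on m->req and releases nothing on the new error path, so the backport should say whether the 4.9 transport has a per-request reference to drop there.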
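As an added illustration of the race the commit message describes (not code from the kernel or from this patch), the following user-space model shows a request being cancelled by one path while the reader is still completing it; `reader_finish_prepatch` mirrors the old unconditional unlink-and-callback, `reader_finish` mirrors the new status re-check under the lock. All names, the flag-based lock stand-in and the counters are assumptions of this model.

```c
/* Added example, not kernel code: a user-space model of the race the patch
 * closes. The request found by the tag lookup is SENT, but before its reply
 * is fully read another thread can flip it to ERROR, unlink it and run its
 * completion callback. All names below are hypothetical. */
#include <errno.h>
#include <stdatomic.h>

enum { REQ_STATUS_SENT, REQ_STATUS_RCVD, REQ_STATUS_ERROR };
struct p9_req {
    int status;
    int on_list;   /* 1 while the request sits on the pending req_list */
    int cb_calls;  /* times list_del() + p9_client_cb() ran; must stay <= 1 */
};

/* Stand-in for client->lock (the test itself is single-threaded). */
static atomic_flag client_lock = ATOMIC_FLAG_INIT;
static void take_lock(void) { while (atomic_flag_test_and_set(&client_lock)) ; }
static void drop_lock(void) { atomic_flag_clear(&client_lock); }

/* Model of list_del() followed by p9_client_cb(). */
static void complete_req(struct p9_req *req, int status)
{ req->on_list = 0; req->status = status; req->cb_calls++; }

/* Another thread cancelling the request under client->lock. */
void cancel_req(struct p9_req *req)
{ take_lock(); complete_req(req, REQ_STATUS_ERROR); drop_lock(); }

/* Pre-patch reader: always unlinks and calls back, even on an errored req. */
int reader_finish_prepatch(struct p9_req *req)
{
    int status = REQ_STATUS_ERROR;
    take_lock();
    if (req->status != REQ_STATUS_ERROR)
        status = REQ_STATUS_RCVD;
    complete_req(req, status);   /* second list_del + callback on a dead req */
    drop_lock();
    return 0;
}

/* Post-patch reader: complete only a request that is still SENT; otherwise
 * leave it untouched and return -EIO so the caller takes the error path. */
int reader_finish(struct p9_req *req)
{
    int ret = 0;
    take_lock();
    if (req->status == REQ_STATUS_SENT)
        complete_req(req, REQ_STATUS_RCVD);
    else
        ret = -EIO;
    drop_lock();
    return ret;
}
```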