From: Dominique Martinet
To: v9fs-developer@lists.sourceforge.net
Cc: Leon Romanovsky, linux_oss@crudebyte.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Dominique Martinet, syzbot+67d13108d855f451cafc@syzkaller.appspotmail.com
Subject: [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create
Date: Thu, 29 Sep 2022 06:44:16 +0900
Message-Id: <20220928214417.1749609-1-asmadeus@codewreck.org>
X-Mailer: git-send-email 2.37.1
In-Reply-To:
References:
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

destroy code would incorrectly call close() if trans_mod exists after some hasty code cleanup: we need to make sure we only call close after create

Link: https://lkml.kernel.org/r/00000000000015ac7905e97ebaed@google.com
Reported-by: syzbot+67d13108d855f451cafc@syzkaller.appspotmail.com
Reported-by: Leon Romanovsky
Fixes: 3ff51294a055 ("9p: p9_client_create: use p9_client_destroy on failure")
Signed-off-by: Dominique Martinet
---
I tried to make trans->create() return clnt->trans to assign directly from there, but rdma callbacks need clnt->trans to be set early during init and the diff was just too big for a simple fix.

This should work for all transports without any change, and ensures we only call close if create succeeded.

 net/9p/client.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/9p/client.c b/net/9p/client.c index bfa80f01992e..40b59431a566 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -971,6 +971,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) spin_lock_init(&clnt->lock); idr_init(&clnt->fids); idr_init(&clnt->reqs); + clnt->trans = ERR_PTR(-EINVAL); err = parse_opts(options, clnt); if (err < 0) 
@@ -992,6 +993,9 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) err = clnt->trans_mod->create(clnt, dev_name, options); if (err) goto out; + // ensure clnt->trans is initialized to call close() on destroy + if (IS_ERR(clnt->trans)) + clnt->trans = NULL; if (clnt->msize > clnt->trans_mod->maxsize) { clnt->msize = clnt->trans_mod->maxsize; @@ -1036,7 +1040,7 @@ void p9_client_destroy(struct p9_client *clnt) p9_debug(P9_DEBUG_MUX, "clnt %p\n", clnt); - if (clnt->trans_mod) + if (clnt->trans_mod && !IS_ERR(client->trans)) clnt->trans_mod->close(clnt); v9fs_put_trans(clnt->trans_mod); -- 2.35.1
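
Review bot: the `ERR_PTR(-EINVAL)` sentinel assigned in the first hunk (@@ -971,6 +971,7 @@, right after the `idr_init()` calls) is undocumented at the point where it is set; the only explanation sits in a comment in the next hunk. Please add a comment at the assignment stating that an error pointer in clnt->trans means create() has not succeeded yet. From this line until create() returns, anything that tests clnt->trans only against NULL will take the error pointer for a valid transport, so such tests would need IS_ERR_OR_NULL() rather than a plain NULL check.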
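
Review bot: in the second hunk (@@ -992,6 +993,9 @@), resetting the sentinel with `if (IS_ERR(clnt->trans)) clnt->trans = NULL;` means a transport whose create() never assigns clnt->trans will later reach close() with clnt->trans == NULL, since the new check in p9_client_destroy only excludes error pointers. The comment should say that every transport's close() has to tolerate a NULL clnt->trans, which is the assumption behind "should work for all transports without any change". As a style point, the added comment uses `//`; kernel code uses `/* ... */`.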
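
Review bot: the new condition in the third hunk (@@ -1036,7 +1040,7 @@) reads `!IS_ERR(client->trans)`, but the parameter of p9_client_destroy shown in the hunk header is `clnt`, and the rest of the line uses `clnt->trans_mod`. Unless `client` is declared somewhere not visible here, this does not compile; it should be `if (clnt->trans_mod && !IS_ERR(clnt->trans))`.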