From: Dominique Martinet
To: v9fs-developer@lists.sourceforge.net
Cc: Leon Romanovsky, linux_oss@crudebyte.com, linux-kernel@vger.kernel.org, syzkaller-bugs@googlegroups.com, Dominique Martinet, syzbot+67d13108d855f451cafc@syzkaller.appspotmail.com
Subject: [PATCH 1/2 v2] 9p: client_create/destroy: only call trans_mod->close after create
Date: Thu, 29 Sep 2022 06:58:00 +0900
Message-Id: <20220928215800.1749929-1-asmadeus@codewreck.org>
In-Reply-To: <20220928214417.1749609-1-asmadeus@codewreck.org>
References: <20220928214417.1749609-1-asmadeus@codewreck.org>

destroy code would incorrectly call close() if trans_mod exists after some hasty code cleanup: we need to make sure we only call close after create

Link: https://lkml.kernel.org/r/00000000000015ac7905e97ebaed@google.com
Reported-by: syzbot+67d13108d855f451cafc@syzkaller.appspotmail.com
Reported-by: Leon Romanovsky
Fixes: 3ff51294a055 ("9p: p9_client_create: use p9_client_destroy on failure")
Signed-off-by: Dominique Martinet
---
As pointed out in later mail, rdma actually does set trans->priv then fails, so we also need to reset clnt->trans on create errors.

That's getting uglier than I wish it'd be, but the cleanup code I just trashed away really isn't pretty either so I guess it'll have to do...

At least close() should now really never be called on create failures.

net/9p/client.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/9p/client.c b/net/9p/client.c index bfa80f01992e..8cf952f2de68 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -971,6 +971,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) spin_lock_init(&clnt->lock); idr_init(&clnt->fids); idr_init(&clnt->reqs); + clnt->trans = ERR_PTR(-EINVAL); err = parse_opts(options, clnt); if (err < 0)
@@ -990,8 +991,14 @@ struct p9_client *p9_client_create(const char *dev_name, char *options) clnt, clnt->trans_mod, clnt->msize, clnt->proto_version); err = clnt->trans_mod->create(clnt, dev_name, options); - if (err) + // ensure clnt->trans is initialized to call close() on destroy + // if and only if create succeeded + if (err < 0) { + clnt->trans = PTR_ERR(err); goto out; + } + if (IS_ERR(clnt->trans)) + clnt->trans = NULL; if (clnt->msize > clnt->trans_mod->maxsize) { clnt->msize = clnt->trans_mod->maxsize; @@ -1036,7 +1043,7 @@ void p9_client_destroy(struct p9_client *clnt) p9_debug(P9_DEBUG_MUX, "clnt %p\n", clnt); - if (clnt->trans_mod) + if (clnt->trans_mod && !IS_ERR(client->trans)) clnt->trans_mod->close(clnt); v9fs_put_trans(clnt->trans_mod); -- 2.35.1
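
Review bot: In the first hunk (@@ -971,6 +971,7 @@), the sentinel assignment "clnt->trans = ERR_PTR(-EINVAL);" has no comment at the point where it is set; the only explanation sits in the next hunk, after the create() call. A one-line comment here stating that an error pointer in clnt->trans means "transport create() has not succeeded, p9_client_destroy() must skip close()" would make the invariant visible to anyone reading the early error paths, starting with the parse_opts() check right below it.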
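
Review bot: In the second hunk (@@ -990,8 +991,14 @@), the error branch uses the wrong helper: "clnt->trans = PTR_ERR(err);" turns a pointer into a long, whereas here an int error code has to become a pointer, so it should be "clnt->trans = ERR_PTR(err);", matching the ERR_PTR(-EINVAL) in the first hunk. As written, an integer is assigned to a pointer field. Two smaller points in the same hunk: the test changed from "if (err)" to "if (err < 0)", so a positive return from create() is now treated as success and reaches the "clnt->trans = NULL" reset, which deserves a word in the commit message if intended; and the new "//" comment should use the "/* ... */" form used elsewhere in kernel code.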
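
Review bot: In the last hunk (@@ -1036,7 +1043,7 @@), the new condition dereferences "client->trans", but the parameter of p9_client_destroy() is named clnt (see the hunk header, "struct p9_client *clnt"), so this does not build. It should read "if (clnt->trans_mod && !IS_ERR(clnt->trans))".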