From: Greg Kroah-Hartman Date: Sat, 1 Aug 2020 11:47:03 +0000 (+0200) Subject: 4.19-stable patches X-Git-Tag: v5.7.13~60 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=9c753fe7c6a623adc51d76c9ae527c91f798c5c3;p=thirdparty%2Fkernel%2Fstable-queue.git 4.19-stable patches added patches: 9p-trans_fd-fix-concurrency-del-of-req_list-in-p9_fd_cancelled-p9_read_work.patch
---
diff --git a/queue-4.19/9p-trans_fd-fix-concurrency-del-of-req_list-in-p9_fd_cancelled-p9_read_work.patch b/queue-4.19/9p-trans_fd-fix-concurrency-del-of-req_list-in-p9_fd_cancelled-p9_read_work.patch
new file mode 100644
index 00000000000..6ce1b0a6671
--- /dev/null
+++ b/queue-4.19/9p-trans_fd-fix-concurrency-del-of-req_list-in-p9_fd_cancelled-p9_read_work.patch
@@ -0,0 +1,64 @@
+From 74d6a5d5662975aed7f25952f62efbb6f6dadd29 Mon Sep 17 00:00:00 2001
+From: Wang Hai
+Date: Fri, 12 Jun 2020 17:08:33 +0800
+Subject: 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work
+
+From: Wang Hai
+
+commit 74d6a5d5662975aed7f25952f62efbb6f6dadd29 upstream.
+
+p9_read_work and p9_fd_cancelled may be called concurrently.
+In some cases, req->req_list may be deleted by both p9_read_work
+and p9_fd_cancelled.
+
+We can fix it by ignoring replies associated with a cancelled
+request and ignoring cancelled request if message has been received
+before lock.
+
+Link: http://lkml.kernel.org/r/20200612090833.36149-1-wanghai38@huawei.com
+Fixes: 60ff779c4abb ("9p: client: remove unused code and any reference to "cancelled" function")
+Cc: # v3.12+
+Reported-by: syzbot+77a25acfa0382e06ab23@syzkaller.appspotmail.com
+Signed-off-by: Wang Hai
+Signed-off-by: Dominique Martinet
+Signed-off-by: Greg Kroah-Hartman
+
+---
+ net/9p/trans_fd.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+--- a/net/9p/trans_fd.c
++++ b/net/9p/trans_fd.c
+@@ -377,6 +377,10 @@ static void p9_read_work(struct work_str
+ if (m->rreq->status == REQ_STATUS_SENT) {
+ list_del(&m->rreq->req_list);
+ p9_client_cb(m->client, m->rreq, REQ_STATUS_RCVD);
++ } else if (m->rreq->status == REQ_STATUS_FLSHD) {
++ /* Ignore replies associated with a cancelled request. */
++ p9_debug(P9_DEBUG_TRANS,
++ "Ignore replies associated with a cancelled request\n");
+ } else {
+ spin_unlock(&m->client->lock);
+ p9_debug(P9_DEBUG_ERROR,
+@@ -718,11 +722,20 @@ static int p9_fd_cancelled(struct p9_cli
+ {
+ p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
+
++ spin_lock(&client->lock);
++ /* Ignore cancelled request if message has been received
++ * before lock.
++ */
++ if (req->status == REQ_STATUS_RCVD) {
++ spin_unlock(&client->lock);
++ return 0;
++ }
++
+ /* we haven't received a response for oldreq,
+ * remove it from the list.
+ */
+- spin_lock(&client->lock);
+ list_del(&req->req_list);
++ req->status = REQ_STATUS_FLSHD;
+ spin_unlock(&client->lock);
+ p9_req_put(req);
+
diff --git a/queue-4.19/series b/queue-4.19/series
index 6906767b6a7..9c16ad9e993 100644
--- a/queue-4.19/series
+++ b/queue-4.19/series
@@ -10,3 +10,4 @@ btrfs-inode-verify-inode-mode-to-avoid-null-pointer-.patch
 sctp-implement-memory-accounting-on-tx-path.patch
 btrfs-fix-selftests-failure-due-to-uninitialized-i_m.patch
 pci-aspm-disable-aspm-on-asmedia-asm1083-1085-pcie-to-pci-bridge.patch
+9p-trans_fd-fix-concurrency-del-of-req_list-in-p9_fd_cancelled-p9_read_work.patch
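Review bot: The new guard in p9_fd_cancelled skips only `REQ_STATUS_RCVD`, so a request that arrives in any other non-SENT state still falls through to `list_del(&req->req_list)` and `p9_req_put(req)`. In the same patch p9_read_work unlinks a request only while its status is `REQ_STATUS_SENT`; if some other path not visible in these hunks (a connection-error teardown, for instance) also unlinks the request and moves it out of SENT, the list entry would be deleted and the reference dropped a second time, which is the same class of list corruption the commit sets out to close. Checking `if (req->status != REQ_STATUS_SENT)` under `client->lock` would cover every such state rather than just the received one. Both function bodies continue outside the hunks shown, so this should be confirmed against the full file.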