All of lore.kernel.org
 help / color / mirror / Atom feed
* [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create
@ 2022-10-04 21:51 Dominique Martinet
  2022-10-04 21:51 ` [PATCH 2/2] 9p: avoid double put_trans on parse_opt failure Dominique Martinet
  2022-10-04 22:05 ` [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create Dominique Martinet
  0 siblings, 2 replies; 4+ messages in thread
From: Dominique Martinet @ 2022-10-04 21:51 UTC (permalink / raw)
  To: Christian Schoenebeck
  Cc: v9fs-developer, linux-kernel, Dan Carpenter, Leon Romanovsky,
	Dominique Martinet, syzbot+67d13108d855f451cafc

destroy code would incorrectly call close() if trans_mod exists after some
hasty code cleanup: we need to make sure we only call close after create

The new bool added to track this has been added in a hole of the struct
and will not increase p9_client's size.
It might be possible to do better with a bit more work, but that will
have to do for now.

Link: https://lkml.kernel.org/r/00000000000015ac7905e97ebaed@google.com
Reported-by: syzbot+67d13108d855f451cafc@syzkaller.appspotmail.com
Reported-by: Leon Romanovsky <leon@kernel.org>
Fixes: 3ff51294a055 ("9p: p9_client_create: use p9_client_destroy on failure")
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
---
v4: start over from scratch with a pool to properly track initialization
state instead of kludging over clnt->trans itself which is "private" to
the trans

 include/net/9p/client.h | 2 ++
 net/9p/client.c         | 3 ++-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/include/net/9p/client.h b/include/net/9p/client.h
index 78ebcf782ce5..3f7f473da05a 100644
--- a/include/net/9p/client.h
+++ b/include/net/9p/client.h
@@ -89,6 +89,7 @@ struct p9_req_t {
  * @lock: protect @fids and @reqs
  * @msize: maximum data size negotiated by protocol
  * @proto_version: 9P protocol version to use
+ * @trans_initialized: Whether transport's close() is safe to call
  * @trans_mod: module API instantiated with this client
  * @status: connection state
  * @trans: tranport instance state and API
@@ -103,6 +104,7 @@ struct p9_client {
 	spinlock_t lock;
 	unsigned int msize;
 	unsigned char proto_version;
+	bool trans_initialized;
 	struct p9_trans_module *trans_mod;
 	enum p9_trans_status status;
 	void *trans;
diff --git a/net/9p/client.c b/net/9p/client.c
index bfa80f01992e..cf2d5b60b61b 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -992,6 +992,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options)
 	err = clnt->trans_mod->create(clnt, dev_name, options);
 	if (err)
 		goto out;
+	clnt->trans_initialized = true;
 
 	if (clnt->msize > clnt->trans_mod->maxsize) {
 		clnt->msize = clnt->trans_mod->maxsize;
@@ -1036,7 +1037,7 @@ void p9_client_destroy(struct p9_client *clnt)
 
 	p9_debug(P9_DEBUG_MUX, "clnt %p\n", clnt);
 
-	if (clnt->trans_mod)
+	if (clnt->trans_mod && clnt->trans_initialized)
 		clnt->trans_mod->close(clnt);
 
 	v9fs_put_trans(clnt->trans_mod);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* [PATCH 2/2] 9p: avoid double put_trans on parse_opt failure
  2022-10-04 21:51 [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create Dominique Martinet
@ 2022-10-04 21:51 ` Dominique Martinet
  2022-10-04 22:05 ` [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create Dominique Martinet
  1 sibling, 0 replies; 4+ messages in thread
From: Dominique Martinet @ 2022-10-04 21:51 UTC (permalink / raw)
  To: Christian Schoenebeck
  Cc: v9fs-developer, linux-kernel, Dan Carpenter, Leon Romanovsky,
	Dominique Martinet

p9_client_destroy will catch that trans and put it when p9_client_create fails

This was brought up when reviewing an alternative implementation of the
previous patch [1]

Link: https://lkml.kernel.org/r/YzVzjR4Yz3Oo3JS+@codewreck.org [1]
Fixes: 3ff51294a055 ("9p: p9_client_create: use p9_client_destroy on failure")
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
---
 net/9p/client.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/net/9p/client.c b/net/9p/client.c
index cf2d5b60b61b..693e06213a04 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -212,8 +212,6 @@ static int parse_opts(char *opts, struct p9_client *clnt)
 	}
 
 free_and_return:
-	if (ret)
-		v9fs_put_trans(clnt->trans_mod);
 	kfree(tmp_options);
 	return ret;
 }
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create
  2022-10-04 21:51 [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create Dominique Martinet
  2022-10-04 21:51 ` [PATCH 2/2] 9p: avoid double put_trans on parse_opt failure Dominique Martinet
@ 2022-10-04 22:05 ` Dominique Martinet
  1 sibling, 0 replies; 4+ messages in thread
From: Dominique Martinet @ 2022-10-04 22:05 UTC (permalink / raw)
  To: Christian Schoenebeck
  Cc: v9fs-developer, linux-kernel, Dan Carpenter, Leon Romanovsky,
	syzbot+67d13108d855f451cafc

Dominique Martinet wrote on Wed, Oct 05, 2022 at 06:51:13AM +0900:
> destroy code would incorrectly call close() if trans_mod exists after some
> hasty code cleanup: we need to make sure we only call close after create
> 
> The new bool added to track this has been added in a hole of the struct
> and will not increase p9_client's size.
> It might be possible to do better with a bit more work, but that will
> have to do for now.
> 
> Link: https://lkml.kernel.org/r/00000000000015ac7905e97ebaed@google.com
> Reported-by: syzbot+67d13108d855f451cafc@syzkaller.appspotmail.com
> Reported-by: Leon Romanovsky <leon@kernel.org>
> Fixes: 3ff51294a055 ("9p: p9_client_create: use p9_client_destroy on failure")

Oh... Fixing tags for stable made me notice this actually wasn't merged
into 5.19 unlike what I thought, so we only have the original bug of
potentially freeing the idr with tags still in it.

That's a much smaller bug and I'll just remove the first
p9_client_destroy on failure patch for this merge window (small leak
that requires root on error) ; then we can take time to properly fix
this one way or another for next cycle.

--
Dominique

^ permalink raw reply	[flat|nested] 4+ messages in thread
* [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create
  2022-09-28 10:07 [syzbot] KASAN: use-after-free Read in rdma_close Leon Romanovsky
@ 2022-09-28 21:44 ` Dominique Martinet
  0 siblings, 0 replies; 4+ messages in thread
From: Dominique Martinet @ 2022-09-28 21:44 UTC (permalink / raw)
  To: v9fs-developer
  Cc: Leon Romanovsky, linux_oss, linux-kernel, syzkaller-bugs,
	Dominique Martinet, syzbot+67d13108d855f451cafc

destroy code would incorrectly call close() if trans_mod exists after some
hasty code cleanup: we need to make sure we only call close after create

Link: https://lkml.kernel.org/r/00000000000015ac7905e97ebaed@google.com
Reported-by: syzbot+67d13108d855f451cafc@syzkaller.appspotmail.com
Reported-by: Leon Romanovsky <leon@kernel.org>
Fixes: 3ff51294a055 ("9p: p9_client_create: use p9_client_destroy on failure")
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
---
I tried to make trans->create() return clnt->trans to assign directly
from there, but rdma callbacks need clnt->trans to be set early during
init and the diff was just too big for a simple fix.
This should work for all transports without any change, and ensures we
only call close if create succeeded.

 net/9p/client.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/net/9p/client.c b/net/9p/client.c
index bfa80f01992e..40b59431a566 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -971,6 +971,7 @@ struct p9_client *p9_client_create(const char *dev_name, char *options)
 	spin_lock_init(&clnt->lock);
 	idr_init(&clnt->fids);
 	idr_init(&clnt->reqs);
+	clnt->trans = ERR_PTR(-EINVAL);
 
 	err = parse_opts(options, clnt);
 	if (err < 0)
@@ -992,6 +993,9 @@ struct p9_client *p9_client_create(const char *dev_name, char *options)
 	err = clnt->trans_mod->create(clnt, dev_name, options);
 	if (err)
 		goto out;
+	// ensure clnt->trans is initialized to call close() on destroy
+	if (IS_ERR(clnt->trans))
+		clnt->trans = NULL;
 
 	if (clnt->msize > clnt->trans_mod->maxsize) {
 		clnt->msize = clnt->trans_mod->maxsize;
@@ -1036,7 +1040,7 @@ void p9_client_destroy(struct p9_client *clnt)
 
 	p9_debug(P9_DEBUG_MUX, "clnt %p\n", clnt);
 
-	if (clnt->trans_mod)
+	if (clnt->trans_mod && !IS_ERR(client->trans))
 		clnt->trans_mod->close(clnt);
 
 	v9fs_put_trans(clnt->trans_mod);
-- 
2.35.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2022-10-04 22:05 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-10-04 21:51 [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create Dominique Martinet
2022-10-04 21:51 ` [PATCH 2/2] 9p: avoid double put_trans on parse_opt failure Dominique Martinet
2022-10-04 22:05 ` [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create Dominique Martinet
  -- strict thread matches above, loose matches on Subject: below --
2022-09-28 10:07 [syzbot] KASAN: use-after-free Read in rdma_close Leon Romanovsky
2022-09-28 21:44 ` [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create Dominique Martinet

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.