[PATCH 5.4 15/90] 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work

linux-kernel.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+77a25acfa0382e06ab23@syzkaller.appspotmail.com,
	Wang Hai <wanghai38@huawei.com>,
	Dominique Martinet <asmadeus@codewreck.org>
Subject: [PATCH 5.4 15/90] 9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work
Date: Mon,  3 Aug 2020 14:18:37 +0200	[thread overview]
Message-ID: <20200803121858.353670261@linuxfoundation.org> (raw)
In-Reply-To: <20200803121857.546052424@linuxfoundation.org>

From: Wang Hai <wanghai38@huawei.com>

commit 74d6a5d5662975aed7f25952f62efbb6f6dadd29 upstream.

p9_read_work and p9_fd_cancelled may be called concurrently.
In some cases, req->req_list may be deleted by both p9_read_work
and p9_fd_cancelled.

We can fix it by ignoring replies associated with a cancelled
request and ignoring cancelled request if message has been received
before lock.

Link: http://lkml.kernel.org/r/20200612090833.36149-1-wanghai38@huawei.com
Fixes: 60ff779c4abb ("9p: client: remove unused code and any reference to "cancelled" function")
Cc: <stable@vger.kernel.org> # v3.12+
Reported-by: syzbot+77a25acfa0382e06ab23@syzkaller.appspotmail.com
Signed-off-by: Wang Hai <wanghai38@huawei.com>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/9p/trans_fd.c |   15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -362,6 +362,10 @@ static void p9_read_work(struct work_str
 		if (m->rreq->status == REQ_STATUS_SENT) {
 			list_del(&m->rreq->req_list);
 			p9_client_cb(m->client, m->rreq, REQ_STATUS_RCVD);
+		} else if (m->rreq->status == REQ_STATUS_FLSHD) {
+			/* Ignore replies associated with a cancelled request. */
+			p9_debug(P9_DEBUG_TRANS,
+				 "Ignore replies associated with a cancelled request\n");
 		} else {
 			spin_unlock(&m->client->lock);
 			p9_debug(P9_DEBUG_ERROR,
@@ -703,11 +707,20 @@ static int p9_fd_cancelled(struct p9_cli
 {
 	p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
 
+	spin_lock(&client->lock);
+	/* Ignore cancelled request if message has been received
+	 * before lock.
+	 */
+	if (req->status == REQ_STATUS_RCVD) {
+		spin_unlock(&client->lock);
+		return 0;
+	}
+
 	/* we haven't received a response for oldreq,
 	 * remove it from the list.
 	 */
-	spin_lock(&client->lock);
 	list_del(&req->req_list);
+	req->status = REQ_STATUS_FLSHD;
 	spin_unlock(&client->lock);
 	p9_req_put(req);

next prev parent reply	other threads:[~2020-08-03 12:46 UTC|newest]

Thread overview: 91+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-08-03 12:18 [PATCH 5.4 00/90] 5.4.56-rc1 review Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 01/90] crypto: ccp - Release all allocated memory if sha type is invalid Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 02/90] media: rc: prevent memory leak in cx23888_ir_probe Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 03/90] sunrpc: check that domain table is empty at module unload Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 04/90] ath10k: enable transmit data ack RSSI for QCA9884 Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 05/90] PCI/ASPM: Disable ASPM on ASMedia ASM1083/1085 PCIe-to-PCI bridge Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 06/90] mm/filemap.c: dont bother dropping mmap_sem for zero size readahead Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 07/90] ALSA: usb-audio: Add implicit feedback quirk for SSL2 Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 08/90] ALSA: hda/realtek: enable headset mic of ASUS ROG Zephyrus G15(GA502) series with ALC289 Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 09/90] ALSA: hda/realtek: typo_fix: enable headset mic of ASUS ROG Zephyrus G14(GA401) " Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 10/90] ALSA: hda/realtek: Fix add a "ultra_low_power" function for intel reference board (alc256) Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 11/90] ALSA: hda/realtek - Fixed HP right speaker no sound Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 12/90] ALSA: hda/hdmi: Fix keep_power assignment for non-component devices Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 13/90] IB/rdmavt: Fix RQ counting issues causing use of an invalid RWQE Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 14/90] vhost/scsi: fix up req type endian-ness Greg Kroah-Hartman
2020-08-03 12:18 ` Greg Kroah-Hartman [this message]
2020-08-03 12:18 ` [PATCH 5.4 16/90] wireless: Use offsetof instead of custom macro Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 17/90] ARM: 8986/1: hw_breakpoint: Dont invoke overflow handler on uaccess watchpoints Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 18/90] ARM: dts: imx6sx-sabreauto: Fix the phy-mode on fec2 Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 19/90] ARM: dts: imx6sx-sdb: " Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 20/90] ARM: dts: imx6qdl-icore: Fix OTG_ID pin and sdcard detect Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 21/90] virtio_balloon: fix up endian-ness for free cmd id Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 22/90] random32: update the net random state on interrupt and activity Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 23/90] ARM: percpu.h: fix build error Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 24/90] Revert "drm/amdgpu: Fix NULL dereference in dpm sysfs handlers" Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 25/90] drm/amd/display: Clear dm_state for fast updates Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 26/90] drm/amdgpu: Prevent kernel-infoleak in amdgpu_info_ioctl() Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 27/90] drm/dbi: Fix SPI Type 1 (9-bit) transfer Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 28/90] drm: hold gem reference until object is no longer accessed Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 29/90] random: fix circular include dependency on arm64 after addition of percpu.h Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 30/90] random32: remove net_rand_state from the latent entropy gcc plugin Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 31/90] rds: Prevent kernel-infoleak in rds_notify_queue_get() Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 32/90] libtraceevent: Fix build with binutils 2.35 Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 33/90] net/x25: Fix x25_neigh refcnt leak when x25 disconnect Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 34/90] net/x25: Fix null-ptr-deref in x25_disconnect Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 35/90] xfrm: policy: match with both mark and mask on user interfaces Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 36/90] ARM: dts sunxi: Relax a bit the CMA pool allocation range Greg Kroah-Hartman
2020-08-03 12:18 ` [PATCH 5.4 37/90] xfrm: Fix crash when the hold queue is used Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 38/90] ARM: dts: armada-38x: fix NETA lockup when repeatedly switching speeds Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 39/90] nvme-tcp: fix possible hang waiting for icresp response Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 40/90] selftests/net: rxtimestamp: fix clang issues for target arch PowerPC Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 41/90] selftests/net: psock_fanout: " Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 42/90] selftests/net: so_txtime: " Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 43/90] sh/tlb: Fix PGTABLE_LEVELS > 2 Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 44/90] sh: Fix validation of system call number Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 45/90] net: hns3: fix a TX timeout issue Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 46/90] net: hns3: fix aRFS FD rules leftover after add a user FD rule Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 47/90] net/mlx5: E-switch, Destroy TSAR when fail to enable the mode Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 48/90] net/mlx5e: Fix error path of device attach Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 49/90] net/mlx5: Verify Hardware supports requested ptp function on a given pin Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 50/90] net/mlx5e: Modify uplink state on interface up/down Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 51/90] net/mlx5e: Fix kernel crash when setting vf VLANID on a VF dev Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 52/90] net: lan78xx: add missing endpoint sanity check Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 53/90] net: lan78xx: fix transfer-buffer memory leak Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 54/90] rhashtable: Fix unprotected RCU dereference in __rht_ptr Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 55/90] mlx4: disable device on shutdown Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 56/90] mlxsw: core: Increase scope of RCU read-side critical section Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 57/90] mlxsw: core: Free EMAD transactions using kfree_rcu() Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 58/90] ibmvnic: Fix IRQ mapping disposal in error path Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 59/90] bpf: Fix map leak in HASH_OF_MAPS map Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 60/90] mac80211: mesh: Free ie data when leaving mesh Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 61/90] mac80211: mesh: Free pending skb when destroying a mpath Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 62/90] arm64/alternatives: move length validation inside the subsection Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 63/90] arm64: csum: Fix handling of bad packets Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 64/90] Bluetooth: fix kernel oops in store_pending_adv_report Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 65/90] net: nixge: fix potential memory leak in nixge_probe() Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 66/90] net: gemini: Fix missing clk_disable_unprepare() in error path of gemini_ethernet_port_probe() Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 67/90] net/mlx5e: fix bpf_prog reference count leaks in mlx5e_alloc_rq Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 68/90] perf tools: Fix record failure when mixed with ARM SPE event Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 69/90] vxlan: fix memleak of fdb Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 70/90] usb: hso: Fix debug compile warning on sparc32 Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 71/90] selftests: fib_nexthop_multiprefix: fix cleanup() netns deletion Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 72/90] qed: Disable "MFW indication via attention" SPAM every 5 minutes Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 73/90] selftests: net: ip_defrag: modprobe missing nf_defrag_ipv6 support Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 74/90] nfc: s3fwrn5: add missing release on skb in s3fwrn5_recv_frame Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 75/90] scsi: core: Run queue in case of I/O resource contention failure Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 76/90] parisc: add support for cmpxchg on u8 pointers Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 77/90] net: ethernet: ravb: exit if re-initialization fails in tx timeout Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 78/90] Revert "i2c: cadence: Fix the hold bit setting" Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 79/90] x86/unwind/orc: Fix ORC for newly forked tasks Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 80/90] x86/stacktrace: Fix reliable check for empty user task stacks Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 81/90] cxgb4: add missing release on skb in uld_send() Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 82/90] xen-netfront: fix potential deadlock in xennet_remove() Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 83/90] RISC-V: Set maximum number of mapped pages correctly Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 84/90] drivers/net/wan: lapb: Corrected the usage of skb_cow Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 85/90] KVM: arm64: Dont inherit exec permission across page-table levels Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 86/90] KVM: LAPIC: Prevent setting the tscdeadline timer if the lapic is hw disabled Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 87/90] x86/i8259: Use printk_deferred() to prevent deadlock Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 88/90] perf tests bp_account: Make global variable static Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 89/90] perf env: Do not return pointers to local variables Greg Kroah-Hartman
2020-08-03 12:19 ` [PATCH 5.4 90/90] perf bench: Share some global variables to fix build with gcc 10 Greg Kroah-Hartman

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20200803121858.353670261@linuxfoundation.org \
    --to=gregkh@linuxfoundation.org \
    --cc=asmadeus@codewreck.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=stable@vger.kernel.org \
    --cc=syzbot+77a25acfa0382e06ab23@syzkaller.appspotmail.com \
    --cc=wanghai38@huawei.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).