diff options
| author | Zhengchao Shao <shaozhengchao@huawei.com> | 2022-11-10 20:26:06 +0800 |
|---|---|---|
| committer | Greg Kroah-Hartman <gregkh@linuxfoundation.org> | 2022-12-02 17:41:04 +0100 |
| commit | ee3ccd1abbe1124ab81626457c8451ba6ae07a4a (patch) | |
| tree | e992eadebaff449e8b15208708b7dfe4062bbe3b /net/9p | |
| parent | 131c2eeabc72a0b4cd55c160b4d2ccc5873a62d8 (diff) | |
| download | linux-ee3ccd1abbe1124ab81626457c8451ba6ae07a4a.tar.gz linux-ee3ccd1abbe1124ab81626457c8451ba6ae07a4a.tar.bz2 linux-ee3ccd1abbe1124ab81626457c8451ba6ae07a4a.zip | |
9p/fd: fix issue of list_del corruption in p9_fd_cancel()
[ Upstream commit 11c10956515b8ec44cf4f2a7b9d8bf8b9dc05ec4 ]
Syz reported the following issue:
kernel BUG at lib/list_debug.c:53!
invalid opcode: 0000 [#1] PREEMPT SMP KASAN
RIP: 0010:__list_del_entry_valid.cold+0x5c/0x72
Call Trace:
<TASK>
p9_fd_cancel+0xb1/0x270
p9_client_rpc+0x8ea/0xba0
p9_client_create+0x9c0/0xed0
v9fs_session_init+0x1e0/0x1620
v9fs_mount+0xba/0xb80
legacy_get_tree+0x103/0x200
vfs_get_tree+0x89/0x2d0
path_mount+0x4c0/0x1ac0
__x64_sys_mount+0x33b/0x430
do_syscall_64+0x35/0x80
entry_SYSCALL_64_after_hwframe+0x46/0xb0
</TASK>
The process is as follows:
Thread A: Thread B:
p9_poll_workfn() p9_client_create()
... ...
p9_conn_cancel() p9_fd_cancel()
list_del() ...
... list_del() //list_del
corruption
There is no lock protection when deleting list in p9_conn_cancel(). After
deleting list in Thread A, thread B will delete the same list again. It
will cause issue of list_del corruption.
Setting req->status to REQ_STATUS_ERROR under lock prevents other
cleanup paths from trying to manipulate req_list.
The other thread can safely check req->status because it still holds a
reference to req at this point.
Link: https://lkml.kernel.org/r/20221110122606.383352-1-shaozhengchao@huawei.com
Fixes: 52f1c45dde91 ("9p: trans_fd/p9_conn_cancel: drop client lock earlier")
Reported-by: syzbot+9b69b8d10ab4a7d88056@syzkaller.appspotmail.com
Signed-off-by: Zhengchao Shao <shaozhengchao@huawei.com>
[Dominique: add description of the fix in commit message]
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
Diffstat (limited to 'net/9p')
| -rw-r--r-- | net/9p/trans_fd.c | 2 |
1 files changed, 2 insertions, 0 deletions
diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index a8c1f742148c..31f2026514f3 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -204,9 +204,11 @@ static void p9_conn_cancel(struct p9_conn *m, int err) list_for_each_entry_safe(req, rtmp, &m->req_list, req_list) { list_move(&req->req_list, &cancel_list); + req->status = REQ_STATUS_ERROR; } list_for_each_entry_safe(req, rtmp, &m->unsent_req_list, req_list) { list_move(&req->req_list, &cancel_list); + req->status = REQ_STATUS_ERROR; } spin_unlock(&m->req_lock); |