[PATCH] 9p net: cache tag in p9_client_cb

From: Dominique Martinet
Date: Tue Jun 22 2021 - 13:12:20 EST


req->tc.tag is not safe to access after status has been set,
because tag is reclaimed by p9_client_rpc and not by the p9_req_put
below as one might think.

Reported-by: jim.cromie@xxxxxxxxx
Signed-off-by: Dominique Martinet <asmadeus@xxxxxxxxxxxxx>
---
net/9p/client.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/9p/client.c b/net/9p/client.c
index b7b958f61faf..3e95a56ead80 100644
--- a/net/9p/client.c
+++ b/net/9p/client.c
@@ -419,7 +419,8 @@ static void p9_tag_cleanup(struct p9_client *c)
*/
void p9_client_cb(struct p9_client *c, struct p9_req_t *req, int status)
{
- p9_debug(P9_DEBUG_MUX, " tag %d\n", req->tc.tag);
+ u16 tag = req->tc.tag;
+ p9_debug(P9_DEBUG_MUX, " tag %d\n", tag);

/*
* This barrier is needed to make sure any change made to req before
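Review bot: The new declaration `u16 tag = req->tc.tag;` is followed directly by the `p9_debug()` call with no blank line after it, which checkpatch reports as "Missing a blank line after declarations" in kernel code; add the blank line. Since the whole reason for the copy is that `tc.tag` is only trustworthy before `status` is published, the explanation is more useful next to the copy than at the later use, e.g. `/* snapshot the tag now: once status is set the waiter may reclaim it */` above the declaration. The body of p9_client_cb continues in the next hunk.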
@@ -429,7 +430,8 @@ void p9_client_cb(struct p9_client *c, struct p9_req_t *req, int status)
req->status = status;

wake_up(&req->wq);
- p9_debug(P9_DEBUG_MUX, "wakeup: %d\n", req->tc.tag);
+ /* req->tc.tag is not safe to access after status has been set */
+ p9_debug(P9_DEBUG_MUX, "wakeup: %d\n", tag);
p9_req_put(req);
}
EXPORT_SYMBOL(p9_client_cb);
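Review bot: The comment added above the second `p9_debug()` says `req->tc.tag` is unsafe after `status` is set but not why, and the why is what the next person editing the lines between `req->status = status;` and `p9_req_put(req);` needs; the commit message has it, so suggest `/* the woken p9_client_rpc() may already have reclaimed req->tc.tag; only the reference dropped in p9_req_put() below keeps req itself alive */`. Spelling out the struct-versus-tag distinction also explains why `wake_up(&req->wq)` on the preceding line is still fine to touch req at that point, assuming the caller holds the reference that p9_req_put() releases. The function's signature and opening brace are in the previous hunk.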
--
2.31.1

