[PATCH] 9p: trans_fd/p9_conn_cancel: drop client lock earlier

From: Dominique Martinet
Date: Wed Aug 17 2022 - 01:58:44 EST

Next message: asmadeus: "Re: [syzbot] KASAN: use-after-free Read in p9_req_put"
Previous message: Krzysztof Kozlowski: "Re: [RFC v4 01/10] dt-bindings: pwm: Document Synopsys DesignWare snps,pwm-dw-apb-timers-pwm2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

syzbot reported a double-lock here and we no longer need this
lock after requests have been moved off to local list:
just drop the lock earlier.

Reported-by: syzbot+50f7e8d06c3768dd97f3@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Dominique Martinet <asmadeus@xxxxxxxxxxxxx>

diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c
index e758978b44be..60fcc6b30b46 100644
--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -205,6 +205,8 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
list_move(&req->req_list, &cancel_list);
}

+ spin_unlock(&m->client->lock);
+
list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) {
p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req);
list_del(&req->req_list);
@@ -212,7 +214,6 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
req->t_err = err;
p9_client_cb(m->client, req, REQ_STATUS_ERROR);
}
- spin_unlock(&m->client->lock);
}

static __poll_t
----

- but I don't get the two 'inconsistent lock state', the hint says it's
possibly an interrupt while the lock was held but that doesn't seem to
be the case from the stack trace (unless we leaked the lock, at which
point anything goes)
I'd need to take time to look at it, feel free to beat me to these.

--
Dominique

Next message: asmadeus: "Re: [syzbot] KASAN: use-after-free Read in p9_req_put"
Previous message: Krzysztof Kozlowski: "Re: [RFC v4 01/10] dt-bindings: pwm: Document Synopsys DesignWare snps,pwm-dw-apb-timers-pwm2"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]