Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

Merge tag '9p-for-5.8-2' of git://github.com/martinetd/linux into master

Pull 9p fixes from Dominique Martinet:
"A couple of syzkaller fixes for 5.8

The first one in particular has been quite noisy ("broke" in -rc5) so
this would be worth landing even this late even if users likely won't
see a difference"

* tag '9p-for-5.8-2' of git://github.com/martinetd/linux:
9p/trans_fd: Fix concurrency del of req_list in p9_fd_cancelled/p9_read_work
net/9p: validate fds in p9_fd_open

+30 -9
+30 -9
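--- a/net/9p/trans_fd.c
+++ b/net/9p/trans_fd.c
@@ -362,6 +362,10 @@
 if (m->rreq->status == REQ_STATUS_SENT) {
 list_del(&m->rreq->req_list);
 p9_client_cb(m->client, m->rreq, REQ_STATUS_RCVD);
+} else if (m->rreq->status == REQ_STATUS_FLSHD) {
+/* Ignore replies associated with a cancelled request. */
+p9_debug(P9_DEBUG_TRANS,
+"Ignore replies associated with a cancelled request\n");
 } else {
 spin_unlock(&m->client->lock);
 p9_debug(P9_DEBUG_ERROR,
@@ -703,11 +707,20 @@
 {
 p9_debug(P9_DEBUG_TRANS, "client %p req %p\n", client, req);
 
+spin_lock(&client->lock);
+/* Ignore cancelled request if message has been received
+ * before lock.
+ */
+if (req->status == REQ_STATUS_RCVD) {
+spin_unlock(&client->lock);
+return 0;
+}
+
 /* we haven't received a response for oldreq,
  * remove it from the list.
  */
-spin_lock(&client->lock);
 list_del(&req->req_list);
+req->status = REQ_STATUS_FLSHD;
 spin_unlock(&client->lock);
 p9_req_put(req);
 
@@ -803,20 +816,28 @@
 return -ENOMEM;
 
 ts->rd = fget(rfd);
+if (!ts->rd)
+goto out_free_ts;
+if (!(ts->rd->f_mode & FMODE_READ))
+goto out_put_rd;
 ts->wr = fget(wfd);
-if (!ts->rd || !ts->wr) {
-if (ts->rd)
-fput(ts->rd);
-if (ts->wr)
-fput(ts->wr);
-kfree(ts);
-return -EIO;
-}
+if (!ts->wr)
+goto out_put_rd;
+if (!(ts->wr->f_mode & FMODE_WRITE))
+goto out_put_wr;
 
 client->trans = ts;
 client->status = Connected;
 
 return 0;
+
+out_put_wr:
+fput(ts->wr);
+out_put_rd:
+fput(ts->rd);
+out_free_ts:
+kfree(ts);
+return -EIO;
 }
 
 static int p9_socket_open(struct p9_client *client, struct socket *csocket)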
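Review bot: In the p9_fd_cancelled hunk the new early return covers only `REQ_STATUS_RCVD`, so a request that arrives here in any other non-SENT state still goes through `list_del(&req->req_list)` and `p9_req_put(req)`. The read side in the first hunk unlinks only when the status is `REQ_STATUS_SENT`; mirroring that here with `if (req->status != REQ_STATUS_SENT) {` in place of `if (req->status == REQ_STATUS_RCVD) {` would keep the two paths from unlinking, or dropping a reference on, the same request twice. Whether another path (for example connection teardown) can take the request off the list under a different status is not visible in this section, so treat this as a hardening suggestion to confirm against the rest of the file. The function's signature and tail lie outside the hunk.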