Commit 946acde0 authored Aug 17, 2022 by Dominique Martinet Committed by sanglipeng Jul 20, 2023

9p: trans_fd/p9_conn_cancel: drop client lock earlier

stable inclusion
from stable-v5.10.156
commit f14858bc77c567e089965962877ee726ffad0556
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I7MCG1

Reference: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?id=f14858bc77c567e089965962877ee726ffad0556

--------------------------------

commit 52f1c45d upstream.

syzbot reported a double-lock here and we no longer need this
lock after requests have been moved off to local list:
just drop the lock earlier.

Link: https://lkml.kernel.org/r/20220904064028.1305220-1-asmadeus@codewreck.org


Reported-by:  <syzbot+50f7e8d06c3768dd97f3@syzkaller.appspotmail.com>
Signed-off-by: Dominique Martinet <asmadeus@codewreck.org>
Tested-by: Schspa Shi <schspa@gmail.com>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: sanglipeng <sanglipeng1@jd.com>

parent 64c2a349

net/9p/trans_fd.c

+2 −1

Original line number	Diff line number	Diff line
		@@ -205,6 +205,8 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
		list_move(&req->req_list, &cancel_list);
		}

		spin_unlock(&m->client->lock);

		list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) {
		p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req);
		list_del(&req->req_list);
		@@ -212,7 +214,6 @@ static void p9_conn_cancel(struct p9_conn *m, int err)
		req->t_err = err;
		p9_client_cb(m->client, req, REQ_STATUS_ERROR);
		}
		spin_unlock(&m->client->lock);
		}

		static __poll_t