From: Dominique Martinet <asmadeus@codewreck.org>
To: Christian Schoenebeck <linux_oss@crudebyte.com>
Cc: v9fs-developer@lists.sourceforge.net,
linux-kernel@vger.kernel.org,
Dan Carpenter <dan.carpenter@oracle.com>,
Leon Romanovsky <leon@kernel.org>,
syzbot+67d13108d855f451cafc@syzkaller.appspotmail.com
Subject: Re: [PATCH 1/2] 9p: client_create/destroy: only call trans_mod->close after create
Date: Wed, 5 Oct 2022 07:05:02 +0900
Message-ID: <YzyuDiQb6arOvUOm@codewreck.org>
In-Reply-To: <20221004215114.1850991-1-asmadeus@codewreck.org>

Dominique Martinet wrote on Wed, Oct 05, 2022 at 06:51:13AM +0900:
> destroy code would incorrectly call close() if trans_mod exists after some
> hasty code cleanup: we need to make sure we only call close after create
>
> The new bool added to track this has been added in a hole of the struct
> and will not increase p9_client's size.
> It might be possible to do better with a bit more work, but that will
> have to do for now.
>
> Link: https://lkml.kernel.org/r/00000000000015ac7905e97ebaed@google.com
> Reported-by: syzbot+67d13108d855f451cafc@syzkaller.appspotmail.com
> Reported-by: Leon Romanovsky <leon@kernel.org>
> Fixes: 3ff51294a055 ("9p: p9_client_create: use p9_client_destroy on failure")

Oh... Fixing tags for stable made me notice this actually wasn't merged
into 5.19 unlike what I thought, so we only have the original bug of
potentially freeing the idr with tags still in it.

That's a much smaller bug and I'll just remove the first
p9_client_destroy on failure patch for this merge window (small leak
that requires root on error); then we can take time to properly fix
this one way or another for next cycle.
--
Dominique
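
The guard described in the quoted commit message, as an added userspace sketch that is not part of the original mail or of the kernel patch: a shared destroy path calls close() only when create() succeeded, and the tracking bool sits in existing struct padding. All struct, field and function names here are hypothetical, and the size check assumes a typical ABI where pointers are aligned to more than two bytes.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Simplified model; names are hypothetical, not the kernel's 9p structures. */
struct transport {
	int (*create)(void **priv, int fail);
	void (*close)(void *priv);
};

struct client {
	char proto;                    /* 1 byte, then padding before the pointer */
	bool trans_created;            /* lands in that padding (typical ABI) */
	const struct transport *trans; /* assigned before create() is attempted */
	void *priv;                    /* only valid once create() succeeded */
};

/* Same layout without the flag, used only to compare sizes. */
struct client_nobool { char proto; const struct transport *trans; void *priv; };

static int close_calls;

static int demo_create(void **priv, int fail)
{
	return fail ? -1 : ((*priv = malloc(16)) ? 0 : -1);
}

static void demo_close(void *priv) { close_calls++; free(priv); }

static const struct transport demo_trans = { demo_create, demo_close };

static void client_destroy(struct client *c)
{
	/* Testing c->trans alone is not enough: it is set even if create() failed. */
	if (c->trans && c->trans_created)
		c->trans->close(c->priv);
	free(c);
}

/* Runs one create/destroy cycle and returns how many times close() ran. */
static int client_cycle(int fail_create)
{
	struct client *c = calloc(1, sizeof(*c));

	close_calls = 0;
	if (!c)
		return -1;
	c->trans = &demo_trans;
	c->trans_created = (c->trans->create(&c->priv, fail_create) == 0);
	client_destroy(c); /* one cleanup path for both success and failure */
	return close_calls;
}

static int flag_fits_in_hole(void)
{
	return sizeof(struct client) == sizeof(struct client_nobool);
}
```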