From mboxrd@z Thu Jan 1 00:00:00 1970 From: Dominique Martinet Subject: [PATCH 2/2] 9p/trans_fd: put worker reqs on destroy Date: Tue, 9 Oct 2018 06:05:56 +0200 Message-ID: <1539057956-23741-2-git-send-email-asmadeus@codewreck.org> References: <20181009020949.GA29622@nautica> <1539057956-23741-1-git-send-email-asmadeus@codewreck.org> Cc: Dominique Martinet , v9fs-developer@lists.sourceforge.net, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, Eric Van Hensbergen , Latchesar Ionkov , Tomas Bortoli To: unlisted-recipients:; (no To-header on input) Return-path: In-Reply-To: <1539057956-23741-1-git-send-email-asmadeus@codewreck.org> Sender: linux-kernel-owner@vger.kernel.org List-Id: netdev.vger.kernel.org From: Dominique Martinet p9_read_work/p9_write_work might still hold references to a req after having been cancelled; make sure we put any of these to avoid potential request leak on disconnect. Fixes: 728356dedeff8 ("9p: Add refcount to p9_req_t") Signed-off-by: Dominique Martinet Cc: Eric Van Hensbergen Cc: Latchesar Ionkov Cc: Tomas Bortoli --- Noticed we could leak a ref while looking at the syzbot report, this should be safe enough after the work has been cancelled... Probably. net/9p/trans_fd.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index a0317d459cde..f868cf6fba79 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -876,7 +876,15 @@ static void p9_conn_destroy(struct p9_conn *m) p9_mux_poll_stop(m); cancel_work_sync(&m->rq); + if (m->rreq) { + p9_req_put(m->rreq); + m->rreq = NULL; + } cancel_work_sync(&m->wq); + if (m->wreq) { + p9_req_put(m->wreq); + m->wreq = NULL; + } p9_conn_cancel(m, -ECONNRESET); -- 2.19.1