Wind River Support Network

Status: Acknowledged

LIN1024-12993 : Security Advisory - linux - CVE-2025-40027

Created: Oct 29, 2025    Updated: Oct 30, 2025
Found In Version: 10.24.33.1
Severity: Standard
Applicable for: Wind River Linux LTS 24
Component/s: Kernel

Description

In the Linux kernel, the following vulnerability has been resolved:

net/9p: fix double req put in p9_fd_cancelled

Syzkaller reports a KASAN issue as below:

general protection fault, probably for non-canonical address 0xfbd59c0000000021: 0000 [#1] PREEMPT SMP KASAN NOPTI
KASAN: maybe wild-memory-access in range [0xdead000000000108-0xdead00000000010f]
CPU: 0 PID: 5083 Comm: syz-executor.2 Not tainted 6.1.134-syzkaller-00037-g855bd1d7d838 #0
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.12.0-1 04/01/2014
RIP: 0010:__list_del include/linux/list.h:114 [inline]
RIP: 0010:__list_del_entry include/linux/list.h:137 [inline]
RIP: 0010:list_del include/linux/list.h:148 [inline]
RIP: 0010:p9_fd_cancelled+0xe9/0x200 net/9p/trans_fd.c:734

Call Trace:
 <TASK>
 p9_client_flush+0x351/0x440 net/9p/client.c:614
 p9_client_rpc+0xb6b/0xc70 net/9p/client.c:734
 p9_client_version net/9p/client.c:920 [inline]
 p9_client_create+0xb51/0x1240 net/9p/client.c:1027
 v9fs_session_init+0x1f0/0x18f0 fs/9p/v9fs.c:408
 v9fs_mount+0xba/0xcb0 fs/9p/vfs_super.c:126
 legacy_get_tree+0x108/0x220 fs/fs_context.c:632
 vfs_get_tree+0x8e/0x300 fs/super.c:1573
 do_new_mount fs/namespace.c:3056 [inline]
 path_mount+0x6a6/0x1e90 fs/namespace.c:3386
 do_mount fs/namespace.c:3399 [inline]
 __do_sys_mount fs/namespace.c:3607 [inline]
 __se_sys_mount fs/namespace.c:3584 [inline]
 __x64_sys_mount+0x283/0x300 fs/namespace.c:3584
 do_syscall_x64 arch/x86/entry/common.c:51 [inline]
 do_syscall_64+0x35/0x80 arch/x86/entry/common.c:81
 entry_SYSCALL_64_after_hwframe+0x6e/0xd8

This happens because of a race condition between:

- The 9p client sending an invalid flush request and later cleaning it up;
- The 9p client in p9_read_work() cancelling all pending requests.

      Thread 1                              Thread 2
    ...
    p9_client_create()
    ...
    p9_fd_create()
    ...
    p9_conn_create()
    ...
    // start Thread 2
    INIT_WORK(&m->rq, p9_read_work);
                                        p9_read_work()
    ...
    p9_client_rpc()
    ...
                                        ...
                                        p9_conn_cancel()
                                        ...
                                        spin_lock(&m->req_lock);
    ...
    p9_fd_cancelled()
    ...
                                        ...
                                        spin_unlock(&m->req_lock);
                                        // status rewrite
                                        p9_client_cb(m->client, req, REQ_STATUS_ERROR)
                                        // first remove
                                        list_del(&req->req_list);
                                        ...

    spin_lock(&m->req_lock)
    ...
    // second remove
    list_del(&req->req_list);
    spin_unlock(&m->req_lock)
  ...

Commit 74d6a5d56629 ("9p/trans_fd: Fix concurrency del of req_list in
p9_fd_cancelled/p9_read_work") fixes a concurrency issue in the 9p filesystem
client where the req_list could be deleted simultaneously by both
p9_read_work and p9_fd_cancelled functions, but only for the case where req->status
equals REQ_STATUS_RCVD.

Update the check for req->status in p9_fd_cancelled to skip processing not
just received requests, but anything that is not SENT, as whatever
changed the state from SENT also removed the request from its list.

Found by Linux Verification Center (linuxtesting.org) with Syzkaller.

[updated the check from status == RECV  (| status == ERROR to status != SENT)
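The interleaving and the fix, as an added user-space model that is not the kernel's code: a minimal doubly linked list with kernel-style poison values stands in for list.h, and p9_fd_cancelled() takes a flag that selects the check before the patch (skip only RCVD) or after it (skip anything that is not SENT). The function names follow net/9p/trans_fd.c, but the bodies are simplified assumptions, and list_del() reports a double removal instead of faulting on the poison pointer.

```c
/* Added example (not the kernel's code): a user-space model of the
 * p9_fd_cancelled() race above. Names mirror net/9p/trans_fd.c, but the
 * list, lock and status values are simplified stand-ins. */
#include <stdbool.h>

/* Kernel-style poison values written by list_del(): a second unlink on
 * the same node dereferences them and faults, as in the trace above. */
#define LIST_POISON1 ((struct list_head *)0xdead000000000100UL)
#define LIST_POISON2 ((struct list_head *)0xdead000000000122UL)

enum req_status { REQ_STATUS_SENT, REQ_STATUS_RCVD, REQ_STATUS_ERROR };
struct list_head { struct list_head *next, *prev; };
struct p9_req { enum req_status status; struct list_head req_list; };

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add(struct list_head *n, struct list_head *h) {
    n->next = h->next; n->prev = h; h->next->prev = n; h->next = n;
}
/* Unlike the kernel's void list_del(), this returns false instead of
 * dereferencing poison, so a double removal is observable in a test. */
static bool list_del(struct list_head *n) {
    if (n->next == LIST_POISON1 || n->prev == LIST_POISON2)
        return false;                   /* already unlinked: double remove */
    n->prev->next = n->next; n->next->prev = n->prev;
    n->next = LIST_POISON1; n->prev = LIST_POISON2;
    return true;
}

/* Thread 2 path: p9_conn_cancel() rewrites the status and unlinks the request. */
static void p9_conn_cancel_one(struct p9_req *req) {
    req->status = REQ_STATUS_ERROR;     /* status rewrite */
    list_del(&req->req_list);           /* first remove */
}

/* Thread 1 path. 'fixed' selects the check before the patch (skip only RCVD)
 * or after it (skip anything != SENT). False means a second list_del() ran. */
static bool p9_fd_cancelled(struct p9_req *req, bool fixed) {
    bool skip = fixed ? (req->status != REQ_STATUS_SENT)
                      : (req->status == REQ_STATUS_RCVD);
    if (skip) return true;              /* whatever changed the state already unlinked it */
    return list_del(&req->req_list);    /* second remove when the race is lost */
}
/* Drives the advisory's interleaving: cancel completes first, then cancelled runs. */
static bool race(bool fixed) {
    struct list_head head; struct p9_req req = { REQ_STATUS_SENT };
    list_init(&head); list_add(&req.req_list, &head);
    p9_conn_cancel_one(&req);
    return p9_fd_cancelled(&req, fixed);
}
```

With the pre-patch check, race(false) reports the second list_del() on already-poisoned pointers, which is the general protection fault in the trace; with the patched check it is skipped.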