From a84b69cb6e0a41e86bc593904faa6def3b957343 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sat, 4 Jul 2015 16:04:19 -0400 Subject: 9p: forgetting to cancel request on interrupted zero-copy RPC If we'd already sent a request and decide to abort it, we *must* issue TFLUSH properly and not just blindly reuse the tag, or we'll get seriously screwed when response eventually arrives and we confuse it for response to later request that had reused the same tag. Cc: stable@vger.kernel.org # v3.2 and later Signed-off-by: Al Viro --- net/9p/client.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) (limited to 'net/9p') diff --git a/net/9p/client.c b/net/9p/client.c index 6f4c4c88db84..28f36e4556f9 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -843,7 +843,8 @@ static struct p9_req_t *p9_client_zc_rpc(struct p9_client *c, int8_t type, if (err < 0) { if (err == -EIO) c->status = Disconnected; - goto reterr; + if (err != -ERESTARTSYS) + goto reterr; } if (req->status == REQ_STATUS_ERROR) { p9_debug(P9_DEBUG_ERROR, "req_status error %d\n", req->t_err); -- cgit v1.2.3 From 67e808fbb0404a12d9b9830a44bbb48d447d8bc9 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sat, 4 Jul 2015 16:11:05 -0400 Subject: p9_client_write(): avoid double p9_free_req() Braino in "9p: switch p9_client_write() to passing it struct iov_iter *"; if response is impossible to parse and we discard the request, get the out of the loop right there. Cc: stable@vger.kernel.org Signed-off-by: Al Viro --- net/9p/client.c | 1 + 1 file changed, 1 insertion(+) (limited to 'net/9p') diff --git a/net/9p/client.c b/net/9p/client.c index 28f36e4556f9..81925b923318 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -1648,6 +1648,7 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) if (*err) { trace_9p_protocol_dump(clnt, req->rc); p9_free_req(clnt, req); + break; } p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", count); -- cgit v1.2.3 From 0f1db7dee200127da4c07928189748918c312031 Mon Sep 17 00:00:00 2001 From: Al Viro Date: Sat, 4 Jul 2015 16:17:39 -0400 Subject: 9p: cope with bogus responses from server in p9_client_{read,write} if server claims to have written/read more than we'd told it to, warn and cap the claimed byte count to avoid advancing more than we are ready to. --- net/9p/client.c | 8 ++++++++ 1 file changed, 8 insertions(+) (limited to 'net/9p') diff --git a/net/9p/client.c b/net/9p/client.c index 81925b923318..498454b3c06c 100644 --- a/net/9p/client.c +++ b/net/9p/client.c @@ -1583,6 +1583,10 @@ p9_client_read(struct p9_fid *fid, u64 offset, struct iov_iter *to, int *err) p9_free_req(clnt, req); break; } + if (rsize < count) { + pr_err("bogus RREAD count (%d > %d)\n", count, rsize); + count = rsize; + } p9_debug(P9_DEBUG_9P, "<<< RREAD count %d\n", count); if (!count) { @@ -1650,6 +1654,10 @@ p9_client_write(struct p9_fid *fid, u64 offset, struct iov_iter *from, int *err) p9_free_req(clnt, req); break; } + if (rsize < count) { + pr_err("bogus RWRITE count (%d > %d)\n", count, rsize); + count = rsize; + } p9_debug(P9_DEBUG_9P, "<<< RWRITE count %d\n", count); -- cgit v1.2.3