From: Dominique Martinet Date: Wed, 17 Aug 2022 05:58:44 +0000 (+0900) Subject: 9p: trans_fd/p9_conn_cancel: drop client lock earlier X-Git-Tag: v5.15.92~1959 X-Git-Url: http://review.tizen.org/git/?a=commitdiff_plain;h=a4f1a01b2e81378fce9ca528d4d8a049e4b58fcd;p=platform%2Fkernel%2Flinux-rpi.git 9p: trans_fd/p9_conn_cancel: drop client lock earlier commit 52f1c45dde9136f964d63a77d19826c8a74e2c7f upstream. syzbot reported a double-lock here and we no longer need this lock after requests have been moved off to local list: just drop the lock earlier. Link: https://lkml.kernel.org/r/20220904064028.1305220-1-asmadeus@codewreck.org Reported-by: syzbot+50f7e8d06c3768dd97f3@syzkaller.appspotmail.com Signed-off-by: Dominique Martinet Tested-by: Schspa Shi Signed-off-by: Greg Kroah-Hartman --- diff --git a/net/9p/trans_fd.c b/net/9p/trans_fd.c index 6fe3719..ad4f0e0 100644 --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -207,6 +207,8 @@ static void p9_conn_cancel(struct p9_conn *m, int err) list_move(&req->req_list, &cancel_list); } + spin_unlock(&m->client->lock); + list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) { p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req); list_del(&req->req_list); @@ -214,7 +216,6 @@ static void p9_conn_cancel(struct p9_conn *m, int err) req->t_err = err; p9_client_cb(m->client, req, REQ_STATUS_ERROR); } - spin_unlock(&m->client->lock); } static __poll_t
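Review bot: With `spin_unlock(&m->client->lock)` moved ahead of the second loop, the `list_del(&req->req_list)` and the `req->t_err = err` write in that loop now run with no lock held, and nothing in the new code records why that is safe. The commit message relies on the requests already sitting on the local `cancel_list`, but that only holds if no other path unlinks `req->req_list` under `client->lock` without first checking the request's status. Those paths are not visible in this hunk, so the other users of `req_list` in this file should be checked for a possible list-corruption or use-after-free race. I would also add a comment above the unlock, for example `/* requests on cancel_list are private to this function from here on; drop client->lock before the callbacks (syzbot reported a double-lock on this path) */`. The body of p9_conn_cancel starts before the hunk, so the lock being held on entry is inferred from the removed `spin_unlock` line in the second hunk.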