[PATCH] v9fs: fix handling of malformed 9P messages (cb2e87a6) · Commits · e / devices / android_kernel_fairphone_FP4

fs/9p/error.h

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -47,6 +47,7 @@ static struct errormap errmap[] = {
	{"Operation not permitted", EPERM},		{"Operation not permitted", EPERM},
	{"wstat prohibited", EPERM},		{"wstat prohibited", EPERM},
	{"No such file or directory", ENOENT},		{"No such file or directory", ENOENT},
			{"directory entry not found", ENOENT},
	{"file not found", ENOENT},		{"file not found", ENOENT},
	{"Interrupted system call", EINTR},		{"Interrupted system call", EINTR},
	{"Input/output error", EIO},		{"Input/output error", EIO},

fs/9p/mux.c

+34 −19

Original line number	Original line	Diff line number	Diff line
	@@ -162,17 +162,20 @@ static int v9fs_recv(struct v9fs_session_info v9ses, struct v9fs_rpcreq req)
	dprintk(DEBUG_MUX, "waiting for response: %d\n", req->tcall->tag);		dprintk(DEBUG_MUX, "waiting for response: %d\n", req->tcall->tag);
	ret = wait_event_interruptible(v9ses->read_wait,		ret = wait_event_interruptible(v9ses->read_wait,
	((v9ses->transport->status != Connected) \|\|		((v9ses->transport->status != Connected) \|\|
	(req->rcall != 0) \|\| dprintcond(v9ses, req)));		(req->rcall != 0) \|\| (req->err < 0) \|\|
			dprintcond(v9ses, req)));

	dprintk(DEBUG_MUX, "got it: rcall %p\n", req->rcall);		dprintk(DEBUG_MUX, "got it: rcall %p\n", req->rcall);
	if (v9ses->transport->status == Disconnected)
	return -ECONNRESET;

	if (ret == 0) {
	spin_lock(&v9ses->muxlock);		spin_lock(&v9ses->muxlock);
	list_del(&req->next);		list_del(&req->next);
	spin_unlock(&v9ses->muxlock);		spin_unlock(&v9ses->muxlock);
	}
			if (req->err < 0)
			return req->err;

			if (v9ses->transport->status == Disconnected)
			return -ECONNRESET;

	return ret;		return ret;
	}		}
	@@ -245,6 +248,9 @@ v9fs_mux_rpc(struct v9fs_session_info v9ses, struct v9fs_fcall tcall,
	if (!v9ses)		if (!v9ses)
	return -EINVAL;		return -EINVAL;

			if (!v9ses->transport \|\| v9ses->transport->status != Connected)
			return -EIO;

	if (rcall)		if (rcall)
	*rcall = NULL;		*rcall = NULL;

	@@ -257,6 +263,7 @@ v9fs_mux_rpc(struct v9fs_session_info v9ses, struct v9fs_fcall tcall,
	tcall->tag = tid;		tcall->tag = tid;

	req.tcall = tcall;		req.tcall = tcall;
			req.err = 0;
	req.rcall = NULL;		req.rcall = NULL;

	ret = v9fs_send(v9ses, &req);		ret = v9fs_send(v9ses, &req);
	@@ -371,11 +378,15 @@ static int v9fs_recvproc(void *data)
	}		}

	err = read_message(v9ses, rcall, v9ses->maxdata + V9FS_IOHDRSZ);		err = read_message(v9ses, rcall, v9ses->maxdata + V9FS_IOHDRSZ);
			spin_lock(&v9ses->muxlock);
	if (err < 0) {		if (err < 0) {
	kfree(rcall);		list_for_each_entry_safe(rreq, rptr, &v9ses->mux_fcalls, next) {
	break;		rreq->err = err;
	}		}
	spin_lock(&v9ses->muxlock);		if(err != -ERESTARTSYS)
			eprintk(KERN_ERR,
			"Transport error while reading message %d\n", err);
			} else {
	list_for_each_entry_safe(rreq, rptr, &v9ses->mux_fcalls, next) {		list_for_each_entry_safe(rreq, rptr, &v9ses->mux_fcalls, next) {
	if (rreq->tcall->tag == rcall->tag) {		if (rreq->tcall->tag == rcall->tag) {
	req = rreq;		req = rreq;
	@@ -383,6 +394,7 @@ static int v9fs_recvproc(void *data)
	break;		break;
	}		}
	}		}
			}

	if (req && (req->tcall->id == TFLUSH)) {		if (req && (req->tcall->id == TFLUSH)) {
	struct v9fs_rpcreq *treq = NULL;		struct v9fs_rpcreq *treq = NULL;
	@@ -399,6 +411,7 @@ static int v9fs_recvproc(void *data)
	spin_unlock(&v9ses->muxlock);		spin_unlock(&v9ses->muxlock);

	if (!req) {		if (!req) {
			if (err >= 0)
	dprintk(DEBUG_ERROR,		dprintk(DEBUG_ERROR,
	"unexpected response: id %d tag %d\n",		"unexpected response: id %d tag %d\n",
	rcall->id, rcall->tag);		rcall->id, rcall->tag);
	@@ -410,6 +423,8 @@ static int v9fs_recvproc(void *data)
	set_current_state(TASK_INTERRUPTIBLE);		set_current_state(TASK_INTERRUPTIBLE);
	}		}

			v9ses->transport->close(v9ses->transport);

	/* Inform all pending processes about the failure */		/* Inform all pending processes about the failure */
	wake_up_all(&v9ses->read_wait);		wake_up_all(&v9ses->read_wait);

fs/9p/mux.h

+1 −0

Original line number	Original line	Diff line number	Diff line
	@@ -28,6 +28,7 @@
	struct v9fs_rpcreq {		struct v9fs_rpcreq {
	struct v9fs_fcall *tcall;		struct v9fs_fcall *tcall;
	struct v9fs_fcall *rcall;		struct v9fs_fcall *rcall;
			int err; /* error code if response failed */

	/* XXX - could we put scatter/gather buffers here? */		/* XXX - could we put scatter/gather buffers here? */

fs/9p/trans_sock.c

+10 −2

Original line number	Original line	Diff line number	Diff line
	@@ -254,7 +254,12 @@ v9fs_unix_init(struct v9fs_session_info v9ses, const char dev_name,

	static void v9fs_sock_close(struct v9fs_transport *trans)		static void v9fs_sock_close(struct v9fs_transport *trans)
	{		{
	struct v9fs_trans_sock *ts = trans ? trans->priv : NULL;		struct v9fs_trans_sock *ts;

			if (!trans)
			return;

			ts = trans->priv;

	if ((ts) && (ts->s)) {		if ((ts) && (ts->s)) {
	dprintk(DEBUG_TRANS, "closing the socket %p\n", ts->s);		dprintk(DEBUG_TRANS, "closing the socket %p\n", ts->s);
	@@ -264,7 +269,10 @@ static void v9fs_sock_close(struct v9fs_transport *trans)
	dprintk(DEBUG_TRANS, "socket closed\n");		dprintk(DEBUG_TRANS, "socket closed\n");
	}		}

			if (ts)
	kfree(ts);		kfree(ts);

			trans->priv = NULL;
	}		}

	struct v9fs_transport v9fs_trans_tcp = {		struct v9fs_transport v9fs_trans_tcp = {