From: Eric-Terminal
To: Eric Van Hensbergen
Cc: Latchesar Ionkov, Dominique Martinet, Christian Schoenebeck, v9fs@lists.linux.dev, linux-kernel@vger.kernel.org, Yufan Chen
Subject: [PATCH] 9p/trans_xen: make cleanup idempotent after dataring alloc errors
Date: Wed, 25 Feb 2026 09:08:53 +0800
Message-ID: <20260225010853.15916-1-ericterminal@gmail.com>

From: Yufan Chen

xen_9pfs_front_alloc_dataring() tears down resources on failure but
leaves ring fields stale. If xen_9pfs_front_init() later jumps to the
common error path, xen_9pfs_front_free() may touch the same resources
again, causing duplicate/invalid gnttab_end_foreign_access() calls and
potentially dereferencing a freed intf pointer.

Initialize dataring sentinels before allocation, gate teardown on those
sentinels, and clear ref/intf/data/irq immediately after each release.
This keeps cleanup idempotent for partially initialized rings and
prevents repeated teardown during init failure handling.

Signed-off-by: Yufan Chen
---
 net/9p/trans_xen.c | 51 +++++++++++++++++++++++++++++++++-------------
 1 file changed, 37 insertions(+), 14 deletions(-)

diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 47af5a10e..85b9ebfaa 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -283,25 +283,33 @@ static void xen_9pfs_front_free(struct xen_9pfs_front= _priv *priv) =20 cancel_work_sync(&ring->work); =20 - if (!priv->rings[i].intf) + if (!ring->intf) break; - if (priv->rings[i].irq > 0) - unbind_from_irqhandler(priv->rings[i].irq, ring); - if (priv->rings[i].data.in) { - for (j =3D 0; - j < (1 << priv->rings[i].intf->ring_order); + if (ring->irq >=3D 0) { + unbind_from_irqhandler(ring->irq, ring); + ring->irq =3D -1; + } + if (ring->data.in) { + for (j =3D 0; j < (1 << ring->intf->ring_order); j++) { grant_ref_t ref; =20 - ref =3D priv->rings[i].intf->ref[j]; + ref =3D ring->intf->ref[j]; gnttab_end_foreign_access(ref, NULL); + ring->intf->ref[j] =3D INVALID_GRANT_REF; } - free_pages_exact(priv->rings[i].data.in, - 1UL << (priv->rings[i].intf->ring_order + - XEN_PAGE_SHIFT)); + free_pages_exact(ring->data.in, + 1UL << (ring->intf->ring_order + + XEN_PAGE_SHIFT)); + ring->data.in =3D NULL; + ring->data.out =3D NULL; + } + if (ring->ref !=3D INVALID_GRANT_REF) { + gnttab_end_foreign_access(ring->ref, NULL); + ring->ref =3D INVALID_GRANT_REF; } - gnttab_end_foreign_access(priv->rings[i].ref, NULL); - free_page((unsigned long)priv->rings[i].intf); + free_page((unsigned long)ring->intf); + ring->intf =3D NULL; } kfree(priv->rings); } @@ -334,6 +342,12 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus= _device *dev, int ret =3D -ENOMEM; void *bytes =3D NULL; =20 + ring->intf =3D NULL; + ring->data.in =3D NULL; + ring->data.out =3D NULL; + ring->ref =3D INVALID_GRANT_REF; + ring->irq =3D -1; + init_waitqueue_head(&ring->wq); spin_lock_init(&ring->lock); INIT_WORK(&ring->work, p9_xen_response); 
@@ -379,9 +393,18 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus= _device *dev, for (i--; i >=3D 0; i--) gnttab_end_foreign_access(ring->intf->ref[i], NULL); free_pages_exact(bytes, 1UL << (order + XEN_PAGE_SHIFT)); + ring->data.in =3D NULL; + ring->data.out =3D NULL; + } + if (ring->ref !=3D INVALID_GRANT_REF) { + gnttab_end_foreign_access(ring->ref, NULL); + ring->ref =3D INVALID_GRANT_REF; + } + if (ring->intf) { + free_page((unsigned long)ring->intf); + ring->intf =3D NULL; } - gnttab_end_foreign_access(ring->ref, NULL); - free_page((unsigned long)ring->intf); + ring->irq =3D -1; return ret; } =20 --=20 2.47.3
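
Review bot: In the xen_9pfs_front_free() hunk, cancel_work_sync(&ring->work) still runs before the `if (!ring->intf) break;` test, so the first ring that xen_9pfs_front_alloc_dataring() was never called on is passed to cancel_work_sync() even though INIT_WORK() for it lives in that function. Since the patch targets partially initialized state, consider moving the intf test above cancel_work_sync(), or confirm the work item is initialized elsewhere. The store `ring->intf->ref[j] = INVALID_GRANT_REF;` in the same hunk is also never read: the loop ends access on every ref[j] without testing for the sentinel, and ring->intf is freed a few lines later, so either drop the store or gate the call on it the way ring->ref is gated.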
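
Review bot: The sentinel block added at the top of xen_9pfs_front_alloc_dataring() has no comment tying it to xen_9pfs_front_free(), which is the code that depends on these exact values (`ring->irq = -1`, `ring->ref = INVALID_GRANT_REF`, NULL intf and data pointers). A short comment above the block stating that contract would help, including that -1 is now the "not bound" value for irq, because the free path changes its test from `> 0` to `>= 0` and the commit message does not mention that.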
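
Review bot: The error path at the end of xen_9pfs_front_alloc_dataring() now repeats the ring->ref and ring->intf teardown that xen_9pfs_front_free() performs, with the same sentinel checks written out in both places. A small static helper called from both would keep the two sequences from drifting apart. Also, `ring->irq = -1;` is assigned here without an unbind_from_irqhandler() call, unlike the free path; if no failure label can be reached once the irq is bound, a one-line comment saying so would make that clear.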