From: Eric-Terminal
To: asmadeus@codewreck.org, ericvh@kernel.org, lucho@ionkov.net
Cc: stefano.stabellini@amd.com, v9fs@lists.linux.dev, linux-kernel@vger.kernel.org, Yufan Chen
Subject: [PATCH v3 1/2] 9p/trans_xen: make cleanup idempotent after dataring alloc errors
Date: Tue, 24 Mar 2026 23:30:22 +0800
Message-ID: <20260324153023.86853-2-ericterminal@gmail.com>
In-Reply-To: <20260324153023.86853-1-ericterminal@gmail.com>
References: <20260324153023.86853-1-ericterminal@gmail.com>
X-Mailing-List: linux-kernel@vger.kernel.org
From: Yufan Chen

xen_9pfs_front_alloc_dataring() tears down resources on failure but
leaves ring fields stale. If xen_9pfs_front_init() later jumps to the
common error path, xen_9pfs_front_free() may touch the same resources
again, causing duplicate/invalid gnttab_end_foreign_access() calls and
potentially dereferencing a freed intf pointer.

Initialize dataring sentinels before allocation, gate teardown on those
sentinels, and clear ref/intf/data/irq immediately after each release.
This keeps cleanup idempotent for partially initialized rings and
prevents repeated teardown during init failure handling.

Signed-off-by: Yufan Chen
---
v3:
- Split from mixed series into a dedicated 9p/trans_xen series.
- No functional changes since v2.

 net/9p/trans_xen.c | 51 +++++++++++++++++++++++++++++++++-------------

diff --git a/net/9p/trans_xen.c b/net/9p/trans_xen.c
index 47af5a10e..85b9ebfaa 100644
--- a/net/9p/trans_xen.c
+++ b/net/9p/trans_xen.c
@@ -283,25 +283,33 @@ static void xen_9pfs_front_free(struct xen_9pfs_front= _priv *priv) =20 cancel_work_sync(&ring->work); =20 - if (!priv->rings[i].intf) + if (!ring->intf) break; - if (priv->rings[i].irq > 0) - unbind_from_irqhandler(priv->rings[i].irq, ring); - if (priv->rings[i].data.in) { - for (j =3D 0; - j < (1 << priv->rings[i].intf->ring_order); + if (ring->irq >=3D 0) { + unbind_from_irqhandler(ring->irq, ring); + ring->irq =3D -1; + } + if (ring->data.in) { + for (j =3D 0; j < (1 << ring->intf->ring_order); j++) { grant_ref_t ref; =20 - ref =3D priv->rings[i].intf->ref[j]; + ref =3D ring->intf->ref[j]; gnttab_end_foreign_access(ref, NULL); + ring->intf->ref[j] =3D INVALID_GRANT_REF; } - free_pages_exact(priv->rings[i].data.in, - 1UL << (priv->rings[i].intf->ring_order + - XEN_PAGE_SHIFT)); + free_pages_exact(ring->data.in, + 1UL << (ring->intf->ring_order + + XEN_PAGE_SHIFT)); + ring->data.in =3D NULL; + ring->data.out =3D NULL; + } + if (ring->ref !=3D INVALID_GRANT_REF) { + gnttab_end_foreign_access(ring->ref, NULL); + ring->ref =3D INVALID_GRANT_REF; } - gnttab_end_foreign_access(priv->rings[i].ref, NULL); - free_page((unsigned long)priv->rings[i].intf); + free_page((unsigned long)ring->intf); + ring->intf =3D NULL; } kfree(priv->rings); } @@ -334,6 +342,12 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus= _device *dev, int ret =3D -ENOMEM; void *bytes =3D NULL; =20 + ring->intf =3D NULL; + ring->data.in =3D NULL; + ring->data.out =3D NULL; + ring->ref =3D INVALID_GRANT_REF; + ring->irq =3D -1; + init_waitqueue_head(&ring->wq); spin_lock_init(&ring->lock); INIT_WORK(&ring->work, p9_xen_response); 
@@ -379,9 +393,18 @@ static int xen_9pfs_front_alloc_dataring(struct xenbus= _device *dev, for (i--; i >=3D 0; i--) gnttab_end_foreign_access(ring->intf->ref[i], NULL); free_pages_exact(bytes, 1UL << (order + XEN_PAGE_SHIFT)); + ring->data.in =3D NULL; + ring->data.out =3D NULL; + } + if (ring->ref !=3D INVALID_GRANT_REF) { + gnttab_end_foreign_access(ring->ref, NULL); + ring->ref =3D INVALID_GRANT_REF; + } + if (ring->intf) { + free_page((unsigned long)ring->intf); + ring->intf =3D NULL; } - gnttab_end_foreign_access(ring->ref, NULL); - free_page((unsigned long)ring->intf); + ring->irq =3D -1; return ret; } =20 --=20 2.47.3
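Review bot: in the xen_9pfs_front_free() hunk, the IRQ gate changes from `if (priv->rings[i].irq > 0)` to `if (ring->irq >= 0)`. IRQ number 0 is not a valid Linux IRQ, so `> 0` would keep the old semantics and still work with the new -1 sentinel; with `>= 0`, a ring whose irq field was zero-initialised but never assigned would be handed to unbind_from_irqhandler(). That cannot happen today only because the loop breaks at the first ring with a NULL intf and xen_9pfs_front_alloc_dataring() now writes -1 before anything else, so either keep `> 0` or add a comment saying why 0 is treated as bound.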
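Review bot: in the sentinel hunk of xen_9pfs_front_alloc_dataring(), the sentinels are written only for rings that the function is actually called on, so rings that init never reached keep whatever values they held before; the free path copes only because it stops at the first ring with a NULL intf. That invariant deserves a comment next to the sentinel block (or above the `break` in xen_9pfs_front_free()), since a later change of that `break` to `continue` would start trusting ref/irq values that were never initialised.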
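Review bot: in the error-path hunk of xen_9pfs_front_alloc_dataring(), `ring->irq = -1;` is assigned unconditionally with no matching unbind, which is correct only if binding the IRQ is the last step that can fail; a one-line comment stating that, or a gate of the form `if (ring->irq >= 0) unbind_from_irqhandler(ring->irq, ring);` mirroring the free path, would keep it correct if a fallible step is ever added after the bind. Minor: the unwind loop `for (i--; i >= 0; i--) gnttab_end_foreign_access(ring->intf->ref[i], NULL);` does not write INVALID_GRANT_REF back into `ring->intf->ref[i]` as the free path now does; harmless because intf is freed a few lines below, but it is the one place the new convention is not followed.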
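As an added illustration of the double teardown the commit message describes (this is not the kernel's or the patch author's code), the following C model replaces Xen's grant table, the page allocator and the IRQ layer with counters, then runs the init-failure scenario twice: once with the pre-patch cleanup, which releases resources but leaves the ring fields stale, and once with the sentinel-gated cleanup the patch introduces. Everything here is constructed for the model: fake_grant(), fake_end(), fake_alloc_page(), fake_free_page(), run_scenario(), a single data page per ring standing in for data.in and the intf->ref[] array, and an irq value of 5 standing in for a bound event channel.

```c
#include <stdint.h>
#include <string.h>

typedef uint32_t grant_ref_t;
#define INVALID_GRANT_REF ((grant_ref_t)-1)
#define NRINGS 2
#define NSLOTS 16

/* Constructed stand-ins for the grant table and page allocator: a slot is
 * live from grant/alloc until its first end/free, and a second release of
 * the same slot is counted as bogus instead of corrupting anything. */
static int granted[NSLOTS], page_live[NSLOTS], next_page, bad_end_calls, bad_frees;
static grant_ref_t next_ref;

static void reset_fakes(void)
{
	memset(granted, 0, sizeof granted); memset(page_live, 0, sizeof page_live);
	next_ref = 0; next_page = 1;	/* page handle 0 plays the role of NULL */
	bad_end_calls = bad_frees = 0;
}
static grant_ref_t fake_grant(void) { granted[next_ref] = 1; return next_ref++; }
static void fake_end(grant_ref_t ref)
{ if (ref >= NSLOTS || !granted[ref]) bad_end_calls++; else granted[ref] = 0; }
static int fake_alloc_page(void) { page_live[next_page] = 1; return next_page++; }
static void fake_free_page(int page)
{ if (page <= 0 || page >= NSLOTS || !page_live[page]) bad_frees++; else page_live[page] = 0; }
int live_pages(void) { int n = 0; for (int i = 0; i < NSLOTS; i++) n += page_live[i]; return n; }

/* One ring reduced to the fields the teardown cares about; a single data
 * page and its grant stand in for data.in and the intf->ref[] array. */
struct ring { int intf, data; grant_ref_t ref, data_ref; int irq; };

/* Allocation steps shared by both variants (constructed, not the driver's). */
static int alloc_steps(struct ring *r, int fail_midway)
{
	r->intf = fake_alloc_page(); r->ref = fake_grant();
	if (fail_midway) return -1;	/* the partially initialised state at issue */
	r->data = fake_alloc_page(); r->data_ref = fake_grant(); r->irq = 5;
	return 0;
}

/* Pre-patch shape: the error path releases but leaves the fields stale. */
static int stale_alloc(struct ring *r, int fail_midway)
{
	if (alloc_steps(r, fail_midway) == 0) return 0;
	fake_end(r->ref);
	fake_free_page(r->intf);	/* r->ref and r->intf keep their old values */
	return -1;
}
static void stale_free_all(struct ring *rs, int n)
{
	for (int i = 0; i < n && rs[i].intf; i++) {
		if (rs[i].data) { fake_end(rs[i].data_ref); fake_free_page(rs[i].data); }
		fake_end(rs[i].ref);		/* ring 1: ends an already-ended ref */
		fake_free_page(rs[i].intf);	/* ring 1: frees an already-freed page */
	}
}

/* Patched shape: sentinels gate every release and are restored after it,
 * so the same routine serves the alloc error path and the final free. */
static void sentinel_release(struct ring *r)
{
	if (r->irq >= 0) r->irq = -1;	/* unbind_from_irqhandler() in the real code */
	if (r->data) {
		fake_end(r->data_ref); r->data_ref = INVALID_GRANT_REF;
		fake_free_page(r->data); r->data = 0;
	}
	if (r->ref != INVALID_GRANT_REF) { fake_end(r->ref); r->ref = INVALID_GRANT_REF; }
	if (r->intf) { fake_free_page(r->intf); r->intf = 0; }
}
static int sentinel_alloc(struct ring *r, int fail_midway)
{
	r->intf = r->data = 0;			/* sentinels first, as the patch does */
	r->ref = r->data_ref = INVALID_GRANT_REF;
	r->irq = -1;
	if (alloc_steps(r, fail_midway) == 0) return 0;
	sentinel_release(r);
	return -1;
}
static void sentinel_free_all(struct ring *rs, int n)
{
	for (int i = 0; i < n && rs[i].intf; i++)
		sentinel_release(&rs[i]);
}

/* The init-failure scenario from the commit message: ring 0 allocates
 * fully, ring 1 fails after granting its intf page, and the common error
 * path then frees every ring. Returns the number of bogus releases seen. */
int run_scenario(int use_sentinels)
{
	struct ring rs[NRINGS];
	memset(rs, 0, sizeof rs);	/* zeroed, like a kcalloc()ed array */
	reset_fakes();
	for (int i = 0; i < NRINGS; i++) {
		int rc = use_sentinels ? sentinel_alloc(&rs[i], i == 1) : stale_alloc(&rs[i], i == 1);
		if (rc == 0) continue;
		if (use_sentinels) sentinel_free_all(rs, NRINGS); else stale_free_all(rs, NRINGS);
		break;
	}
	return bad_end_calls + bad_frees;
}
```

run_scenario(0) reports two bogus releases (ring 1's intf grant is ended twice and its page is freed twice, the duplicate gnttab_end_foreign_access() and freed-intf access the commit message names), while run_scenario(1) reports none and both variants end with no live pages, which is the property the sentinel convention is meant to give xen_9pfs_front_free() when it runs after a failed xen_9pfs_front_alloc_dataring().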