Merge tag '9p-for-6.7-rc7' of https://github.com/martinetd/linux

Pull 9p fixes from Dominique Martinet: "Two small fixes scheduled for stable trees: A tracepoint fix that's been reading past the end of messages forever, but semi-recently also went over the end of the buffer. And a potential incorrectly freeing garbage in pdu parsing error path" * tag '9p-for-6.7-rc7' of https://github.com/martinetd/linux: net: 9p: avoid freeing uninit memory in p9pdu_vreadf 9p: prevent read overrun in protocol dump tracepoint

Merge tag '9p-for-6.7-rc7' of https://github.com/martinetd/linux
Pull 9p fixes from Dominique Martinet: "Two small fixes scheduled for stable trees: A tracepoint fix that's been reading past the end of messages forever, but semi-recently also went over the end of the buffer. And a potential incorrectly freeing garbage in pdu parsing error path" * tag '9p-for-6.7-rc7' of https://github.com/martinetd/linux: net: 9p: avoid freeing uninit memory in p9pdu_vreadf 9p: prevent read overrun in protocol dump tracepoint
93a165cb · Linus Torvalds · 24e0d2e5 · ff49bf18 · 93a165cb · 93a165cb
Commit 93a165cb authored Dec 22, 2023 by Linus Torvalds
Show whitespace changes
Inline Side-by-side

Showing with 20 additions and 8 deletions

include/trace/events/9p.h include/trace/events/9p.h +7 -4

net/9p/protocol.c net/9p/protocol.c +13 -4

No files found.
--- a/include/trace/events/9p.h
+++ b/include/trace/events/9p.h
@@ -178,18 +178,21 @@ TRACE_EVENT(9p_protocol_dump,
 		    __field(	void *,		clnt				)
 		    __field(	__u8,		type				)
 		    __field(	__u16,		tag				)
-		    __array(	unsigned char,	line,	P9_PROTO_DUMP_SZ	)
+		    __dynamic_array(unsigned char, line,
+				min_t(size_t, pdu->capacity, P9_PROTO_DUMP_SZ))
 		    ),
 	    TP_fast_assign(
 		    __entry->clnt   =  clnt;
 		    __entry->type   =  pdu->id;
 		    __entry->tag    =  pdu->tag;
-		    memcpy(__entry->line, pdu->sdata, P9_PROTO_DUMP_SZ);
+		    memcpy(__get_dynamic_array(line), pdu->sdata,
+				__get_dynamic_array_len(line));
 		    ),
-	    TP_printk("clnt %lu %s(tag = %d)\n%.3x: %16ph\n%.3x: %16ph\n",
+	    TP_printk("clnt %lu %s(tag = %d)\n%*ph\n",
 		      (unsigned long)__entry->clnt, show_9p_op(__entry->type),
-		      __entry->tag, 0, __entry->line, 16, __entry->line + 16)
+		      __entry->tag, __get_dynamic_array_len(line),
+		      __get_dynamic_array(line))
 );

--- a/net/9p/protocol.c
+++ b/net/9p/protocol.c
@@ -394,6 +394,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
 				uint16_t *nwname = va_arg(ap, uint16_t *);
 				char ***wnames = va_arg(ap, char ***);
+				*wnames = NULL;
 				errcode = p9pdu_readf(pdu, proto_version,
 								"w", nwname);
 				if (!errcode) {
@@ -403,6 +405,8 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
 							  GFP_NOFS);
 					if (!*wnames)
 						errcode = -ENOMEM;
+					else
+						(*wnames)[0] = NULL;
 				}
 				if (!errcode) {
@@ -414,22 +418,27 @@ p9pdu_vreadf(struct p9_fcall *pdu, int proto_version, const char *fmt,
 								proto_version,
 								"s",
 								&(*wnames)[i]);
-						if (errcode)
+						if (errcode) {
+							(*wnames)[i] = NULL;
 							break;
 						}
 					}
+				}
 				if (errcode) {
 					if (*wnames) {
 						int i;
-						for (i = 0; i < *nwname; i++)
+						for (i = 0; i < *nwname; i++) {
+							if (!(*wnames)[i])
+								break;
 							kfree((*wnames)[i]);
 						}
 						kfree(*wnames);
 						*wnames = NULL;
 					}
 				}
+			}
 			break;
 		case 'R':{
 				uint16_t *nwqid = va_arg(ap, uint16_t *);