This is a note to let you know that I've just added the patch titled 9p: trans_fd/p9_conn_cancel: drop client lock earlier to the 6.0-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: 9p-trans_fd-p9_conn_cancel-drop-client-lock-earlier.patch and it can be found in the queue-6.0 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From 52f1c45dde9136f964d63a77d19826c8a74e2c7f Mon Sep 17 00:00:00 2001 From: Dominique Martinet <asmadeus@xxxxxxxxxxxxx> Date: Wed, 17 Aug 2022 14:58:44 +0900 Subject: 9p: trans_fd/p9_conn_cancel: drop client lock earlier From: Dominique Martinet <asmadeus@xxxxxxxxxxxxx> commit 52f1c45dde9136f964d63a77d19826c8a74e2c7f upstream. syzbot reported a double-lock here and we no longer need this lock after requests have been moved off to local list: just drop the lock earlier. Link: https://lkml.kernel.org/r/20220904064028.1305220-1-asmadeus@xxxxxxxxxxxxx Reported-by: syzbot+50f7e8d06c3768dd97f3@xxxxxxxxxxxxxxxxxxxxxxxxx Signed-off-by: Dominique Martinet <asmadeus@xxxxxxxxxxxxx> Tested-by: Schspa Shi <schspa@xxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/9p/trans_fd.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) --- a/net/9p/trans_fd.c +++ b/net/9p/trans_fd.c @@ -205,6 +205,8 @@ static void p9_conn_cancel(struct p9_con list_move(&req->req_list, &cancel_list); } + spin_unlock(&m->client->lock); + list_for_each_entry_safe(req, rtmp, &cancel_list, req_list) { p9_debug(P9_DEBUG_ERROR, "call back req %p\n", req); list_del(&req->req_list); 
@@ -212,7 +214,6 @@ static void p9_conn_cancel(struct p9_con req->t_err = err; p9_client_cb(m->client, req, REQ_STATUS_ERROR); } - spin_unlock(&m->client->lock); } static __poll_t Patches currently in stable-queue which might be from asmadeus@xxxxxxxxxxxxx are queue-6.0/9p-trans_fd-always-use-o_nonblock-read-write.patch queue-6.0/9p-trans_fd-p9_conn_cancel-drop-client-lock-earlier.patch
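Review bot: in the first hunk of p9_conn_cancel (@@ -205,6 +205,8 @@), the new spin_unlock(&m->client->lock) sits directly before the list_for_each_entry_safe loop with nothing in the code saying why the loop may run unlocked. The only justification is in the commit message (the requests have already been moved to the local cancel_list), so I would add a short comment above the unlock stating that cancel_list is private to this function and that the loop body is meant to run without client->lock held. Otherwise a later cleanup can move the unlock back to the end of the function and reintroduce the double-lock. The commit message also does not say which call in the loop takes the lock a second time, and there is no Fixes: tag among the trailers, which makes it harder to judge which stable trees need the backport.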
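Review bot: in the second hunk (@@ -212,7 +214,6 @@), removing the trailing spin_unlock(&m->client->lock) means the req->t_err = err store and the p9_client_cb(m->client, req, REQ_STATUS_ERROR) call are no longer serialized by the client lock. That is fine only if nothing else can still reach a req once list_move has put it on cancel_list; the visible lines do not show that, so please state in the commit message (or in a comment at the loop) that no other path holds a reference that lets it write t_err or complete the same request concurrently. It is also worth confirming that no return path earlier in the function, above the context shown here, relied on this final unlock.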