• David Howells's avatar
    rxrpc: Fix potential race in error handling in afs_make_call() · e0416e7d
    David Howells authored
    If the rxrpc call set up by afs_make_call() receives an error whilst it is
    transmitting the request, there's the possibility that it may get to the
    point the rxrpc call is ended (after the error_kill_call label) just as the
    call is queued for async processing.
    
    This could manifest itself as call->rxcall being seen as NULL in
    afs_deliver_to_call() when it tries to lock the call.
    
    Fix this by splitting rxrpc_kernel_end_call() into a function to shut down
    an rxrpc call and a function to release the caller's reference and calling
    the latter only when we get to afs_put_call().
    Reported-by: default avatarJeffrey Altman <jaltman@auristor.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    Tested-by: kafs-testing+fedora36_64checkkafs-build-306@auristor.com
    cc: Marc Dionne <marc.dionne@auristor.com>
    cc: "David S. Miller" <davem@davemloft.net>
    cc: Eric Dumazet <edumazet@google.com>
    cc: Jakub Kicinski <kuba@kernel.org>
    cc: Paolo Abeni <pabeni@redhat.com>
    cc: linux-afs@lists.infradead.org
    cc: netdev@vger.kernel.org
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    e0416e7d
rxrpc.c 23.1 KB