• David Howells's avatar
    rxrpc: Fix timeout of a call that hasn't yet been granted a channel · db099c62
    David Howells authored
    afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may
    get stalled in the background waiting for a connection to become
    available); it then calls rxrpc_kernel_set_max_life() to set the timeouts -
    but that starts the call timer so the call timer might then expire before
    we get a connection assigned - leading to the following oops if the call
    stalled:
    
    	BUG: kernel NULL pointer dereference, address: 0000000000000000
    	...
    	CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701
    	RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157
    	...
    	Call Trace:
    	 <TASK>
    	 rxrpc_send_ACK+0x50/0x13b
    	 rxrpc_input_call_event+0x16a/0x67d
    	 rxrpc_io_thread+0x1b6/0x45f
    	 ? _raw_spin_unlock_irqrestore+0x1f/0x35
    	 ? rxrpc_input_packet+0x519/0x519
    	 kthread+0xe7/0xef
    	 ? kthread_complete_and_exit+0x1b/0x1b
    	 ret_from_fork+0x22/0x30
    
    Fix this by noting the timeouts in struct rxrpc_call when the call is
    created.  The timer will be started when the first packet is transmitted.
    
    It shouldn't be possible to trigger this directly from userspace through
    AF_RXRPC as sendmsg() will return EBUSY if the call is in the
    waiting-for-conn state if it dropped out of the wait due to a signal.
    
    Fixes: 9d35d880 ("rxrpc: Move client call connection to the I/O thread")
    Reported-by: default avatarMarc Dionne <marc.dionne@auristor.com>
    Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
    cc: "David S. Miller" <davem@davemloft.net>
    cc: Eric Dumazet <edumazet@google.com>
    cc: Jakub Kicinski <kuba@kernel.org>
    cc: Paolo Abeni <pabeni@redhat.com>
    cc: linux-afs@lists.infradead.org
    cc: netdev@vger.kernel.org
    cc: linux-kernel@vger.kernel.org
    Signed-off-by: default avatarDavid S. Miller <davem@davemloft.net>
    db099c62
af_rxrpc.c 25.5 KB