mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-28 07:13:34 +00:00
db099c625b
afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may
get stalled in the background waiting for a connection to become
available); it then calls rxrpc_kernel_set_max_life() to set the timeouts -
but that starts the call timer so the call timer might then expire before
we get a connection assigned - leading to the following oops if the call
stalled:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701
RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157
...
Call Trace:
<TASK>
rxrpc_send_ACK+0x50/0x13b
rxrpc_input_call_event+0x16a/0x67d
rxrpc_io_thread+0x1b6/0x45f
? _raw_spin_unlock_irqrestore+0x1f/0x35
? rxrpc_input_packet+0x519/0x519
kthread+0xe7/0xef
? kthread_complete_and_exit+0x1b/0x1b
ret_from_fork+0x22/0x30
Fix this by noting the timeouts in struct rxrpc_call when the call is
created. The timer will be started when the first packet is transmitted.
It shouldn't be possible to trigger this directly from userspace through
AF_RXRPC as sendmsg() will return EBUSY if the call is in the
waiting-for-conn state if it dropped out of the wait due to a signal.
Fixes:
|
||
---|---|---|
.. | ||
af_rxrpc.c | ||
ar-internal.h | ||
call_accept.c | ||
call_event.c | ||
call_object.c | ||
call_state.c | ||
conn_client.c | ||
conn_event.c | ||
conn_object.c | ||
conn_service.c | ||
input.c | ||
insecure.c | ||
io_thread.c | ||
Kconfig | ||
key.c | ||
local_event.c | ||
local_object.c | ||
Makefile | ||
misc.c | ||
net_ns.c | ||
output.c | ||
peer_event.c | ||
peer_object.c | ||
proc.c | ||
protocol.h | ||
recvmsg.c | ||
rtt.c | ||
rxkad.c | ||
rxperf.c | ||
security.c | ||
sendmsg.c | ||
server_key.c | ||
skbuff.c | ||
sysctl.c | ||
txbuf.c | ||
utils.c |