mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
synced 2024-10-28 07:13:34 +00:00
db099c625b
afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may
get stalled in the background waiting for a connection to become
available); it then calls rxrpc_kernel_set_max_life() to set the timeouts -
but that starts the call timer so the call timer might then expire before
we get a connection assigned - leading to the following oops if the call
stalled:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701
RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157
...
Call Trace:
<TASK>
rxrpc_send_ACK+0x50/0x13b
rxrpc_input_call_event+0x16a/0x67d
rxrpc_io_thread+0x1b6/0x45f
? _raw_spin_unlock_irqrestore+0x1f/0x35
? rxrpc_input_packet+0x519/0x519
kthread+0xe7/0xef
? kthread_complete_and_exit+0x1b/0x1b
ret_from_fork+0x22/0x30
Fix this by noting the timeouts in struct rxrpc_call when the call is
created. The timer will be started when the first packet is transmitted.
It shouldn't be possible to trigger this directly from userspace through
AF_RXRPC as sendmsg() will return EBUSY if the call is in the
waiting-for-conn state if it dropped out of the wait due to a signal.
Fixes:
|
||
|---|---|---|
| .. | ||
| af_rxrpc.c | ||
| ar-internal.h | ||
| call_accept.c | ||
| call_event.c | ||
| call_object.c | ||
| call_state.c | ||
| conn_client.c | ||
| conn_event.c | ||
| conn_object.c | ||
| conn_service.c | ||
| input.c | ||
| insecure.c | ||
| io_thread.c | ||
| Kconfig | ||
| key.c | ||
| local_event.c | ||
| local_object.c | ||
| Makefile | ||
| misc.c | ||
| net_ns.c | ||
| output.c | ||
| peer_event.c | ||
| peer_object.c | ||
| proc.c | ||
| protocol.h | ||
| recvmsg.c | ||
| rtt.c | ||
| rxkad.c | ||
| rxperf.c | ||
| security.c | ||
| sendmsg.c | ||
| server_key.c | ||
| skbuff.c | ||
| sysctl.c | ||
| txbuf.c | ||
| utils.c | ||