db099c625b
afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled: BUG: kernel NULL pointer dereference, address: 0000000000000000 ... CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701 RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157 ... Call Trace: <TASK> rxrpc_send_ACK+0x50/0x13b rxrpc_input_call_event+0x16a/0x67d rxrpc_io_thread+0x1b6/0x45f ? _raw_spin_unlock_irqrestore+0x1f/0x35 ? rxrpc_input_packet+0x519/0x519 kthread+0xe7/0xef ? kthread_complete_and_exit+0x1b/0x1b ret_from_fork+0x22/0x30 Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted. It shouldn't be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal. Fixes: 9d35d880e0e4 ("rxrpc: Move client call connection to the I/O thread") Reported-by: Marc Dionne <marc.dionne@auristor.com> Signed-off-by: David Howells <dhowells@redhat.com> cc: "David S. Miller" <davem@davemloft.net> cc: Eric Dumazet <edumazet@google.com> cc: Jakub Kicinski <kuba@kernel.org> cc: Paolo Abeni <pabeni@redhat.com> cc: linux-afs@lists.infradead.org cc: netdev@vger.kernel.org cc: linux-kernel@vger.kernel.org Signed-off-by: David S. Miller <davem@davemloft.net>
79 lines
2.9 KiB
C
79 lines
2.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
/* RxRPC kernel service interface definitions
|
|
*
|
|
* Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#ifndef _NET_RXRPC_H
|
|
#define _NET_RXRPC_H
|
|
|
|
#include <linux/rxrpc.h>
|
|
#include <linux/ktime.h>
|
|
|
|
struct key;
|
|
struct sock;
|
|
struct socket;
|
|
struct rxrpc_call;
|
|
enum rxrpc_abort_reason;
|
|
|
|
enum rxrpc_interruptibility {
|
|
RXRPC_INTERRUPTIBLE, /* Call is interruptible */
|
|
RXRPC_PREINTERRUPTIBLE, /* Call can be cancelled whilst waiting for a slot */
|
|
RXRPC_UNINTERRUPTIBLE, /* Call should not be interruptible at all */
|
|
};
|
|
|
|
/*
|
|
* Debug ID counter for tracing.
|
|
*/
|
|
extern atomic_t rxrpc_debug_id;
|
|
|
|
typedef void (*rxrpc_notify_rx_t)(struct sock *, struct rxrpc_call *,
|
|
unsigned long);
|
|
typedef void (*rxrpc_notify_end_tx_t)(struct sock *, struct rxrpc_call *,
|
|
unsigned long);
|
|
typedef void (*rxrpc_notify_new_call_t)(struct sock *, struct rxrpc_call *,
|
|
unsigned long);
|
|
typedef void (*rxrpc_discard_new_call_t)(struct rxrpc_call *, unsigned long);
|
|
typedef void (*rxrpc_user_attach_call_t)(struct rxrpc_call *, unsigned long);
|
|
|
|
void rxrpc_kernel_new_call_notification(struct socket *,
|
|
rxrpc_notify_new_call_t,
|
|
rxrpc_discard_new_call_t);
|
|
struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
|
|
struct sockaddr_rxrpc *srx,
|
|
struct key *key,
|
|
unsigned long user_call_ID,
|
|
s64 tx_total_len,
|
|
u32 hard_timeout,
|
|
gfp_t gfp,
|
|
rxrpc_notify_rx_t notify_rx,
|
|
bool upgrade,
|
|
enum rxrpc_interruptibility interruptibility,
|
|
unsigned int debug_id);
|
|
int rxrpc_kernel_send_data(struct socket *, struct rxrpc_call *,
|
|
struct msghdr *, size_t,
|
|
rxrpc_notify_end_tx_t);
|
|
int rxrpc_kernel_recv_data(struct socket *, struct rxrpc_call *,
|
|
struct iov_iter *, size_t *, bool, u32 *, u16 *);
|
|
bool rxrpc_kernel_abort_call(struct socket *, struct rxrpc_call *,
|
|
u32, int, enum rxrpc_abort_reason);
|
|
void rxrpc_kernel_shutdown_call(struct socket *sock, struct rxrpc_call *call);
|
|
void rxrpc_kernel_put_call(struct socket *sock, struct rxrpc_call *call);
|
|
void rxrpc_kernel_get_peer(struct socket *, struct rxrpc_call *,
|
|
struct sockaddr_rxrpc *);
|
|
bool rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *, u32 *);
|
|
int rxrpc_kernel_charge_accept(struct socket *, rxrpc_notify_rx_t,
|
|
rxrpc_user_attach_call_t, unsigned long, gfp_t,
|
|
unsigned int);
|
|
void rxrpc_kernel_set_tx_length(struct socket *, struct rxrpc_call *, s64);
|
|
bool rxrpc_kernel_check_life(const struct socket *, const struct rxrpc_call *);
|
|
u32 rxrpc_kernel_get_epoch(struct socket *, struct rxrpc_call *);
|
|
void rxrpc_kernel_set_max_life(struct socket *, struct rxrpc_call *,
|
|
unsigned long);
|
|
|
|
int rxrpc_sock_set_min_security_level(struct sock *sk, unsigned int val);
|
|
int rxrpc_sock_set_security_keyring(struct sock *, struct key *);
|
|
|
|
#endif /* _NET_RXRPC_H */
|