db099c625b
afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may
get stalled in the background waiting for a connection to become
available); it then calls rxrpc_kernel_set_max_life() to set the timeouts -
but that starts the call timer so the call timer might then expire before
we get a connection assigned - leading to the following oops if the call
stalled:
BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701
RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157
...
Call Trace:
<TASK>
rxrpc_send_ACK+0x50/0x13b
rxrpc_input_call_event+0x16a/0x67d
rxrpc_io_thread+0x1b6/0x45f
? _raw_spin_unlock_irqrestore+0x1f/0x35
? rxrpc_input_packet+0x519/0x519
kthread+0xe7/0xef
? kthread_complete_and_exit+0x1b/0x1b
ret_from_fork+0x22/0x30
Fix this by noting the timeouts in struct rxrpc_call when the call is
created. The timer will be started when the first packet is transmitted.
It shouldn't be possible to trigger this directly from userspace through
AF_RXRPC as sendmsg() will return EBUSY if the call is in the
waiting-for-conn state if it dropped out of the wait due to a signal.
Fixes: 9d35d880e0
("rxrpc: Move client call connection to the I/O thread")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: linux-kernel@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
79 lines
2.9 KiB
C
79 lines
2.9 KiB
C
/* SPDX-License-Identifier: GPL-2.0-or-later */
|
|
/* RxRPC kernel service interface definitions
|
|
*
|
|
* Copyright (C) 2007 Red Hat, Inc. All Rights Reserved.
|
|
* Written by David Howells (dhowells@redhat.com)
|
|
*/
|
|
|
|
#ifndef _NET_RXRPC_H
|
|
#define _NET_RXRPC_H
|
|
|
|
#include <linux/rxrpc.h>
|
|
#include <linux/ktime.h>
|
|
|
|
struct key;
|
|
struct sock;
|
|
struct socket;
|
|
struct rxrpc_call;
|
|
enum rxrpc_abort_reason;
|
|
|
|
enum rxrpc_interruptibility {
|
|
RXRPC_INTERRUPTIBLE, /* Call is interruptible */
|
|
RXRPC_PREINTERRUPTIBLE, /* Call can be cancelled whilst waiting for a slot */
|
|
RXRPC_UNINTERRUPTIBLE, /* Call should not be interruptible at all */
|
|
};
|
|
|
|
/*
|
|
* Debug ID counter for tracing.
|
|
*/
|
|
extern atomic_t rxrpc_debug_id;
|
|
|
|
typedef void (*rxrpc_notify_rx_t)(struct sock *, struct rxrpc_call *,
|
|
unsigned long);
|
|
typedef void (*rxrpc_notify_end_tx_t)(struct sock *, struct rxrpc_call *,
|
|
unsigned long);
|
|
typedef void (*rxrpc_notify_new_call_t)(struct sock *, struct rxrpc_call *,
|
|
unsigned long);
|
|
typedef void (*rxrpc_discard_new_call_t)(struct rxrpc_call *, unsigned long);
|
|
typedef void (*rxrpc_user_attach_call_t)(struct rxrpc_call *, unsigned long);
|
|
|
|
void rxrpc_kernel_new_call_notification(struct socket *,
|
|
rxrpc_notify_new_call_t,
|
|
rxrpc_discard_new_call_t);
|
|
struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
|
|
struct sockaddr_rxrpc *srx,
|
|
struct key *key,
|
|
unsigned long user_call_ID,
|
|
s64 tx_total_len,
|
|
u32 hard_timeout,
|
|
gfp_t gfp,
|
|
rxrpc_notify_rx_t notify_rx,
|
|
bool upgrade,
|
|
enum rxrpc_interruptibility interruptibility,
|
|
unsigned int debug_id);
|
|
int rxrpc_kernel_send_data(struct socket *, struct rxrpc_call *,
|
|
struct msghdr *, size_t,
|
|
rxrpc_notify_end_tx_t);
|
|
int rxrpc_kernel_recv_data(struct socket *, struct rxrpc_call *,
|
|
struct iov_iter *, size_t *, bool, u32 *, u16 *);
|
|
bool rxrpc_kernel_abort_call(struct socket *, struct rxrpc_call *,
|
|
u32, int, enum rxrpc_abort_reason);
|
|
void rxrpc_kernel_shutdown_call(struct socket *sock, struct rxrpc_call *call);
|
|
void rxrpc_kernel_put_call(struct socket *sock, struct rxrpc_call *call);
|
|
void rxrpc_kernel_get_peer(struct socket *, struct rxrpc_call *,
|
|
struct sockaddr_rxrpc *);
|
|
bool rxrpc_kernel_get_srtt(struct socket *, struct rxrpc_call *, u32 *);
|
|
int rxrpc_kernel_charge_accept(struct socket *, rxrpc_notify_rx_t,
|
|
rxrpc_user_attach_call_t, unsigned long, gfp_t,
|
|
unsigned int);
|
|
void rxrpc_kernel_set_tx_length(struct socket *, struct rxrpc_call *, s64);
|
|
bool rxrpc_kernel_check_life(const struct socket *, const struct rxrpc_call *);
|
|
u32 rxrpc_kernel_get_epoch(struct socket *, struct rxrpc_call *);
|
|
void rxrpc_kernel_set_max_life(struct socket *, struct rxrpc_call *,
|
|
unsigned long);
|
|
|
|
int rxrpc_sock_set_min_security_level(struct sock *sk, unsigned int val);
|
|
int rxrpc_sock_set_security_keyring(struct sock *, struct key *);
|
|
|
|
#endif /* _NET_RXRPC_H */
|