linux/net/rxrpc
David Howells 88e2215975 rxrpc: Fix listen() setting the bar too high for the prealloc rings
AF_RXRPC's listen() handler lets you set the backlog up to 32 (if you bump
up the sysctl), but whilst the preallocation circular buffers have 32 slots
in them, one of them has to be a dead slot because we're using CIRC_CNT().

This means that listen(rxrpc_sock, 32) will cause an oops when the socket
is closed because rxrpc_service_prealloc_one() allocated one too many calls
and rxrpc_discard_prealloc() won't then be able to get rid of them because
it'll think the ring is empty.  rxrpc_release_calls_on_socket() then tries
to abort them, but oopses because call->peer isn't yet set.

Fix this by setting the maximum backlog to RXRPC_BACKLOG_MAX - 1 to match
the ring capacity.

 BUG: kernel NULL pointer dereference, address: 0000000000000086
 ...
 RIP: 0010:rxrpc_send_abort_packet+0x73/0x240 [rxrpc]
 Call Trace:
  <TASK>
  ? __wake_up_common_lock+0x7a/0x90
  ? rxrpc_notify_socket+0x8e/0x140 [rxrpc]
  ? rxrpc_abort_call+0x4c/0x60 [rxrpc]
  rxrpc_release_calls_on_socket+0x107/0x1a0 [rxrpc]
  rxrpc_release+0xc9/0x1c0 [rxrpc]
  __sock_release+0x37/0xa0
  sock_close+0x11/0x20
  __fput+0x89/0x240
  task_work_run+0x59/0x90
  do_exit+0x319/0xaa0

Fixes: 00e907127e ("rxrpc: Preallocate peers, conns and calls for incoming service requests")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-afs@lists.infradead.org
Link: https://lists.infradead.org/pipermail/linux-afs/2022-March/005079.html
Signed-off-by: David S. Miller <davem@davemloft.net>
2022-05-22 21:30:53 +01:00
..
af_rxrpc.c rxrpc: Fix fall-through warnings for Clang 2021-06-04 17:40:04 -05:00
ar-internal.h rxrpc: Fix call timer start racing with call destruction 2022-03-31 12:25:25 +02:00
call_accept.c rxrpc: Fix memory leak in rxrpc_lookup_local 2021-01-28 13:12:14 -08:00
call_event.c rxrpc: Fix call timer start racing with call destruction 2022-03-31 12:25:25 +02:00
call_object.c rxrpc: Fix call timer start racing with call destruction 2022-03-31 12:25:25 +02:00
conn_client.c rxrpc: Fix rxrpc_peer leak in rxrpc_look_up_bundle() 2021-11-29 15:39:40 +00:00
conn_event.c rxrpc: Merge prime_packet_security into init_connection_security 2020-11-23 18:09:30 +00:00
conn_object.c rxrpc: Ask the security class how much space to allow in a packet 2020-11-23 19:53:11 +00:00
conn_service.c rxrpc: Don't retain the server key in the connection 2020-11-23 18:09:29 +00:00
input.c rxrpc: Call state should be read with READ_ONCE() under some circumstances 2021-01-13 10:38:20 -08:00
insecure.c rxrpc: Ask the security class how much space to allow in a packet 2020-11-23 19:53:11 +00:00
Kconfig net: RxRPC: make dependent Kconfig symbols be shown indented 2021-08-18 10:12:11 +01:00
key.c rxrpc: Fix handling of an unsupported token type in rxrpc_read() 2021-01-13 10:38:00 -08:00
local_event.c rxrpc: Fix a typo 2021-06-02 14:01:55 -07:00
local_object.c rxrpc: Enable IPv6 checksums on transport socket 2022-04-30 13:59:34 +01:00
Makefile rxrpc: Split the server key type (rxrpc_s) into its own file 2020-11-23 18:09:29 +00:00
misc.c rxrpc: Fix the excessive initial retransmission timeout 2020-05-11 16:42:28 +01:00
net_ns.c rxrpc: Restore removed timer deletion 2022-04-15 10:54:49 +01:00
output.c rxrpc: Adjust retransmission backoff 2022-01-22 02:03:24 +00:00
peer_event.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
peer_object.c rxrpc: Fix rxrpc_local leak in rxrpc_lookup_peer() 2021-11-29 15:40:02 +00:00
proc.c rxrpc: Rewrite the client connection manager 2020-09-08 21:11:43 +01:00
protocol.h rxrpc: Improve jumbo packet counting 2019-08-27 09:48:37 +01:00
recvmsg.c afs: Don't truncate iter during data fetch 2021-04-23 10:17:26 +01:00
rtt.c rxrpc: Fix _usecs_to_jiffies() by using usecs_to_jiffies() 2021-09-24 14:18:34 +01:00
rxkad.c rxrpc: rxkad: Remove redundant variable offset 2021-04-27 14:05:06 -07:00
security.c rxrpc: Hand server key parsing off to the security class 2020-11-23 18:09:29 +00:00
sendmsg.c rxrpc: Ask the security class how much space to allow in a packet 2020-11-23 19:53:11 +00:00
server_key.c rxrpc: fix some null-ptr-deref bugs in server_key.c 2022-03-31 15:21:31 +02:00
skbuff.c rxrpc: Use skb_unshare() rather than skb_cow_data() 2019-08-27 10:13:46 +01:00
sysctl.c rxrpc: Fix listen() setting the bar too high for the prealloc rings 2022-05-22 21:30:53 +01:00
utils.c treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36 2019-05-24 17:27:11 +02:00