github-mirror/linux
1
0
Fork 0
mirror of https://github.com/torvalds/linux.git synced 2026-05-17 11:08:02 +02:00
Code Issues Actions Packages Projects Releases Wiki Activity
94debe03e8
linux/net/rxrpc
History
David Howells 42f229c350 rxrpc: Fix incoming call setup race 
An incoming call can race with rxrpc socket destruction, leading to a
leaked call.  This may result in an oops when the call timer eventually
expires:

   BUG: kernel NULL pointer dereference, address: 0000000000000874
   RIP: 0010:_raw_spin_lock_irqsave+0x2a/0x50
   Call Trace:
    <IRQ>
    try_to_wake_up+0x59/0x550
    ? __local_bh_enable_ip+0x37/0x80
    ? rxrpc_poke_call+0x52/0x110 [rxrpc]
    ? rxrpc_poke_call+0x110/0x110 [rxrpc]
    ? rxrpc_poke_call+0x110/0x110 [rxrpc]
    call_timer_fn+0x24/0x120

with a warning in the kernel log looking something like:

   rxrpc: Call 00000000ba5e571a still in use (1,SvAwtACK,1061d,0)!

incurred during rmmod of rxrpc.  The 1061d is the call flags:

   RECVMSG_READ_ALL, RX_HEARD, BEGAN_RX_TIMER, RX_LAST, EXPOSED,
   IS_SERVICE, RELEASED

but no DISCONNECTED flag (0x800), so it's an incoming (service) call and
it's still connected.

The race appears to be that:

 (1) rxrpc_new_incoming_call() consults the service struct, checks sk_state
     and allocates a call - then pauses, possibly for an interrupt.

 (2) rxrpc_release_sock() sets RXRPC_CLOSE, nulls the service pointer,
     discards the prealloc and releases all calls attached to the socket.

 (3) rxrpc_new_incoming_call() resumes, launching the new call, including
     its timer and attaching it to the socket.

Fix this by read-locking local->services_lock to access the AF_RXRPC socket
providing the service rather than RCU in rxrpc_new_incoming_call().
There's no real need to use RCU here as local->services_lock is only
write-locked by the socket side in two places: when binding and when
shutting down.

Fixes: 5e6ef4f101 ("rxrpc: Make the I/O thread take over the call and local processor work")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: linux-afs@lists.infradead.org
2023-01-07 09:30:26 +00:00
..
af_rxrpc.c rxrpc: Fix incoming call setup race 2023-01-07 09:30:26 +00:00
ar-internal.h rxrpc: Fix incoming call setup race 2023-01-07 09:30:26 +00:00
call_accept.c rxrpc: Fix incoming call setup race 2023-01-07 09:30:26 +00:00
call_event.c rxrpc: Remove call->state_lock 2023-01-06 09:43:33 +00:00
call_object.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
call_state.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
conn_client.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
conn_event.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
conn_object.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
conn_service.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
input.c rxrpc: Remove call->state_lock 2023-01-06 09:43:33 +00:00
insecure.c rxrpc: Tidy up abort generation infrastructure 2023-01-06 09:43:32 +00:00
io_thread.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
Kconfig rxrpc: Implement an in-kernel rxperf server for testing purposes 2022-12-01 13:36:37 +00:00
key.c rxrpc: Drop rxrpc_conn_parameters from rxrpc_connection and rxrpc_bundle 2022-12-01 13:36:38 +00:00
local_event.c rxrpc: Make the I/O thread take over the call and local processor work 2022-12-01 13:36:42 +00:00
local_object.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
Makefile rxrpc: Split out the call state changing functions into their own file 2023-01-06 09:43:32 +00:00
misc.c rxrpc: Get rid of the Rx ring 2022-11-08 16:42:28 +00:00
net_ns.c rxrpc: Move the client conn cache management to the I/O thread 2023-01-06 09:43:33 +00:00
output.c rxrpc: Remove call->state_lock 2023-01-06 09:43:33 +00:00
peer_event.c rxrpc: Fix locking issues in rxrpc_put_peer_locked() 2022-12-19 09:51:31 +00:00
peer_object.c rxrpc: Stash the network namespace pointer in rxrpc_local 2023-01-06 09:43:31 +00:00
proc.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
protocol.h rxrpc: Clone received jumbo subpackets and queue separately 2022-11-08 16:42:28 +00:00
recvmsg.c rxrpc: Move call state changes from recvmsg to I/O thread 2023-01-06 09:43:33 +00:00
rtt.c rxrpc: Fix _usecs_to_jiffies() by using usecs_to_jiffies() 2021-09-24 14:18:34 +01:00
rxkad.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
rxperf.c rxrpc: Tidy up abort generation infrastructure 2023-01-06 09:43:32 +00:00
security.c rxrpc: Fix incoming call setup race 2023-01-07 09:30:26 +00:00
sendmsg.c rxrpc: Move client call connection to the I/O thread 2023-01-06 09:43:33 +00:00
server_key.c rxrpc: Implement an in-kernel rxperf server for testing purposes 2022-12-01 13:36:37 +00:00
skbuff.c rxrpc: trace: Don't use __builtin_return_address for sk_buff tracing 2022-12-01 13:36:39 +00:00
sysctl.c rxrpc: Get rid of the Rx ring 2022-11-08 16:42:28 +00:00
txbuf.c rxrpc: Transmit ACKs at the point of generation 2022-12-01 13:36:43 +00:00
utils.c