linux/net/rxrpc
David Howells b13023421b rxrpc: Fix net namespace cleanup
In rxrpc_destroy_all_calls(), there are two phases: (1) make sure the
->calls list is empty, emitting error messages if not, and (2) wait for the
RCU cleanup to happen on outstanding calls (i.e. ->nr_calls becomes 0).

To avoid taking the call_lock, the function prechecks ->calls and if empty,
it returns to avoid taking the lock - this is wrong, however: it still
needs to go and do the second phase and wait for ->nr_calls to become 0.

Without this, the rxrpc_net struct may get deallocated before we get to the
RCU cleanup for the last calls.  This can lead to:

  Slab corruption (Not tainted): kmalloc-16k start=ffff88802b178000, len=16384
  050: 6b 6b 6b 6b 6b 6b 6b 6b 61 6b 6b 6b 6b 6b 6b 6b  kkkkkkkkakkkkkkk

Note the "61" at offset 0x58.  This corresponds to the ->nr_calls member of
struct rxrpc_net (which is >9k in size, and thus allocated out of the 16k
slab).

Fix this by flipping the condition on the if-statement, putting the locked
section inside the if-body and dropping the return from there.  The
function will then always go on to wait for the RCU cleanup on outstanding
calls.

Fixes: 2baec2c3f8 ("rxrpc: Support network namespacing")
Signed-off-by: David Howells <dhowells@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-04-30 10:50:50 -04:00
af_rxrpc.c rxrpc: Make rxrpc_kernel_check_life() indicate if call completed 2019-04-12 16:57:23 -07:00
ar-internal.h rxrpc: Fix detection of out of order acks 2019-04-12 16:57:23 -07:00
call_accept.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-10-19 11:03:06 -07:00
call_event.c rxrpc: Fix lockup due to no error backoff after ack transmit error 2018-11-02 23:59:26 -07:00
call_object.c rxrpc: Fix net namespace cleanup 2019-04-30 10:50:50 -04:00
conn_client.c rxrpc: Fix client call queueing, waiting for channel 2019-03-08 18:24:53 -08:00
conn_event.c rxrpc: Trace received connection aborts 2019-04-12 16:57:23 -07:00
conn_object.c rxrpc: Drop the local endpoint arg from rxrpc_extract_addr_from_skb() 2018-10-04 09:32:28 +01:00
conn_service.c rxrpc: Fix apparent leak of rxrpc_local objects 2018-03-30 21:05:33 +01:00
input.c rxrpc: fix race condition in rxrpc_input_packet() 2019-04-24 14:05:09 -07:00
insecure.c
Kconfig
key.c
local_event.c rxrpc: Drop the local endpoint arg from rxrpc_extract_addr_from_skb() 2018-10-04 09:32:28 +01:00
local_object.c rxrpc: fix race condition in rxrpc_input_packet() 2019-04-24 14:05:09 -07:00
Makefile
misc.c rxrpc: Fix call timeouts 2017-11-24 10:18:41 +00:00
net_ns.c rxrpc: Add /proc/net/rxrpc/peers to display peer list 2018-10-15 22:52:58 -07:00
output.c rxrpc: avoid clang -Wuninitialized warning 2019-03-23 21:48:30 -04:00
peer_event.c rxrpc: Clear socket error 2019-04-12 16:57:23 -07:00
peer_object.c rxrpc: Fix the packet reception routine 2018-10-08 22:42:04 +01:00
proc.c rxrpc: Add /proc/net/rxrpc/peers to display peer list 2018-10-15 22:52:58 -07:00
protocol.h rxrpc: Improve up-front incoming packet checking 2018-09-28 10:32:31 +01:00
recvmsg.c rxrpc: bad unlock balance in rxrpc_recvmsg 2019-02-06 10:54:07 -08:00
rxkad.c rxrpc: Remove VLA usage of skcipher 2018-09-28 12:46:07 +08:00
security.c rxrpc: remove unused static variables 2018-03-30 21:04:44 +01:00
sendmsg.c rxrpc: Allow errors to be returned from rxrpc_queue_packet() 2019-04-12 16:57:23 -07:00
skbuff.c rxrpc: Use rxrpc_free_skb() rather than rxrpc_lose_skb() 2018-10-04 09:32:27 +01:00
sysctl.c rxrpc: remove redundant static int 'zero' 2018-08-11 11:25:18 -07:00
utils.c rxrpc: Drop the local endpoint arg from rxrpc_extract_addr_from_skb() 2018-10-04 09:32:28 +01:00