linux

mirror of https://github.com/torvalds/linux synced 2024-10-15 07:47:34 +00:00

History

David Howells 2b5fdc0f5c rxrpc: Fix potential data race in rxrpc_wait_to_be_connected() Inside the loop in rxrpc_wait_to_be_connected() it checks call->error to see if it should exit the loop without first checking the call state. This is probably safe as if call->error is set, the call is dead anyway, but we should probably wait for the call state to have been set to completion first, lest it cause surprise on the way out. Fix this by only accessing call->error if the call is complete. We don't actually need to access the error inside the loop as we'll do that after. This caused the following report: BUG: KCSAN: data-race in rxrpc_send_data / rxrpc_set_call_completion write to 0xffff888159cf3c50 of 4 bytes by task 25673 on cpu 1: rxrpc_set_call_completion+0x71/0x1c0 net/rxrpc/call_state.c:22 rxrpc_send_data_packet+0xba9/0x1650 net/rxrpc/output.c:479 rxrpc_transmit_one+0x1e/0x130 net/rxrpc/output.c:714 rxrpc_decant_prepared_tx net/rxrpc/call_event.c:326 [inline] rxrpc_transmit_some_data+0x496/0x600 net/rxrpc/call_event.c:350 rxrpc_input_call_event+0x564/0x1220 net/rxrpc/call_event.c:464 rxrpc_io_thread+0x307/0x1d80 net/rxrpc/io_thread.c:461 kthread+0x1ac/0x1e0 kernel/kthread.c:376 ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:308 read to 0xffff888159cf3c50 of 4 bytes by task 25672 on cpu 0: rxrpc_send_data+0x29e/0x1950 net/rxrpc/sendmsg.c:296 rxrpc_do_sendmsg+0xb7a/0xc20 net/rxrpc/sendmsg.c:726 rxrpc_sendmsg+0x413/0x520 net/rxrpc/af_rxrpc.c:565 sock_sendmsg_nosec net/socket.c:724 [inline] sock_sendmsg net/socket.c:747 [inline] ____sys_sendmsg+0x375/0x4c0 net/socket.c:2501 ___sys_sendmsg net/socket.c:2555 [inline] __sys_sendmmsg+0x263/0x500 net/socket.c:2641 __do_sys_sendmmsg net/socket.c:2670 [inline] __se_sys_sendmmsg net/socket.c:2667 [inline] __x64_sys_sendmmsg+0x57/0x60 net/socket.c:2667 do_syscall_x64 arch/x86/entry/common.c:50 [inline] do_syscall_64+0x41/0xc0 arch/x86/entry/common.c:80 entry_SYSCALL_64_after_hwframe+0x63/0xcd value changed: 0x00000000 -> 0xffffffea Fixes: `9d35d880e0` ("rxrpc: Move client call connection to the I/O thread") Reported-by: syzbot+ebc945fdb4acd72cba78@syzkaller.appspotmail.com Link: https://lore.kernel.org/r/000000000000e7c6d205fa10a3cd@google.com/ Signed-off-by: David Howells <dhowells@redhat.com> cc: Marc Dionne <marc.dionne@auristor.com> cc: Dmitry Vyukov <dvyukov@google.com> cc: "David S. Miller" <davem@davemloft.net> cc: Eric Dumazet <edumazet@google.com> cc: Jakub Kicinski <kuba@kernel.org> cc: Paolo Abeni <pabeni@redhat.com> cc: linux-afs@lists.infradead.org cc: linux-fsdevel@vger.kernel.org cc: netdev@vger.kernel.org Link: https://lore.kernel.org/r/508133.1682427395@warthog.procyon.org.uk Signed-off-by: Paolo Abeni <pabeni@redhat.com>		2023-04-27 09:17:41 +02:00
..
af_rxrpc.c	rxrpc: Fix potential race in error handling in afs_make_call()	2023-04-22 15:16:39 +01:00
ar-internal.h	Networking changes for 6.3.	2023-02-21 18:24:12 -08:00
call_accept.c	rxrpc: Fix trace string	2023-01-30 14:13:29 +00:00
call_event.c	rxrpc: De-atomic call->ackr_window and call->ackr_nr_unacked	2023-01-31 16:38:26 +00:00
call_object.c	rxrpc: Fix overwaking on call poking	2023-02-07 23:11:21 +00:00
call_state.c	rxrpc: Move client call connection to the I/O thread	2023-01-06 09:43:33 +00:00
conn_client.c	rxrpc: Move client call connection to the I/O thread	2023-01-06 09:43:33 +00:00
conn_event.c	rxrpc: Trace ack.rwind	2023-02-07 23:11:21 +00:00
conn_object.c	rxrpc: Move client call connection to the I/O thread	2023-01-06 09:43:33 +00:00
conn_service.c	rxrpc: Kill service bundle	2023-01-31 16:38:35 +00:00
input.c	rxrpc: Fix overproduction of wakeups to recvmsg()	2023-02-20 08:33:25 +01:00
insecure.c	rxrpc: Tidy up abort generation infrastructure	2023-01-06 09:43:32 +00:00
io_thread.c	rxrpc: Allow a delay to be injected into packet reception	2023-01-31 16:38:09 +00:00
Kconfig	rxrpc: Allow a delay to be injected into packet reception	2023-01-31 16:38:09 +00:00
key.c	rxrpc: Fix error when reading rxrpc tokens	2023-04-23 13:38:28 +01:00
local_event.c	rxrpc: Make the I/O thread take over the call and local processor work	2022-12-01 13:36:42 +00:00
local_object.c	rxrpc: Remove local->defrag_sem	2023-01-31 16:38:35 +00:00
Makefile	rxrpc: Split out the call state changing functions into their own file	2023-01-06 09:43:32 +00:00
misc.c	rxrpc: Allow a delay to be injected into packet reception	2023-01-31 16:38:09 +00:00
net_ns.c	rxrpc: Move the client conn cache management to the I/O thread	2023-01-06 09:43:33 +00:00
output.c	rxrpc: Trace ack.rwind	2023-02-07 23:11:21 +00:00
peer_event.c	rxrpc: Fix locking issues in rxrpc_put_peer_locked()	2022-12-19 09:51:31 +00:00
peer_object.c	rxrpc: Stash the network namespace pointer in rxrpc_local	2023-01-06 09:43:31 +00:00
proc.c	rxrpc: De-atomic call->ackr_window and call->ackr_nr_unacked	2023-01-31 16:38:26 +00:00
protocol.h	rxrpc: Replace fake flex-array with flexible-array member	2023-04-23 13:36:05 +01:00
recvmsg.c	rxrpc: Fix overproduction of wakeups to recvmsg()	2023-02-20 08:33:25 +01:00
rtt.c	rxrpc: Fix _usecs_to_jiffies() by using usecs_to_jiffies()	2021-09-24 14:18:34 +01:00
rxkad.c	rxrpc: Move client call connection to the I/O thread	2023-01-06 09:43:33 +00:00
rxperf.c	rxrpc: Fix potential race in error handling in afs_make_call()	2023-04-22 15:16:39 +01:00
security.c	rxrpc: Fix incoming call setup race	2023-01-07 09:30:26 +00:00
sendmsg.c	rxrpc: Fix potential data race in rxrpc_wait_to_be_connected()	2023-04-27 09:17:41 +02:00
server_key.c	rxrpc: Implement an in-kernel rxperf server for testing purposes	2022-12-01 13:36:37 +00:00
skbuff.c	rxrpc: Use consume_skb() rather than kfree_skb_reason()	2023-02-07 23:11:20 +00:00
sysctl.c	rxrpc: Allow a delay to be injected into packet reception	2023-01-31 16:38:09 +00:00
txbuf.c	rxrpc: Don't lock call->tx_lock to access call->tx_buffer	2023-01-31 16:38:35 +00:00
utils.c	treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 36	2019-05-24 17:27:11 +02:00