Message ID | 159260629601.2218121.13958646181773576175.stgit@warthog.procyon.org.uk
---|---
State | Accepted
Delegated to: | David Miller
Series | [net] rxrpc: Fix notification call on completion of discarded calls
From: David Howells <dhowells@redhat.com>
Date: Fri, 19 Jun 2020 23:38:16 +0100

> When preallocated service calls are being discarded, they're passed to
> ->discard_new_call() to have the caller clean up any attached higher-layer
> preallocated pieces before being marked completed. However, the act of
> marking them completed now invokes the call's notification function - which
> causes a problem because that function might assume that the previously
> freed pieces of memory are still there.
>
> Fix this by setting a dummy notification function on the socket after
> calling ->discard_new_call().
>
> This results in the following kasan message when the kafs module is
> removed. ...
>
> Reported-by: syzbot+d3eccef36ddbd02713e9@syzkaller.appspotmail.com
> Fixes: 5ac0d62226a0 ("rxrpc: Fix missing notification")
> Signed-off-by: David Howells <dhowells@redhat.com>

Applied, thanks David.
diff --git a/net/rxrpc/call_accept.c b/net/rxrpc/call_accept.c index b7611cc159e5..032ed76c0166 100644 --- a/net/rxrpc/call_accept.c +++ b/net/rxrpc/call_accept.c @@ -22,6 +22,11 @@ #include <net/ip.h> #include "ar-internal.h" +static void rxrpc_dummy_notify(struct sock *sk, struct rxrpc_call *call, + unsigned long user_call_ID) +{ +} + /* * Preallocate a single service call, connection and peer and, if possible, * give them a user ID and attach the user's side of the ID to them. @@ -228,6 +233,8 @@ void rxrpc_discard_prealloc(struct rxrpc_sock *rx) if (rx->discard_new_call) { _debug("discard %lx", call->user_call_ID); rx->discard_new_call(call, call->user_call_ID); + if (call->notify_rx) + call->notify_rx = rxrpc_dummy_notify; rxrpc_put_call(call, rxrpc_call_put_kernel); } rxrpc_call_completed(call);
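Review bot: rxrpc_dummy_notify() in the first hunk is added without a comment, so a reader of call_accept.c sees an empty function with three unused parameters and no hint why it exists. Suggest a short block comment above it stating that it is installed on a preallocated call being discarded so that completing the call does not invoke a notifier whose higher-layer state ->discard_new_call() has already released.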
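Review bot: in the second hunk the dummy notifier is stored in call->notify_rx, i.e. on the call, whereas the commit message says it is set "on the socket"; the message should be corrected to match the code so that anyone reading the log later looks in the right place. The guard `if (call->notify_rx)` deliberately leaves a NULL notifier as NULL and only replaces an existing callback; a one-line comment saying so next to the assignment would make that intent explicit.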