    rxrpc: Fix missing active use pinning of rxrpc_local object · 04d36d74
    David Howells authored
    The introduction of a split between the reference count on rxrpc_local
    objects and the usage count didn't quite go far enough.  A number of kernel
    work items need to make use of the socket to perform transmission.  These
    also need to get an active count on the local object to prevent the socket
    from being closed.
    
    Fix this by getting the active count in those places.
    
    Also split out the raw active count get/put functions as these places tend
    to hold refs on the rxrpc_local object already, so getting and putting an
    extra object ref is just a waste of time.
    
    The problem can lead to symptoms like:
    
        BUG: kernel NULL pointer dereference, address: 0000000000000018
        ..
        CPU: 2 PID: 818 Comm: kworker/u9:0 Not tainted 5.5.0-fscache+ #51
        ...
        RIP: 0010:selinux_socket_sendmsg+0x5/0x13
        ...
        Call Trace:
         security_socket_sendmsg+0x2c/0x3e
         sock_sendmsg+0x1a/0x46
         rxrpc_send_keepalive+0x131/0x1ae
         rxrpc_peer_keepalive_worker+0x219/0x34b
         process_one_work+0x18e/0x271
         worker_thread+0x1a3/0x247
         kthread+0xe6/0xeb
         ret_from_fork+0x1f/0x30
    
    Fixes: 730c5fd4 ("rxrpc: Fix local endpoint refcounting")
    Signed-off-by: David Howells <dhowells@redhat.com>
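A constructed userspace model of the race the commit message describes, added here as an illustration; it is not the kernel's rxrpc code. The model keeps a reference count (keeps the struct alive) separate from an active-use count (keeps the socket open), and replays the sequence from the trace: a keepalive work item is queued, the owner drops its active use before the worker runs, and the worker then transmits. The names (`model_local`, `local_use_raw`, `run_keepalive_race`, and so on) are hypothetical; where the kernel would oops on the NULL socket, the model just reports failure.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model of the refcount/active-count split; NOT rxrpc's code. */
struct model_socket { int fd; };

struct model_local {
    int refs;                    /* reference count: keeps the struct alive */
    int active;                  /* active-use count: keeps the socket open */
    struct model_socket *sock;   /* NULL once the last active user has gone */
    int closed;                  /* how many times the socket was closed */
};

static struct model_socket model_sock = { .fd = 7 };   /* constructed */

static void local_init(struct model_local *l)
{
    l->refs = 1;          /* owner's reference */
    l->active = 1;        /* owner's active use: the socket is open */
    l->sock = &model_sock;
    l->closed = 0;
}

/* Raw active-count get/put for callers that already hold a reference
 * (the commit splits these out so such callers skip an extra ref get/put). */
static void local_use_raw(struct model_local *l) { l->active++; }
static void local_unuse_raw(struct model_local *l)
{
    if (--l->active == 0) {      /* last active user: the socket is closed */
        l->sock = NULL;
        l->closed++;
    }
}

static void local_get(struct model_local *l) { l->refs++; }
static void local_put(struct model_local *l) { l->refs--; }

/* Stand-in for the sendmsg path: the kernel dereferences the socket and
 * oopses when it is NULL (the trace above); the model reports failure. */
static bool local_sendmsg(struct model_local *l)
{
    return l->sock != NULL;
}

/* Replay the race. Returns true if the work item's transmission found an
 * open socket; *leaked counts how many refs/active uses were left dangling
 * (zero means every get was balanced by a put). */
static bool run_keepalive_race(bool pin_active_use, int *leaked)
{
    struct model_local l;
    local_init(&l);

    /* Queue the work item: take a ref so the struct stays alive... */
    local_get(&l);
    /* ...and, with the fix, an active count so the socket stays open too. */
    if (pin_active_use)
        local_use_raw(&l);

    /* The owner finishes with the endpoint before the worker gets to run. */
    local_unuse_raw(&l);
    local_put(&l);

    /* The worker runs and transmits. */
    bool sent = local_sendmsg(&l);

    /* The worker releases what it took when it was queued. */
    if (pin_active_use)
        local_unuse_raw(&l);
    local_put(&l);

    if (leaked)
        *leaked = l.refs + l.active;
    return sent;
}

int main(void)
{
    int leaked;
    printf("unpinned worker: %s\n",
           run_keepalive_race(false, &leaked) ? "sent" : "socket already closed");
    printf("pinned worker:   %s (dangling counts: %d)\n",
           run_keepalive_race(true, &leaked) ? "sent" : "socket already closed",
           leaked);
    return 0;
}
```

Without the active-use pin, holding a reference is enough to keep the `model_local` memory valid but not its socket, which is exactly the NULL dereference in the trace; with the pin, the owner's put leaves one active user, so the socket outlives the queued work and is closed by the worker's own unuse.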
conn_event.c 12.4 KB