[PATCH net 0/4] rxrpc: Fixes ver #2
From: David Howells
Date: Mon Feb 03 2020 - 05:31:00 EST
Here are a number of fixes for AF_RXRPC:
(1) Fix a potential use after free in rxrpc_put_local() where it was
accessing the object just put to get tracing information.
(2) Fix insufficient notifications being generated by the function that
queues data packets on a call. This occasionally causes recvmsg() to
stall indefinitely.
(3) Fix a number of packet-transmitting work functions to hold an active
count on the local endpoint so that the UDP socket doesn't get
destroyed whilst they're calling kernel_sendmsg() on it.
(4) Fix a NULL pointer deref that stemmed from a call's connection pointer
being cleared when the call was disconnected.
Changes:
v2: Removed a couple of BUG() statements that got added.
The patches are tagged here:
git://git.kernel.org/pub/scm/linux/kernel/git/dhowells/linux-fs.git
rxrpc-fixes-20200130
and can also be found on the following branch:
http://git.kernel.org/cgit/linux/kernel/git/dhowells/linux-fs.git/log/?h=rxrpc-fixes
David
---
David Howells (4):
rxrpc: Fix use-after-free in rxrpc_put_local()
rxrpc: Fix insufficient receive notification generation
rxrpc: Fix missing active use pinning of rxrpc_local object
rxrpc: Fix NULL pointer deref due to call->conn being cleared on disconnect
net/rxrpc/af_rxrpc.c | 2 ++
net/rxrpc/ar-internal.h | 11 +++++++++++
net/rxrpc/call_object.c | 4 ++--
net/rxrpc/conn_client.c | 3 +--
net/rxrpc/conn_event.c | 30 ++++++++++++++++++++----------
net/rxrpc/conn_object.c | 4 ++--
net/rxrpc/input.c | 6 ++----
net/rxrpc/local_object.c | 23 +++++++++++------------
net/rxrpc/output.c | 27 +++++++++------------------
net/rxrpc/peer_event.c | 42 +++++++++++++++++++++++-------------------
10 files changed, 83 insertions(+), 69 deletions(-)