diff options
author | David Howells <dhowells@redhat.com> | 2018-03-30 23:05:23 +0300 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2018-03-30 23:05:23 +0300 |
commit | d3be4d244330f7ef53242d8dc1b7f77d105e767f (patch) | |
tree | 794c9aeba90ac11e8d6a3109df89ad966adc73f6 /net/rxrpc/net_ns.c | |
parent | 88f2a8257c9aa7df957b1a79a104f348d60d8027 (diff) | |
download | linux-d3be4d244330f7ef53242d8dc1b7f77d105e767f.tar.xz |
rxrpc: Fix potential call vs socket/net destruction race
rxrpc_call structs don't pin sockets or network namespaces, but may attempt
to access both after their refcount reaches 0 so that they can detach
themselves from the network namespace. However, there's no guarantee that
the socket still exists at this point (so sock_net(&call->socket->sk) may
be invalid) and the namespace may have gone away if the call isn't pinning
a peer.
Fix this by (a) carrying a net pointer in the rxrpc_call struct and (b)
waiting for all calls to be destroyed when the network namespace goes away.
This was detected by checker:
net/rxrpc/call_object.c:634:57: warning: incorrect type in argument 1 (different address spaces)
net/rxrpc/call_object.c:634:57: expected struct sock const *sk
net/rxrpc/call_object.c:634:57: got struct sock [noderef] <asn:4>*<noident>
Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'net/rxrpc/net_ns.c')
-rw-r--r-- | net/rxrpc/net_ns.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/rxrpc/net_ns.c b/net/rxrpc/net_ns.c index 66baf2b80b6c..101019b0be34 100644 --- a/net/rxrpc/net_ns.c +++ b/net/rxrpc/net_ns.c @@ -55,6 +55,7 @@ static __net_init int rxrpc_init_net(struct net *net) INIT_LIST_HEAD(&rxnet->calls); rwlock_init(&rxnet->call_lock); + atomic_set(&rxnet->nr_calls, 1); INIT_LIST_HEAD(&rxnet->conn_proc_list); INIT_LIST_HEAD(&rxnet->service_conns); |