)]}' { "commit": "2ad6691d988c0c611362ddc2aad89e0fb50e3261", "tree": "70af0d718096dff609e04878213d985284b3adbf", "parents": [ "9798278260e8f61d04415342544a8f701bc5ace7" ], "author": { "name": "David Howells", "email": "dhowells@redhat.com", "time": "Thu Jun 11 21:57:00 2020 +0100" }, "committer": { "name": "David S. Miller", "email": "davem@davemloft.net", "time": "Thu Jun 11 18:18:22 2020 -0700" }, "message": "rxrpc: Fix race between incoming ACK parser and retransmitter\n\nThere\u0027s a race between the retransmission code and the received ACK parser.\nThe problem is that the retransmission loop has to drop the lock under\nwhich it is iterating through the transmission buffer in order to transmit\na packet, but whilst the lock is dropped, the ACK parser can crank the Tx\nwindow round and discard the packets from the buffer.\n\nThe retransmission code then updated the annotations for the wrong packet\nand a later retransmission thought it had to retransmit a packet that\nwasn\u0027t there, leading to a NULL pointer dereference.\n\nFix this by:\n\n (1) Moving the annotation change to before we drop the lock prior to\n transmission. This means we can\u0027t vary the annotation depending on\n the outcome of the transmission, but that\u0027s fine - we\u0027ll retransmit\n again later if it failed now.\n\n (2) Skipping the packet if the skb pointer is NULL.\n\nThe following oops was seen:\n\n\tBUG: kernel NULL pointer dereference, address: 000000000000002d\n\tWorkqueue: krxrpcd rxrpc_process_call\n\tRIP: 0010:rxrpc_get_skb+0x14/0x8a\n\t...\n\tCall Trace:\n\t rxrpc_resend+0x331/0x41e\n\t ? get_vtime_delta+0x13/0x20\n\t rxrpc_process_call+0x3c0/0x4ac\n\t process_one_work+0x18f/0x27f\n\t worker_thread+0x1a3/0x247\n\t ? create_worker+0x17d/0x17d\n\t kthread+0xe6/0xeb\n\t ? kthread_delayed_work_timer_fn+0x83/0x83\n\t ret_from_fork+0x1f/0x30\n\nFixes: 248f219cb8bc (\"rxrpc: Rewrite the data and ack handling code\")\nSigned-off-by: David Howells \u003cdhowells@redhat.com\u003e\nSigned-off-by: David S. Miller \u003cdavem@davemloft.net\u003e\n", "tree_diff": [ { "type": "modify", "old_id": "61a51c251e1b957b22c87dcc99e8fd26e04191d0", "old_mode": 33188, "old_path": "net/rxrpc/call_event.c", "new_id": "aa1c8eee6557a19c4ee9a06c0716f1882aef2b6d", "new_mode": 33188, "new_path": "net/rxrpc/call_event.c" } ] }