mirror of
https://github.com/torvalds/linux.git
synced 2026-03-14 06:46:15 +01:00
2fd895842d
When a call is released, rxrpc takes the spinlock and removes it from
->recvmsg_q in an effort to prevent racing recvmsg() invocations from
seeing the same call. Now, rxrpc_recvmsg() only takes the spinlock when
actually removing a call from the queue; it doesn't, however, take it in
the lead up to that when it checks to see if the queue is empty. It *does*
hold the socket lock, which prevents a recvmsg/recvmsg race - but this
doesn't prevent sendmsg from ending the call because sendmsg() drops the
socket lock and relies on the call->user_mutex.
Fix this by firstly removing the bit in rxrpc_release_call() that dequeues
the released call and, instead, rely on recvmsg() to simply discard
released calls (done in a preceding fix).
Secondly, rxrpc_notify_socket() is abandoned if the call is already marked
as released rather than trying to be clever by setting both pointers in
call->recvmsg_link to NULL to trick list_empty(). This isn't perfect and
can still race, resulting in a released call on the queue, but recvmsg()
will now clean that up.
Fixes:
|
||
|---|---|---|
| .. | ||
| events | ||
| misc | ||
| stages | ||
| bpf_probe.h | ||
| define_custom_trace.h | ||
| define_trace.h | ||
| perf.h | ||
| syscall.h | ||
| trace_custom_events.h | ||
| trace_events.h | ||