Commit 146d4ab9 authored by David Howells's avatar David Howells Committed by Jakub Kicinski
Browse files

rxrpc: Fix call removal to use RCU safe deletion 

Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu()
rather than list_del_init() to prevent stuffing up reading
/proc/net/rxrpc/calls from potentially getting into an infinite loop.

This, however, means that list_empty() no longer works on an entry that's
been deleted from the list, making it harder to detect prior deletion.  Fix
this by:

Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that
are unexpectedly still on the list.  Limiting the number of steps means
there's no need to call cond_resched() or to remove calls from the list
here, thereby eliminating the need for rxrpc_put_call() to check for that.

rxrpc_put_call() can then be fixed to unconditionally delete the call from
the list as it is the only place that the deletion occurs.

Fixes: 2baec2c3 ("rxrpc: Support network namespacing")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com


Signed-off-by: default avatarDavid Howells <dhowells@redhat.com>
cc: Marc Dionne <marc.dionne@auristor.com>
cc: Jeffrey Altman <jaltman@auristor.com>
cc: Linus Torvalds <torvalds@linux-foundation.org>
cc: Simon Horman <horms@kernel.org>
cc: linux-afs@lists.infradead.org
cc: stable@kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-5-dhowells@redhat.com


Signed-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 6a59d84b

include/trace/events/rxrpc.h

+1 −1
Original line number Diff line number Diff line
@@ -347,7 +347,7 @@ 
	EM(rxrpc_call_see_release,		"SEE release ") \

	EM(rxrpc_call_see_userid_exists,	"SEE u-exists") \

	EM(rxrpc_call_see_waiting_call,		"SEE q-conn  ") \

	E_(rxrpc_call_see_zap,			"SEE zap     ")

	E_(rxrpc_call_see_still_live,		"SEE !still-l")



#define rxrpc_txqueue_traces \

	EM(rxrpc_txqueue_await_reply,		"AWR") \

net/rxrpc/call_object.c

+9 −15
Original line number Diff line number Diff line
@@ -654,11 +654,9 @@ void rxrpc_put_call(struct rxrpc_call *call, enum rxrpc_call_trace why) 
	if (dead) {

		ASSERTCMP(__rxrpc_call_state(call), ==, RXRPC_CALL_COMPLETE);



		if (!list_empty(&call->link)) {

		spin_lock(&rxnet->call_lock);

			list_del_init(&call->link);

		list_del_rcu(&call->link);

		spin_unlock(&rxnet->call_lock);

		}



		rxrpc_cleanup_call(call);

	}
@@ -730,24 +728,20 @@ void rxrpc_destroy_all_calls(struct rxrpc_net *rxnet) 
	_enter("");



	if (!list_empty(&rxnet->calls)) {

		spin_lock(&rxnet->call_lock);

		int shown = 0;



		while (!list_empty(&rxnet->calls)) {

			call = list_entry(rxnet->calls.next,

					  struct rxrpc_call, link);

			_debug("Zapping call %p", call);

		spin_lock(&rxnet->call_lock);



			rxrpc_see_call(call, rxrpc_call_see_zap);

			list_del_init(&call->link);

		list_for_each_entry(call, &rxnet->calls, link) {

			rxrpc_see_call(call, rxrpc_call_see_still_live);



			pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n",

			       call, refcount_read(&call->ref),

			       rxrpc_call_states[__rxrpc_call_state(call)],

			       call->flags, call->events);



			spin_unlock(&rxnet->call_lock);

			cond_resched();

			spin_lock(&rxnet->call_lock);

			if (++shown >= 10)

				break;

		}



		spin_unlock(&rxnet->call_lock);