diff options
author | David Howells <dhowells@redhat.com> | 2020-01-30 22:50:36 +0100 |
---|---|---|
committer | David Howells <dhowells@redhat.com> | 2020-01-30 22:50:41 +0100 |
commit | f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b (patch) | |
tree | c0756fa7c369e29f1f834e934f0068f34b996b80 /net/rxrpc | |
parent | rxrpc: Fix use-after-free in rxrpc_put_local() (diff) | |
download | linux-f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b.tar.xz linux-f71dbf2fb28489a79bde0dca1c8adfb9cdb20a6b.zip |
rxrpc: Fix insufficient receive notification generation
In rxrpc_input_data(), rxrpc_notify_socket() is called if the base sequence
number of the packet is immediately following the hard-ack point at the end
of the function. However, this isn't sufficient, since the recvmsg side
may have been advancing the window and then overrun the position in which
we're adding - at which point rx_hard_ack >= seq0 and no notification is
generated.
Fix this by always generating a notification at the end of the input
function.
Without this, a long call may stall, possibly indefinitely.
Fixes: 248f219cb8bc ("rxrpc: Rewrite the data and ack handling code")
Signed-off-by: David Howells <dhowells@redhat.com>
Diffstat (limited to 'net/rxrpc')
-rw-r--r-- | net/rxrpc/input.c | 6 |
1 files changed, 2 insertions, 4 deletions
diff --git a/net/rxrpc/input.c b/net/rxrpc/input.c index 96d54e5bf7bc..ef10fbf71b15 100644 --- a/net/rxrpc/input.c +++ b/net/rxrpc/input.c @@ -599,10 +599,8 @@ ack: false, true, rxrpc_propose_ack_input_data); - if (seq0 == READ_ONCE(call->rx_hard_ack) + 1) { - trace_rxrpc_notify_socket(call->debug_id, serial); - rxrpc_notify_socket(call); - } + trace_rxrpc_notify_socket(call->debug_id, serial); + rxrpc_notify_socket(call); unlock: spin_unlock(&call->input_lock); |