Patch "SUNRPC: Fix call completion races with call_decode()" has been added to the 5.19-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sun, 18 Sep 2022 19:20:45 -0400

This is a note to let you know that I've just added the patch titled

    SUNRPC: Fix call completion races with call_decode()

to the 5.19-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     sunrpc-fix-call-completion-races-with-call_decode.patch
and it can be found in the queue-5.19 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 771541e4cc6fe10a738572a23cc55c4a50827dea
Author: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
Date:   Wed Aug 31 17:28:13 2022 -0400

    SUNRPC: Fix call completion races with call_decode()
    
    [ Upstream commit 17814819ac9829a437e06fbb5c7056a1f4f893da ]
    
    We need to make sure that the req->rq_private_buf is completely up to
    date before we make req->rq_reply_bytes_recvd visible to the
    call_decode() routine in order to avoid triggering the WARN_ON().
    
    Reported-by: Benjamin Coddington <bcodding@xxxxxxxxxx>
    Fixes: 72691a269f0b ("SUNRPC: Don't reuse bvec on retransmission of the request")
    Tested-by: Benjamin Coddington <bcodding@xxxxxxxxxx>
    Signed-off-by: Trond Myklebust <trond.myklebust@xxxxxxxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/sunrpc/xprt.c b/net/sunrpc/xprt.c
index 53b024cea3b3..5ecafffe7ce5 100644
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -1179,11 +1179,8 @@ xprt_request_dequeue_receive_locked(struct rpc_task *task)
 {
 	struct rpc_rqst *req = task->tk_rqstp;
 
-	if (test_and_clear_bit(RPC_TASK_NEED_RECV, &task->tk_runstate)) {
+	if (test_and_clear_bit(RPC_TASK_NEED_RECV, &task->tk_runstate))
 		xprt_request_rb_remove(req->rq_xprt, req);
-		xdr_free_bvec(&req->rq_rcv_buf);
-		req->rq_private_buf.bvec = NULL;
-	}
 }
 
 /**
@@ -1221,6 +1218,8 @@ void xprt_complete_rqst(struct rpc_task *task, int copied)
 
 	xprt->stat.recvs++;
 
+	xdr_free_bvec(&req->rq_rcv_buf);
+	req->rq_private_buf.bvec = NULL;
 	req->rq_private_buf.len = copied;
 	/* Ensure all writes are done before we update */
 	/* req->rq_reply_bytes_recvd */
@@ -1453,6 +1452,7 @@ xprt_request_dequeue_xprt(struct rpc_task *task)
 		xprt_request_dequeue_transmit_locked(task);
 		xprt_request_dequeue_receive_locked(task);
 		spin_unlock(&xprt->queue_lock);
+		xdr_free_bvec(&req->rq_rcv_buf);
 	}
 }
 






