Patch "rxrpc: Fix uninitialised variable in rxrpc_send_data()" has been added to the 6.11-stable tree

Sasha Levin <sashal@xxxxxxxxxx> · Sat, 12 Oct 2024 22:49:27 -0400

This is a note to let you know that I've just added the patch titled

    rxrpc: Fix uninitialised variable in rxrpc_send_data()

to the 6.11-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-fix-uninitialised-variable-in-rxrpc_send_data.patch
and it can be found in the queue-6.11 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit c0ef72a09d18bfa69987460a82e3073fca8d144e
Author: David Howells <dhowells@xxxxxxxxxx>
Date:   Tue Oct 1 14:26:59 2024 +0100

    rxrpc: Fix uninitialised variable in rxrpc_send_data()
    
    [ Upstream commit 7a310f8d7dfe2d92a1f31ddb5357bfdd97eed273 ]
    
    Fix the uninitialised txb variable in rxrpc_send_data() by moving the code
    that loads it above all the jumps to maybe_error, txb being stored back
    into call->tx_pending right before the normal return.
    
    Fixes: b0f571ecd794 ("rxrpc: Fix locking in rxrpc's sendmsg")
    Reported-by: Dan Carpenter <dan.carpenter@xxxxxxxxxx>
    Closes: https://lists.infradead.org/pipermail/linux-afs/2024-October/008896.html
    Signed-off-by: David Howells <dhowells@xxxxxxxxxx>
    cc: Marc Dionne <marc.dionne@xxxxxxxxxxxx>
    cc: linux-afs@xxxxxxxxxxxxxxxxxxx
    Link: https://patch.msgid.link/20241001132702.3122709-3-dhowells@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/rxrpc/sendmsg.c b/net/rxrpc/sendmsg.c
index 894b8fa68e5e9..23d18fe5de9f0 100644
--- a/net/rxrpc/sendmsg.c
+++ b/net/rxrpc/sendmsg.c
@@ -303,6 +303,11 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
 	sk_clear_bit(SOCKWQ_ASYNC_NOSPACE, sk);
 
 reload:
+	txb = call->tx_pending;
+	call->tx_pending = NULL;
+	if (txb)
+		rxrpc_see_txbuf(txb, rxrpc_txbuf_see_send_more);
+
 	ret = -EPIPE;
 	if (sk->sk_shutdown & SEND_SHUTDOWN)
 		goto maybe_error;
@@ -329,11 +334,6 @@ static int rxrpc_send_data(struct rxrpc_sock *rx,
 			goto maybe_error;
 	}
 
-	txb = call->tx_pending;
-	call->tx_pending = NULL;
-	if (txb)
-		rxrpc_see_txbuf(txb, rxrpc_txbuf_see_send_more);
-
 	do {
 		if (!txb) {
 			size_t remain;







