From: David Howells <dhowe...@redhat.com> Date: Wed, 29 Jul 2020 00:03:56 +0100
> There's a race between rxrpc_sendmsg setting up a call, but then failing to
> send anything on it due to an error, and recvmsg() seeing the call
> completion occur and trying to return the state to the user.
>
> An assertion fails in rxrpc_recvmsg() because the call has already been
> released from the socket and is about to be released again as recvmsg deals
> with it. (The recvmsg_q queue on the socket holds a ref, so there's no
> problem with use-after-free.)
>
> We also have to be careful not to end up reporting an error twice, in such
> a way that both returns indicate to userspace that the user ID supplied
> with the call is no longer in use - which could cause the client to
> malfunction if it recycles the user ID fast enough.
>
> Fix this by the following means:
> ...
> An oops like the following is produced:
> ...
> Fixes: 357f5ef64628 ("rxrpc: Call rxrpc_release_call() on error in
> rxrpc_new_client_call()")
> Reported-by: syzbot+b54969381df354936...@syzkaller.appspotmail.com
> Signed-off-by: David Howells <dhowe...@redhat.com>
> Reviewed-by: Marc Dionne <marc.dio...@auristor.com>

Applied and queued up for -stable, thanks David.