From: David Howells <dhowe...@redhat.com>
Date: Fri, 08 Mar 2019 12:48:39 +0000

> rxrpc_disconnect_client_call() reads the call's connection ID protocol
> value (call->cid) as part of that function's variable declarations. This
> is bad because it's not inside the locked section and so may race with
> someone granting use of the channel to the call.
>
> This manifests as an assertion failure (see below) where the call in the
> presumed channel (0 because call->cid wasn't set when we read it) doesn't
> match the call attached to the channel we were actually granted (if 1, 2 or
> 3).
>
> Fix this by moving the read and dependent calculations inside of the
> channel_lock section. Also, only set the channel number and pointer
> variables if cid is not zero (ie. unset).
>
> This problem can be induced by injecting an occasional error in
> rxrpc_wait_for_channel() before the call to schedule().
>
> Make two further changes also:
>
> (1) Add a trace for wait failure in rxrpc_connect_call().
>
> (2) Drop channel_lock before BUG'ing in the case of the assertion failure.
>
> The failure causes a trace akin to the following:
>
> ...
>
> Fixes: 45025bceef17 ("rxrpc: Improve management and caching of client
> connection objects")
> Signed-off-by: David Howells <dhowe...@redhat.com>
> Reviewed-by: Marc Dionne <marc.dio...@auristor.com>

Applied, thanks David.