Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

afs: Remote abort can cause BUG in rxrpc code

When writing files to afs I sometimes hit a BUG:

    kernel BUG at fs/afs/rxrpc.c:179!

With a backtrace of:

    afs_free_call
    afs_make_call
    afs_fs_store_data
    afs_vnode_store_data
    afs_write_back_from_locked_page
    afs_writepages_region
    afs_writepages

The cause is:

    ASSERT(skb_queue_empty(&call->rx_queue));

Looking at a tcpdump of the session the abort happens because we
are exceeding our disk quota:

    rx abort fs reply store-data error diskquota exceeded (32)

So the abort error is valid. We hit the BUG because we haven't
freed all the resources for the call.

By freeing any skbs in call->rx_queue before calling afs_free_call
we avoid leaking memory and avoid hitting the BUG.

Signed-off-by: Anton Blanchard <anton@samba.org>
Signed-off-by: David Howells <dhowells@redhat.com>
Cc: <stable@kernel.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>

authored by Anton Blanchard and committed by Linus Torvalds
c0173863 2c724fb9

+3
+3
fs/afs/rxrpc.c
··· 314 314 struct msghdr msg; 315 315 struct kvec iov[1]; 316 316 int ret; 317 + struct sk_buff *skb; 317 318 318 319 _enter("%x,{%d},", addr->s_addr, ntohs(call->port)); 319 320 ··· 381 380 382 381 error_do_abort: 383 382 rxrpc_kernel_abort_call(rxcall, RX_USER_ABORT); 383 + while ((skb = skb_dequeue(&call->rx_queue))) 384 + afs_free_skb(skb); 384 385 rxrpc_kernel_end_call(rxcall); 385 386 call->rxcall = NULL; 386 387 error_kill_call:
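
Review bot: in the error_do_abort hunk, the new drain loop sits between rxrpc_kernel_abort_call() and rxrpc_kernel_end_call(), and nothing in the visible lines shows that no further skb can be queued on call->rx_queue after the loop finishes but before the call is ended. If a late packet can still arrive in that window, the ASSERT(skb_queue_empty(&call->rx_queue)) named in the commit message would fire again from afs_free_call. Consider running `while ((skb = skb_dequeue(&call->rx_queue))) afs_free_skb(skb);` after rxrpc_kernel_end_call(rxcall), or add a one-line comment above the loop stating why the queue cannot be refilled once the abort has been issued. A comment would also help later readers see that this loop exists to satisfy the assertion in afs_free_call, since that link is only recorded in the commit message.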