Patch "rxrpc: Fix call removal to use RCU safe deletion" has been added to the 5.15-stable tree

gregkh at linuxfoundation.org gregkh at linuxfoundation.org
Thu Apr 23 04:29:16 PDT 2026 

This is a note to let you know that I've just added the patch titled

    rxrpc: Fix call removal to use RCU safe deletion

to the 5.15-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
and it can be found in the queue-5.15 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable at vger.kernel.org> know about it.


>From stable+bounces-237697-greg=kroah.com at vger.kernel.org Tue Apr 14 03:35:37 2026
From: Sasha Levin <sashal at kernel.org>
Date: Mon, 13 Apr 2026 21:35:02 -0400
Subject: rxrpc: Fix call removal to use RCU safe deletion
To: stable at vger.kernel.org
Cc: David Howells <dhowells at redhat.com>, Marc Dionne <marc.dionne at auristor.com>, Jeffrey Altman <jaltman at auristor.com>, Linus Torvalds <torvalds at linux-foundation.org>, Simon Horman <horms at kernel.org>, linux-afs at lists.infradead.org, stable at kernel.org, Jakub Kicinski <kuba at kernel.org>, Sasha Levin <sashal at kernel.org>
Message-ID: <20260414013502.3857050-1-sashal at kernel.org>

From: David Howells <dhowells at redhat.com>

[ Upstream commit 146d4ab94cf129ee06cd467cb5c71368a6b5bad6 ]

Fix rxrpc call removal from the rxnet->calls list to use list_del_rcu()
rather than list_del_init() to prevent stuffing up reading
/proc/net/rxrpc/calls from potentially getting into an infinite loop.

This, however, means that list_empty() no longer works on an entry that's
been deleted from the list, making it harder to detect prior deletion.  Fix
this by:

Firstly, make rxrpc_destroy_all_calls() only dump the first ten calls that
are unexpectedly still on the list.  Limiting the number of steps means
there's no need to call cond_resched() or to remove calls from the list
here, thereby eliminating the need for rxrpc_put_call() to check for that.

rxrpc_put_call() can then be fixed to unconditionally delete the call from
the list as it is the only place that the deletion occurs.

Fixes: 2baec2c3f854 ("rxrpc: Support network namespacing")
Closes: https://sashiko.dev/#/patchset/20260319150150.4189381-1-dhowells%40redhat.com
Signed-off-by: David Howells <dhowells at redhat.com>
cc: Marc Dionne <marc.dionne at auristor.com>
cc: Jeffrey Altman <jaltman at auristor.com>
cc: Linus Torvalds <torvalds at linux-foundation.org>
cc: Simon Horman <horms at kernel.org>
cc: linux-afs at lists.infradead.org
cc: stable at kernel.org
Link: https://patch.msgid.link/20260408121252.2249051-5-dhowells@redhat.com
Signed-off-by: Jakub Kicinski <kuba at kernel.org>
[ adapted to older API ]
Signed-off-by: Sasha Levin <sashal at kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh at linuxfoundation.org>
---
 net/rxrpc/call_object.c |   22 ++++++++--------------
 1 file changed, 8 insertions(+), 14 deletions(-)

--- a/net/rxrpc/call_object.c
+++ b/net/rxrpc/call_object.c
@@ -634,11 +634,9 @@ void rxrpc_put_call(struct rxrpc_call *c
 		_debug("call %d dead", call->debug_id);
 		ASSERTCMP(call->state, ==, RXRPC_CALL_COMPLETE);
 
-		if (!list_empty(&call->link)) {
-			spin_lock_bh(&rxnet->call_lock);
-			list_del_init(&call->link);
-			spin_unlock_bh(&rxnet->call_lock);
-		}
+		spin_lock_bh(&rxnet->call_lock);
+		list_del_rcu(&call->link);
+		spin_unlock_bh(&rxnet->call_lock);
 
 		rxrpc_cleanup_call(call);
 	}
@@ -709,24 +707,20 @@ void rxrpc_destroy_all_calls(struct rxrp
 	_enter("");
 
 	if (!list_empty(&rxnet->calls)) {
-		spin_lock_bh(&rxnet->call_lock);
+		int shown = 0;
 
-		while (!list_empty(&rxnet->calls)) {
-			call = list_entry(rxnet->calls.next,
-					  struct rxrpc_call, link);
-			_debug("Zapping call %p", call);
+		spin_lock_bh(&rxnet->call_lock);
 
+		list_for_each_entry(call, &rxnet->calls, link) {
 			rxrpc_see_call(call);
-			list_del_init(&call->link);
 
 			pr_err("Call %p still in use (%d,%s,%lx,%lx)!\n",
 			       call, refcount_read(&call->ref),
 			       rxrpc_call_states[call->state],
 			       call->flags, call->events);
 
-			spin_unlock_bh(&rxnet->call_lock);
-			cond_resched();
-			spin_lock_bh(&rxnet->call_lock);
+			if (++shown >= 10)
+				break;
 		}
 
 		spin_unlock_bh(&rxnet->call_lock);


Patches currently in stable-queue which might be from sashal at kernel.org are

queue-5.15/e1000-check-return-value-of-e1000_read_eeprom.patch
queue-5.15/netfilter-ip6t_eui64-reject-invalid-mac-header-for-a.patch
queue-5.15/fsl-mc-use-driver_set_override-instead-of-open-codin.patch
queue-5.15/wifi-wl1251-validate-packet-ids-before-indexing-tx_f.patch
queue-5.15/alsa-hda-realtek-add-mute-led-quirk-for-hp-pavilion-.patch
queue-5.15/hid-roccat-fix-use-after-free-in-roccat_report_event.patch
queue-5.15/revert-net-ixp4xx_eth-convert-to-ndo_hwtstamp_get-an.patch
queue-5.15/nf_tables-nft_dynset-fix-possible-stateful-expressio.patch
queue-5.15/asoc-stm32_sai-fix-incorrect-bclk-polarity-for-dsp_a.patch
queue-5.15/i3c-fix-uninitialized-variable-use-in-i2c-setup.patch
queue-5.15/ata-ahci-force-32-bit-dma-for-jmicron-jmb582-jmb585.patch
queue-5.15/arm64-dts-imx8mq-set-the-correct-gpu_ahb-clock-frequ.patch
queue-5.15/net-sched-act_csum-validate-nested-vlan-headers.patch
queue-5.15/net-tap-null-pointer-derefence-in-dev_parse_header_p.patch
queue-5.15/rxrpc-proc-size-address-buffers-for-pispc-output.patch
queue-5.15/revert-net-ethernet-xscale-check-for-ptp-support-pro.patch
queue-5.15/drm-vc4-fix-memory-leak-of-bo-array-in-hang-state.patch
queue-5.15/alsa-usb-audio-update-for-native-dsd-support-quirks.patch
queue-5.15/rxrpc-reject-undecryptable-rxkad-response-tickets.patch
queue-5.15/can-mcp251x-add-error-handling-for-power-enable-in-o.patch
queue-5.15/mips-mm-kmalloc-tlb_vpn-array-to-avoid-stack-overflo.patch
queue-5.15/nfc-s3fwrn5-allocate-rx-skb-before-consuming-bytes.patch
queue-5.15/alsa-usb-audio-fix-quirk-flags-for-neuraldsp-quad-co.patch
queue-5.15/ocfs2-validate-inline-data-i_size-during-inode-read.patch
queue-5.15/drm-vc4-fix-a-memory-leak-in-hang-state-error-path.patch
queue-5.15/btrfs-tracepoints-get-correct-superblock-from-dentry.patch
queue-5.15/checkpatch-add-support-for-assisted-by-tag.patch
queue-5.15/arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
queue-5.15/pci-endpoint-pci-epf-vntb-remove-duplicate-resource-.patch
queue-5.15/soc-aspeed-socinfo-mask-table-entries-for-accurate-s.patch
queue-5.15/smb-client-fix-potential-uaf-in-smb2_is_valid_oplock.patch
queue-5.15/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-up-to-0.85v.patch
queue-5.15/wifi-mac80211-always-free-skb-on-ieee80211_tx_prepar.patch
queue-5.15/mips-mm-allocate-tlb_vpn-array-atomically.patch
queue-5.15/l2tp-drop-large-packets-with-udp-encap.patch
queue-5.15/asoc-sof-topology-reject-invalid-vendor-array-size-i.patch
queue-5.15/mips-mm-rewrite-tlb-uniquification-for-the-hidden-bi.patch
queue-5.15/gpio-tegra-fix-irq_release_resources-calling-enable-.patch
queue-5.15/wifi-brcmfmac-validate-bsscfg-indices-in-if-events.patch
queue-5.15/xfrm_user-fix-info-leak-in-build_mapping.patch
queue-5.15/batman-adv-hold-claim-backbone-gateways-by-reference.patch
queue-5.15/fs-smb-client-fix-out-of-bounds-read-in-cifs_sanitiz.patch
queue-5.15/alsa-asihpi-avoid-write-overflow-check-warning.patch
queue-5.15/perf-x86-intel-uncore-skip-discovery-table-for-offli.patch
queue-5.15/rxrpc-fix-call-removal-to-use-rcu-safe-deletion.patch
queue-5.15/crypto-algif_aead-fix-minimum-rx-size-check-for-decr.patch
queue-5.15/ocfs2-fix-possible-deadlock-between-unlink-and-dio_end_io_write.patch
queue-5.15/asoc-soc-core-call-missing-init_list_head-for-card_a.patch
queue-5.15/net-lapbether-handle-netdev_pre_type_change.patch
queue-5.15/alsa-usb-audio-remove-validate_rates-quirk-for-focus.patch
queue-5.15/mips-mm-suppress-tlb-uniquification-on-ehinv-hardwar.patch
queue-5.15/ocfs2-add-inline-inode-consistency-check-to-ocfs2_validate_inode_block.patch
queue-5.15/ipv6-add-null-checks-for-idev-in-srv6-paths.patch
queue-5.15/rxrpc-fix-key-quota-calculation-for-multitoken-keys.patch
queue-5.15/netfilter-conntrack-add-missing-netlink-policy-valid.patch
queue-5.15/pinctrl-intel-fix-the-revision-for-new-features-1koh.patch
queue-5.15/af_unix-read-unix_diag_vfs-data-under-unix_state_loc.patch
queue-5.15/eventpoll-defer-struct-eventpoll-free-to-rcu-grace-p.patch
queue-5.15/drm-vc4-protect-madv-read-in-vc4_gem_object_mmap-wit.patch
queue-5.15/xfrm-wait-for-rcu-readers-during-policy-netns-exit.patch
queue-5.15/pci-acpi-restrict-program_hpx_type2-to-aer-bits.patch
queue-5.15/netfilter-xt_multiport-validate-range-encoding-in-ch.patch
queue-5.15/gfs2-improve-gfs2_consist_inode-usage.patch
queue-5.15/netfilter-nft_set_pipapo_avx2-don-t-return-non-match.patch
queue-5.15/xfrm-clear-trailing-padding-in-build_polexpire.patch
queue-5.15/mm-blk-cgroup-fix-use-after-free-in-cgwb_release_workfn.patch
queue-5.15/pci-hv-set-default-numa-node-to-0-for-devices-withou.patch
queue-5.15/xsk-tighten-umem-headroom-validation-to-account-for-.patch
queue-5.15/alsa-usb-audio-improve-focusrite-sample-rate-filteri.patch
queue-5.15/revert-arm64-dts-imx8mq-librem5-set-the-dvs-voltages-lower.patch
queue-5.15/gfs2-validate-i_depth-for-exhash-directories.patch
queue-5.15/netfilter-nfnetlink_log-initialize-nfgenmsg-in-nlmsg.patch
queue-5.15/mips-always-record-segbits-in-cpu_data.vmbits.patch
queue-5.15/arm64-dts-imx8mq-librem5-bump-buck1-suspend-voltage-to-0.81v.patch
queue-5.15/fs-ocfs2-fix-comments-mentioning-i_mutex.patch
queue-5.15/epoll-use-refcount-to-reduce-ep_mutex-contention.patch
queue-5.15/ocfs2-fix-out-of-bounds-write-in-ocfs2_write_end_inline.patch
queue-5.15/tracing-probe-reject-non-closed-empty-immediate-stri.patch
queue-5.15/hid-quirks-add-hid_quirk_always_poll-for-8bitdo-pro-.patch
queue-5.15/ipv4-icmp-fix-null-ptr-deref-in-icmp_build_probe.patch

More information about the linux-afs mailing list