afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may
get stalled in the background waiting for a connection to become
available); it then calls rxrpc_kernel_set_max_life() to set the timeouts -
but that starts the call timer so the call timer might then expire before
we get a connection assigned - leading to the following oops if the call
stalled:
	BUG: kernel NULL pointer dereference, address: 
0000000000000000
	...
	CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701
	RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157
	...
	Call Trace:
	 <TASK>
	 rxrpc_send_ACK+0x50/0x13b
	 rxrpc_input_call_event+0x16a/0x67d
	 rxrpc_io_thread+0x1b6/0x45f
	 ? _raw_spin_unlock_irqrestore+0x1f/0x35
	 ? rxrpc_input_packet+0x519/0x519
	 kthread+0xe7/0xef
	 ? kthread_complete_and_exit+0x1b/0x1b
	 ret_from_fork+0x22/0x30
Fix this by noting the timeouts in struct rxrpc_call when the call is
created.  The timer will be started when the first packet is transmitted.
It shouldn't be possible to trigger this directly from userspace through
AF_RXRPC as sendmsg() will return EBUSY if the call is in the
waiting-for-conn state if it dropped out of the wait due to a signal.
Fixes: 9d35d880e0e4 ("rxrpc: Move client call connection to the I/O thread")
Reported-by: Marc Dionne <marc.dionne@auristor.com>
Signed-off-by: David Howells <dhowells@redhat.com>
cc: "David S. Miller" <davem@davemloft.net>
cc: Eric Dumazet <edumazet@google.com>
cc: Jakub Kicinski <kuba@kernel.org>
cc: Paolo Abeni <pabeni@redhat.com>
cc: linux-afs@lists.infradead.org
cc: netdev@vger.kernel.org
cc: linux-kernel@vger.kernel.org
Signed-off-by: David S. Miller <davem@davemloft.net>
 #define AFSPATHMAX             1024    /* Maximum length of a pathname plus NUL */
 #define AFSOPAQUEMAX           1024    /* Maximum length of an opaque field */
 
-#define AFS_VL_MAX_LIFESPAN    (120 * HZ)
-#define AFS_PROBE_MAX_LIFESPAN (30 * HZ)
+#define AFS_VL_MAX_LIFESPAN    120
+#define AFS_PROBE_MAX_LIFESPAN 30
 
 typedef u64                    afs_volid_t;
 typedef u64                    afs_vnodeid_t;
 
        spinlock_t              state_lock;
        int                     error;          /* error code */
        u32                     abort_code;     /* Remote abort ID or 0 */
-       unsigned int            max_lifespan;   /* Maximum lifespan to set if not 0 */
+       unsigned int            max_lifespan;   /* Maximum lifespan in secs to set if not 0 */
        unsigned                request_size;   /* size of request data */
        unsigned                reply_max;      /* maximum size of reply */
        unsigned                count2;         /* count used in unmarshalling */
 
        /* create a call */
        rxcall = rxrpc_kernel_begin_call(call->net->socket, srx, call->key,
                                         (unsigned long)call,
-                                        tx_total_len, gfp,
+                                        tx_total_len,
+                                        call->max_lifespan,
+                                        gfp,
                                         (call->async ?
                                          afs_wake_up_async_call :
                                          afs_wake_up_call_waiter),
        }
 
        call->rxcall = rxcall;
-
-       if (call->max_lifespan)
-               rxrpc_kernel_set_max_life(call->net->socket, rxcall,
-                                         call->max_lifespan);
        call->issue_time = ktime_get_real();
 
        /* send the request */
 
 void rxrpc_kernel_new_call_notification(struct socket *,
                                        rxrpc_notify_new_call_t,
                                        rxrpc_discard_new_call_t);
-struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *,
-                                          struct sockaddr_rxrpc *,
-                                          struct key *,
-                                          unsigned long,
-                                          s64,
-                                          gfp_t,
-                                          rxrpc_notify_rx_t,
-                                          bool,
-                                          enum rxrpc_interruptibility,
-                                          unsigned int);
+struct rxrpc_call *rxrpc_kernel_begin_call(struct socket *sock,
+                                          struct sockaddr_rxrpc *srx,
+                                          struct key *key,
+                                          unsigned long user_call_ID,
+                                          s64 tx_total_len,
+                                          u32 hard_timeout,
+                                          gfp_t gfp,
+                                          rxrpc_notify_rx_t notify_rx,
+                                          bool upgrade,
+                                          enum rxrpc_interruptibility interruptibility,
+                                          unsigned int debug_id);
 int rxrpc_kernel_send_data(struct socket *, struct rxrpc_call *,
                           struct msghdr *, size_t,
                           rxrpc_notify_end_tx_t);
 
  * @key: The security context to use (defaults to socket setting)
  * @user_call_ID: The ID to use
  * @tx_total_len: Total length of data to transmit during the call (or -1)
+ * @hard_timeout: The maximum lifespan of the call in sec
  * @gfp: The allocation constraints
  * @notify_rx: Where to send notifications instead of socket queue
  * @upgrade: Request service upgrade for call
                                           struct key *key,
                                           unsigned long user_call_ID,
                                           s64 tx_total_len,
+                                          u32 hard_timeout,
                                           gfp_t gfp,
                                           rxrpc_notify_rx_t notify_rx,
                                           bool upgrade,
        p.tx_total_len          = tx_total_len;
        p.interruptibility      = interruptibility;
        p.kernel                = true;
+       p.timeouts.hard         = hard_timeout;
 
        memset(&cp, 0, sizeof(cp));
        cp.local                = rx->local;
 
        unsigned long           expect_term_by; /* When we expect call termination by */
        u32                     next_rx_timo;   /* Timeout for next Rx packet (jif) */
        u32                     next_req_timo;  /* Timeout for next Rx request packet (jif) */
+       u32                     hard_timo;      /* Maximum lifetime or 0 (jif) */
        struct timer_list       timer;          /* Combined event timer */
        struct work_struct      destroyer;      /* In-process-context destroyer */
        rxrpc_notify_rx_t       notify_rx;      /* kernel service Rx notification function */
 
        if (cp->exclusive)
                __set_bit(RXRPC_CALL_EXCLUSIVE, &call->flags);
 
+       if (p->timeouts.normal)
+               call->next_rx_timo = min(msecs_to_jiffies(p->timeouts.normal), 1UL);
+       if (p->timeouts.idle)
+               call->next_req_timo = min(msecs_to_jiffies(p->timeouts.idle), 1UL);
+       if (p->timeouts.hard)
+               call->hard_timo = p->timeouts.hard * HZ;
+
        ret = rxrpc_init_client_call_security(call);
        if (ret < 0) {
                rxrpc_prefail_call(call, RXRPC_CALL_LOCAL_ERROR, ret);
        call->keepalive_at = j;
        call->expect_rx_by = j;
        call->expect_req_by = j;
-       call->expect_term_by = j;
+       call->expect_term_by = j + call->hard_timo;
        call->timer.expires = now;
 }
 
 
                if (IS_ERR(call))
                        return PTR_ERR(call);
                /* ... and we have the call lock. */
+               p.call.nr_timeouts = 0;
                ret = 0;
                if (rxrpc_call_is_complete(call))
                        goto out_put_unlock;