CVE-2023-54195

Source
https://cve.org/CVERecord?id=CVE-2023-54195
Import Source
https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54195.json
JSON Data
https://api.test.osv.dev/v1/vulns/CVE-2023-54195
Published
2025-12-30T12:09:02.123Z
Modified
2025-12-30T20:39:53.517161Z
Summary
rxrpc: Fix timeout of a call that hasn't yet been granted a channel
Details

In the Linux kernel, the following vulnerability has been resolved:

rxrpc: Fix timeout of a call that hasn't yet been granted a channel

afs_make_call() calls rxrpc_kernel_begin_call() to begin a call (which may get stalled in the background waiting for a connection to become available); it then calls rxrpc_kernel_set_max_life() to set the timeouts - but that starts the call timer so the call timer might then expire before we get a connection assigned - leading to the following oops if the call stalled:

BUG: kernel NULL pointer dereference, address: 0000000000000000
...
CPU: 1 PID: 5111 Comm: krxrpcio/0 Not tainted 6.3.0-rc7-build3+ #701
RIP: 0010:rxrpc_alloc_txbuf+0xc0/0x157
...
Call Trace:
 <TASK>
 rxrpc_send_ACK+0x50/0x13b
 rxrpc_input_call_event+0x16a/0x67d
 rxrpc_io_thread+0x1b6/0x45f
 ? _raw_spin_unlock_irqrestore+0x1f/0x35
 ? rxrpc_input_packet+0x519/0x519
 kthread+0xe7/0xef
 ? kthread_complete_and_exit+0x1b/0x1b
 ret_from_fork+0x22/0x30

Fix this by noting the timeouts in struct rxrpc_call when the call is created. The timer will be started when the first packet is transmitted.

It shouldn't be possible to trigger this directly from userspace through AF_RXRPC as sendmsg() will return EBUSY if the call is in the waiting-for-conn state if it dropped out of the wait due to a signal.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2023/54xxx/CVE-2023-54195.json"
}
Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
9d35d880e0e4a3ab32d8c12f9e4d76198aadd42d
Fixed
92128a7170a220b5126d09a1c1954a3a8d46cef3
Fixed
72f4a9f3f447948cf86dffe1c4a4c8a429ab9666
Fixed
db099c625b13a74d462521a46d98a8ce5b53af5d

Affected versions

v6.*
v6.2
v6.2-rc3
v6.2-rc4
v6.2-rc5
v6.2-rc6
v6.2-rc7
v6.2-rc8
v6.2.1
v6.2.10
v6.2.11
v6.2.12
v6.2.13
v6.2.14
v6.2.15
v6.2.2
v6.2.3
v6.2.4
v6.2.5
v6.2.6
v6.2.7
v6.2.8
v6.2.9
v6.3
v6.3-rc1
v6.3-rc2
v6.3-rc3
v6.3-rc4
v6.3-rc5
v6.3-rc6
v6.3-rc7
v6.3.1
v6.3.2

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54195.json"

Linux / Kernel

Package

Name
Kernel

Affected ranges

Type
ECOSYSTEM
Events
Introduced
6.2.0
Fixed
6.2.16
Type
ECOSYSTEM
Events
Introduced
6.3.0
Fixed
6.3.3

Database specific

source
"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2023-54195.json"