Thread (9 messages), 5 authors, 2018-01-31

Re: [PATCH net v2] ip6mr: fix stale iterator

From: Nikolay Aleksandrov <hidden>
Date: 2018-01-31 14:52:48

On 31/01/18 16:49, Dmitry Vyukov wrote:
On Wed, Jan 31, 2018 at 3:29 PM, Nikolay Aleksandrov
[off-list ref] wrote:
quoted
When we dump the ip6mr mfc entries via proc, we initialize an iterator
with the table to dump but we don't clear the cache pointer which might
be initialized from a prior read on the same descriptor that ended. This
can result in lock imbalance (an unnecessary unlock) leading to other
crashes and hangs. Clear the cache pointer like ipmr does to fix the issue.
Thanks for the reliable reproducer.
[snip]
quoted
Reported-by: syzbot <redacted>
Signed-off-by: Nikolay Aleksandrov <redacted>
---
v2: make sure the trace doesn't ruin the patch
No fixes tag because it seems this has been there forever.
Don't we need to Cc stable 2.6 in this case or something like this? We
want it to be backported.
AFAIK Dave takes care of queueing the patches for stable backports and
maintainers get them from his stable queue.
quoted
 net/ipv6/ip6mr.c | 1 +
 1 file changed, 1 insertion(+)
diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
index a2e1a864eb46..4fc566ec7e79 100644
--- a/net/ipv6/ip6mr.c
+++ b/net/ipv6/ip6mr.c
@@ -495,6 +495,7 @@ static void *ipmr_mfc_seq_start(struct seq_file *seq, loff_t *pos)
                return ERR_PTR(-ENOENT);

        it->mrt = mrt;
+       it->cache = NULL;
        return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1)
                : SEQ_START_TOKEN;
 }
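Review bot: in ipmr_mfc_seq_start() the new "it->cache = NULL;" sits below the early "return ERR_PTR(-ENOENT);", so a start that fails there keeps whatever it->cache held from the previous read on the descriptor. If the stop callback can still run after a failed start, the same unnecessary unlock stays reachable on that path; consider moving the reset above the mrt check, or saying in the commit message why that path is safe. A one-line comment on the assignment noting that the iterator outlives a single read would also help, since the reason for the reset is not obvious from the code alone.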
--
2.1.4
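The lock imbalance described in the commit message, as an added example that is not part of the thread or of the kernel source: a simplified C model in which the lock is a plain counter. The struct layouts, the behaviour of start() at position 0 and the unlock rule in stop() are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* Simplified model of a seq_file-style iterator; not the kernel's code. */
struct table { int lock_depth; };                 /* counter stands in for the real lock */
struct iter  { struct table *mrt; void *cache; }; /* lives as long as the open descriptor */
static int start_token;                           /* stands in for SEQ_START_TOKEN */

/* start(): position 0 returns the header token without taking the lock
 * (assumption); any other position locks and records the list in it->cache. */
static void *seq_start(struct iter *it, struct table *mrt, long pos, int patched)
{
    it->mrt = mrt;
    if (patched)
        it->cache = NULL;                         /* the one-line fix from the patch */
    if (pos == 0)
        return &start_token;
    mrt->lock_depth++;
    it->cache = mrt;
    return mrt;
}

/* stop(): decides whether to unlock purely from it->cache (assumption) and
 * does not clear the pointer afterwards. */
static void seq_stop(struct iter *it)
{
    if (it->cache != NULL)
        it->mrt->lock_depth--;
}

/* Two reads on one descriptor: a partial read from position 1, then a read
 * restarted at position 0. Returns the final lock depth (0 means balanced). */
int lock_depth_after_two_reads(int patched)
{
    struct table mrt = { 0 };
    struct iter it = { NULL, NULL };

    seq_start(&it, &mrt, 1, patched);             /* first read: lock taken */
    seq_stop(&it);                                /* lock released, it.cache left set */
    seq_start(&it, &mrt, 0, patched);             /* second read: no lock taken */
    seq_stop(&it);                                /* stale cache: extra unlock if unpatched */
    return mrt.lock_depth;
}

int main(void)
{
    printf("unpatched: %d, patched: %d\n", lock_depth_after_two_reads(0), lock_depth_after_two_reads(1));
    return 0;
}
```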
