On 31/01/18 16:49, Dmitry Vyukov wrote:
> On Wed, Jan 31, 2018 at 3:29 PM, Nikolay Aleksandrov
> <niko...@cumulusnetworks.com> wrote:
>> When we dump the ip6mr mfc entries via proc, we initialize an iterator
>> with the table to dump but we don't clear the cache pointer which might
>> be initialized from a prior read on the same descriptor that ended. This
>> can result in lock imbalance (an unnecessary unlock) leading to other
>> crashes and hangs. Clear the cache pointer like ipmr does to fix the issue.
>> Thanks for the reliable reproducer.

[snip]

>> Reported-by: syzbot
>> <bot+eceb3204562c41a438fa1f2335e0fe4f6886d...@syzkaller.appspotmail.com>
>> Signed-off-by: Nikolay Aleksandrov <niko...@cumulusnetworks.com>
>> ---
>> v2: make sure the trace doesn't ruin the patch
>> No fixes tag because it seems this has been there forever.
>
> Don't we need to Cc stable 2.6 in this case or something like this. We
> want it to be backported.
AFAIK Dave takes care of queueing the patches for stable backports and
maintainers get them from his stable queue.

>
>>
>> net/ipv6/ip6mr.c | 1 +
>> 1 file changed, 1 insertion(+)
>>
>> diff --git a/net/ipv6/ip6mr.c b/net/ipv6/ip6mr.c
>> index a2e1a864eb46..4fc566ec7e79 100644
>> --- a/net/ipv6/ip6mr.c
>> +++ b/net/ipv6/ip6mr.c
>> @@ -495,6 +495,7 @@ static void *ipmr_mfc_seq_start(struct seq_file *seq,
>> loff_t *pos)
>> return ERR_PTR(-ENOENT);
>>
>> it->mrt = mrt;
>> + it->cache = NULL;
>> return *pos ? ipmr_mfc_seq_idx(net, seq->private, *pos - 1)
>> : SEQ_START_TOKEN;
>> }
>> --
>> 2.1.4
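Review bot: The reset `it->cache = NULL;` sits after the `return ERR_PTR(-ENOENT);` early exit, so on that path the iterator still carries whatever `cache` value the previous read on the same descriptor left behind; please confirm the stop callback tolerates that, or move the reset above the table lookup so the iterator is cleared on every call to `ipmr_mfc_seq_start`. Since the commit message itself says the bug has been there "forever" and the thread above asks for a backport, the lack of a `Fixes:` tag should be compensated with an explicit `Cc: stable` line so the fix is not lost from the stable queue.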