On Mon, Sep 3, 2018 at 12:49 PM Cong Wang <xiyou.wangc...@gmail.com> wrote: > > __tipc_nl_compat_dumpit() uses a netlink_callback on stack, > so the only way to align it with other ->dumpit() call path > is calling tipc_dump_start() and tipc_dump_done() directly > inside it. Otherwise ->dumpit() would always get NULL from > cb->args[0]. > > Fixes: 9a07efa9aea2 ("tipc: switch to rhashtable iterator") > Reported-by: syzbot+e93a2c41f91b8e2c7...@syzkaller.appspotmail.com > Cc: Jon Maloy <jon.ma...@ericsson.com> > Cc: Ying Xue <ying....@windriver.com> > Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com> > --- > net/tipc/netlink_compat.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c > index a2f76743c73a..aa05934613f2 100644 > --- a/net/tipc/netlink_compat.c > +++ b/net/tipc/netlink_compat.c > @@ -185,6 +185,7 @@ static int __tipc_nl_compat_dumpit(struct > tipc_nl_compat_cmd_dump *cmd, > return -ENOMEM; > > buf->sk = msg->dst_sk; > + tipc_dump_start(&cb);
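Review bot: the added tipc_dump_start(&cb) call runs with a netlink_callback that lives on this function's stack, and nothing in the visible hunk initialises cb.skb before the call; the only socket wired up at this point is buf->sk = msg->dst_sk, so anything tipc_dump_start() derives from cb->skb (the net namespace via sock_net(cb->skb->sk), for instance) would read an unset field. Either initialise the callback's skb from the message before the call or hand tipc_dump_start() the socket explicitly, e.g. from msg->dst_sk. Separately, the commit message says both tipc_dump_start() and tipc_dump_done() have to be called directly inside __tipc_nl_compat_dumpit() and the diffstat reports two insertions, but only the tipc_dump_start() line appears in this hunk, so please confirm that tipc_dump_done() is reached on every exit path of the function, including the error returns, so that whatever tipc_dump_start() stores in cb->args[0] is always released.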
Well, tipc_dump_start() uses sock_net(cb->skb->sk) which seems not set here... I need to pass msg->dst_sk in. I will send v2.