On Wed, Jan 20, 2016 at 02:35:59PM +0000, Wan, Kaike wrote:
> From the code (netlink_dump() in net/netlink/af_netlink.c), it shows that a
> skb is allocated without initializing the skb->cb[] field, which will cause
> an oops if netlink_capable() is called with the duplicate skb. This will happen
> if the netlink_dump_start() path is followed (in ibnl_rcv_msg() in
> drivers/infiniband/core/netlink.c). However, for the IB netlink local
> service, we handle only the request RDMA_NL_LS_OP_SET_TIMEOUT and the response to
> RDMA_NL_LS_OP_RESOLVE, which directly call the registered dump function
> (ib_nl_handle_resolve_resp() and ib_nl_handle_resolve_resp()). See the
> following snippet:
You'll find a reproducer in the original email:

http://lkml.iu.edu/hypermail/linux/kernel/1601.1/06505.html

Cheers,
-- 
Email: Herbert Xu <herb...@gondor.apana.org.au>
Home Page: http://gondor.apana.org.au/~herbert/
PGP Key: http://gondor.apana.org.au/~herbert/pubkey.txt
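The hazard the quoted message describes, as an added userspace C model that is not code from this thread or from the kernel: netlink stores the sender's credentials in the per-skb control buffer (NETLINK_CB(skb).sk), so a capability check is only meaningful on the skb that was actually received, not on the fresh skb that netlink_dump() allocates and never fills in. The struct and function names below (sk_buff with a 48-byte cb[], netlink_skb_parms, NETLINK_CB(), netlink_callback with its skb member, model_netlink_capable()) are minimal stand-ins chosen to mirror the kernel's shape; the 0xA5 poison and the admin flag on the socket are constructed for the example, and the "safe" handler's choice of checking cb->skb is one generic defence, not the fix the thread settled on.

```c
/*
 * Added example, not code from the thread or the kernel: a userspace model
 * of why a capability check on the skb that netlink_dump() allocates is
 * unsafe. Names mirror the kernel's (sk_buff, netlink_skb_parms, NETLINK_CB,
 * netlink_callback) but the definitions here are minimal stand-ins, and the
 * 0xA5 poison stands in for whatever stale memory the allocation returns.
 */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct sock {
    bool net_admin;                 /* stand-in for a CAP_NET_ADMIN check */
};

struct sk_buff {
    char cb[48];                    /* control buffer; allocation does not zero it */
};

struct netlink_skb_parms {
    struct sock *sk;                /* sender socket, filled in on receive */
    unsigned int portid;
};
#define NETLINK_CB(skb) (*(struct netlink_skb_parms *)&((skb)->cb))

/* Model of netlink_callback: the kernel keeps the original request skb here. */
struct netlink_callback {
    struct sk_buff *skb;
};

/* Model of netlink_capable(): trusts whatever NETLINK_CB(skb).sk points at. */
static bool model_netlink_capable(const struct sk_buff *skb)
{
    const struct sock *sk = NETLINK_CB(skb).sk;
    return sk->net_admin;           /* dereferences garbage if cb[] was never set */
}

/* Model of the receive path: the request skb gets its sender credentials. */
static struct sk_buff *model_recv_skb(struct sock *sender)
{
    struct sk_buff *skb = calloc(1, sizeof *skb);
    if (!skb)
        return NULL;
    NETLINK_CB(skb).sk = sender;
    NETLINK_CB(skb).portid = 1234;  /* constructed value */
    return skb;
}

/* Model of the skb netlink_dump() allocates: nobody initializes cb[]. */
static struct sk_buff *model_dump_alloc(void)
{
    struct sk_buff *skb = malloc(sizeof *skb);
    if (!skb)
        return NULL;
    memset(skb->cb, 0xA5, sizeof skb->cb);   /* poison standing in for stale heap */
    return skb;
}

/* True when the dump skb's cb[] does not carry the request's sender pointer. */
static bool dump_cb_is_stale(const struct sk_buff *dump, const struct sk_buff *req)
{
    return NETLINK_CB(dump).sk != NETLINK_CB(req).sk;
}

/* Unsafe handler: checks the freshly allocated dump skb. Calling this on
 * model_dump_alloc() output dereferences the poison pointer, i.e. the oops. */
static int dump_handler_unsafe(struct sk_buff *dump, struct netlink_callback *cb)
{
    (void)cb;
    return model_netlink_capable(dump) ? 0 : -EPERM;
}

/* Safe handler: checks the request skb the callback still points at, after
 * verifying that a sender socket was actually recorded in its cb[]. */
static int dump_handler_safe(struct sk_buff *dump, struct netlink_callback *cb)
{
    (void)dump;
    if (!cb || !cb->skb || !NETLINK_CB(cb->skb).sk)
        return -EINVAL;
    return model_netlink_capable(cb->skb) ? 0 : -EPERM;
}

/* Runs the safe path end to end for a sender with or without the privilege. */
static int run_safe_dump(bool sender_is_admin)
{
    struct sock sender = { .net_admin = sender_is_admin };
    struct sk_buff *req = model_recv_skb(&sender);
    struct sk_buff *dump = model_dump_alloc();
    struct netlink_callback cb = { .skb = req };
    int rc = (req && dump) ? dump_handler_safe(dump, &cb) : -ENOMEM;
    free(req);
    free(dump);
    return rc;
}

int main(void)
{
    struct sock sender = { .net_admin = true };
    struct sk_buff *req = model_recv_skb(&sender);
    struct sk_buff *dump = model_dump_alloc();
    int (*crash_path)(struct sk_buff *, struct netlink_callback *) = dump_handler_unsafe;

    printf("dump skb cb[] stale: %d\n", dump_cb_is_stale(dump, req));
    printf("admin sender: rc=%d\n", run_safe_dump(true));
    printf("plain sender: rc=%d\n", run_safe_dump(false));
    /* crash_path(dump, NULL) would dereference 0xA5A5... and fault here. */
    (void)crash_path;
    free(req);
    free(dump);
    return 0;
}
```

The point the model makes is that the dump skb is a different object from the request skb; the credentials live in the request's cb[], and the callback structure is where the dump path can still reach them.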