From: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
Date: Fri, 12 Aug 2016 09:50:51 +0200
> sctp_transport_seq_start() does not currently clear iter->start_fail on
> success, but relies on it being zero when it is allocated (by
> seq_open_net()).
>
> This can be a problem in the following sequence:
>
> open() // allocates iter (and implicitly sets iter->start_fail = 0)
> read()
> - iter->start() // fails and sets iter->start_fail = 1
> - iter->stop() // doesn't call sctp_transport_walk_stop() (correct)
> read() again
> - iter->start() // succeeds, but doesn't change iter->start_fail
> - iter->stop() // doesn't call sctp_transport_walk_stop() (wrong)
>
> We should initialize sctp_ht_iter::start_fail to zero if ->start()
> succeeds, otherwise it's possible that we leave an old value of 1 there,
> which will cause ->stop() to not call sctp_transport_walk_stop(), which
> causes all sorts of problems like not calling rcu_read_unlock() (and
> preempt_enable()), eventually leading to more warnings like this:
...
> Notice that this is a subtly different stacktrace from the one in commit
> 5fc382d875 ("net/sctp: terminate rhashtable walk correctly").
>
> Cc: Xin Long <lucien.xin@xxxxxxxxx>
> Cc: Herbert Xu <herbert@xxxxxxxxxxxxxxxxxxx>
> Cc: Eric W. Biederman <ebiederm@xxxxxxxxxxxx>
> Cc: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
> Signed-off-by: Vegard Nossum <vegard.nossum@xxxxxxxxxx>
Applied and queued up for -stable, thanks.
--
To unsubscribe from this list: send the line "unsubscribe stable" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html