tipc: call start and done ops directly in __tipc_nl_compat_dumpit()

BugLink: https://bugs.launchpad.net/bugs/1836426
commit 8f5c5fcf353302374b36232d6885c1a3b579e5ca upstream.

__tipc_nl_compat_dumpit() uses a netlink_callback on stack,
so the only way to align it with other ->dumpit() call path
is calling tipc_dump_start() and tipc_dump_done() directly
inside it. Otherwise ->dumpit() would always get NULL from
cb->args[].

But tipc_dump_start() uses sock_net(cb->skb->sk) to retrieve
net pointer, the cb->skb here doesn't set skb->sk, the net pointer
is saved in msg->net instead, so introduce a helper function
__tipc_dump_start() to pass in msg->net.

Ying pointed out cb->args[0...3] are already used by other
callbacks on this call path, so we can't use cb->args[0] any
more, use cb->args[4] instead.

Fixes: 9a07efa9aea2 ("tipc: switch to rhashtable iterator")
Reported-and-tested-by: syzbot+e93a2c41f91b8e2c7d9b@syzkaller.appspotmail.com
Cc: Jon Maloy <jon.maloy@ericsson.com>
Cc: Ying Xue <ying.xue@windriver.com>
Signed-off-by: Cong Wang <xiyou.wangcong@gmail.com>
Acked-by: Ying Xue <ying.xue@windriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Kamal Mostafa <kamal@canonical.com>
Signed-off-by: Kleber Sacilotto de Souza <kleber.souza@canonical.com>

diff --git a/net/tipc/netlink_compat.c b/net/tipc/netlink_compat.c
index e48f0b2c01b962dfa2b3516f9ec2f0c3b461db95..907e9e344a9b2e84d7e2989cebc4b32907625974 100644 (file)
--- a/net/tipc/netlink_compat.c
+++ b/net/tipc/netlink_compat.c
@@ -185,6 +185,7 @@ static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
                return -ENOMEM;
 
        buf->sk = msg->dst_sk;
+       __tipc_dump_start(&cb, msg->net);
 
        do {
                int rem;
@@ -216,6 +217,7 @@ static int __tipc_nl_compat_dumpit(struct tipc_nl_compat_cmd_dump *cmd,
        err = 0;
 
 err_out:
+       tipc_dump_done(&cb);
        kfree_skb(buf);
 
        if (err == -EMSGSIZE) {

diff --git a/net/tipc/socket.c b/net/tipc/socket.c
index f07aa289150b4844f0177454323388b572b61242..be298130fa21ab8390c04f378eefe2368e857693 100644 (file)
--- a/net/tipc/socket.c
+++ b/net/tipc/socket.c
@@ -3192,8 +3192,14 @@ msg_cancel:
 
 int tipc_dump_start(struct netlink_callback *cb)
 {
-       struct rhashtable_iter *iter = (void *)cb->args[0];
-       struct net *net = sock_net(cb->skb->sk);
+       return __tipc_dump_start(cb, sock_net(cb->skb->sk));
+}
+EXPORT_SYMBOL(tipc_dump_start);
+
+int __tipc_dump_start(struct netlink_callback *cb, struct net *net)
+{
+       /* tipc_nl_name_table_dump() uses cb->args[0...3]. */
+       struct rhashtable_iter *iter = (void *)cb->args[4];
        struct tipc_net *tn = tipc_net(net);
 
        if (!iter) {
@@ -3201,17 +3207,16 @@ int tipc_dump_start(struct netlink_callback *cb)
                if (!iter)
                        return -ENOMEM;
 
-               cb->args[0] = (long)iter;
+               cb->args[4] = (long)iter;
        }
 
        rhashtable_walk_enter(&tn->sk_rht, iter);
        return 0;
 }
-EXPORT_SYMBOL(tipc_dump_start);
 
 int tipc_dump_done(struct netlink_callback *cb)
 {
-       struct rhashtable_iter *hti = (void *)cb->args[0];
+       struct rhashtable_iter *hti = (void *)cb->args[4];
 
        rhashtable_walk_exit(hti);
        kfree(hti);

diff --git a/net/tipc/socket.h b/net/tipc/socket.h
index f01ee3def2d2bb9c02c2da4635128306177a8c0e..2adf87fb9b4219455cd9e16d02e99ecd286a6c86 100644 (file)
--- a/net/tipc/socket.h
+++ b/net/tipc/socket.h
@@ -61,5 +61,6 @@ int tipc_nl_sk_dump(struct sk_buff *skb, struct netlink_callback *cb);
 int tipc_nl_publ_dump(struct sk_buff *skb, struct netlink_callback *cb);
 
 int tipc_dump_start(struct netlink_callback *cb);
+int __tipc_dump_start(struct netlink_callback *cb, struct net *net);
 int tipc_dump_done(struct netlink_callback *cb);
 #endif