[net-next] sctp: reset ret in again path in sctp_for_each_transport

Message ID 07dcfcd8098979f6693426fd562867ffa67dd65b.1516702945.git.lucien.xin@gmail.com
State Accepted, archived
Delegated to: David Miller

Commit Message

Xin Long Jan. 23, 2018, 10:22 a.m. UTC
Commit 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to
return void") only initialized ret for the first time, when going
to again path, the next tsp could be NULL. Without resetting ret,
cb_done would be called with tsp as NULL.

A kernel crash was caused by this when running sctpdiag testcase
in sctp-tests.

Note that this issue doesn't affect net.git yet.

Fixes: 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to return void")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
 net/sctp/socket.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Marcelo Ricardo Leitner Jan. 23, 2018, 11:19 a.m. UTC | #1
On Tue, Jan 23, 2018 at 06:22:25PM +0800, Xin Long wrote:
> Commit 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to
> return void") only initialized ret for the first time, when going
> to again path, the next tsp could be NULL. Without resetting ret,
> cb_done would be called with tsp as NULL.
> 
> A kernel crash was caused by this when running sctpdiag testcase
> in sctp-tests.
> 
> Note that this issue doesn't affect net.git yet.
> 
> Fixes: 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to return void")
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

> ---
>  net/sctp/socket.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index 7ff444e..a40fa53 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -4860,9 +4860,10 @@ int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *),
>  			    struct net *net, int *pos, void *p) {
>  	struct rhashtable_iter hti;
>  	struct sctp_transport *tsp;
> -	int ret = 0;
> +	int ret;
>  
>  again:
> +	ret = 0;
>  	sctp_transport_walk_start(&hti);
>  
>  	tsp = sctp_transport_get_idx(net, &hti, *pos + 1);
> -- 
> 2.1.0
> 
Neil Horman Jan. 23, 2018, 12:09 p.m. UTC | #2
On Tue, Jan 23, 2018 at 06:22:25PM +0800, Xin Long wrote:
> Commit 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to
> return void") only initialized ret for the first time, when going
> to again path, the next tsp could be NULL. Without resetting ret,
> cb_done would be called with tsp as NULL.
> 
> A kernel crash was caused by this when running sctpdiag testcase
> in sctp-tests.
> 
> Note that this issue doesn't affect net.git yet.
> 
> Fixes: 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to return void")
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
> ---
>  net/sctp/socket.c | 3 ++-
>  1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index 7ff444e..a40fa53 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -4860,9 +4860,10 @@ int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *),
>  			    struct net *net, int *pos, void *p) {
>  	struct rhashtable_iter hti;
>  	struct sctp_transport *tsp;
> -	int ret = 0;
> +	int ret;
>  
>  again:
> +	ret = 0;
>  	sctp_transport_walk_start(&hti);
>  
>  	tsp = sctp_transport_get_idx(net, &hti, *pos + 1);
> -- 
> 2.1.0
> 
> 
Acked-by: Neil Horman <nhorman@tuxdriver.com>
David Miller Jan. 23, 2018, 4:22 p.m. UTC | #3
From: Xin Long <lucien.xin@gmail.com>
Date: Tue, 23 Jan 2018 18:22:25 +0800

> Commit 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to
> return void") only initialized ret for the first time, when going
> to again path, the next tsp could be NULL. Without resetting ret,
> cb_done would be called with tsp as NULL.
> 
> A kernel crash was caused by this when running sctpdiag testcase
> in sctp-tests.
> 
> Note that this issue doesn't affect net.git yet.
> 
> Fixes: 97a6ec4ac021 ("rhashtable: Change rhashtable_walk_start to return void")
> Signed-off-by: Xin Long <lucien.xin@gmail.com>

Applied, thanks.

Patch

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 7ff444e..a40fa53 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4860,9 +4860,10 @@  int sctp_for_each_transport(int (*cb)(struct sctp_transport *, void *),
 			    struct net *net, int *pos, void *p) {
 	struct rhashtable_iter hti;
 	struct sctp_transport *tsp;
-	int ret = 0;
+	int ret;
 
 again:
+	ret = 0;
 	sctp_transport_walk_start(&hti);
 
 	tsp = sctp_transport_get_idx(net, &hti, *pos + 1);
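Review bot: The `ret = 0;` added directly under `again:` has no comment saying why it must run on every pass, so a later cleanup could fold it back into `int ret = 0;` at the declaration, which is exactly the form this patch removes. A one-line comment at the label would protect it, noting that ret still holds the previous pass's value when the walk restarts, and that the commit message ties that stale value to cb_done being called with tsp as NULL. Since the failure described is a NULL tsp reaching cb_done, it is also worth asking whether that call site (not shown in this hunk) should test tsp directly instead of relying on ret alone.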