drbd: Fix a use after free in get_initial_state

Message ID 20210401115753.3684-1-lyl2019@mail.ustc.edu.cn (mailing list archive)
State New, archived

Commit Message

Lv Yunlong April 1, 2021, 11:57 a.m. UTC
In get_initial_state, it calls notify_initial_state_done(skb,..) if
cb->args[5]==1. I see that if genlmsg_put() failed in
notify_initial_state_done(), the skb will be freed by nlmsg_free(skb).
Then get_initial_state will goto out and the freed skb will be used by
return value skb->len.

My patch lets skb_len = skb->len and return the skb_len to avoid the uaf.

Fixes: a29728463b254 ("drbd: Backport the "events2" command")
Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
---
 drivers/block/drbd/drbd_nl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

Comments

Christoph Böhmwalder April 1, 2021, 1:01 p.m. UTC | #1
On 4/1/21 1:57 PM, Lv Yunlong wrote:
> In get_initial_state, it calls notify_initial_state_done(skb,..) if
> cb->args[5]==1. I see that if genlmsg_put() failed in
> notify_initial_state_done(), the skb will be freed by nlmsg_free(skb).
> Then get_initial_state will goto out and the freed skb will be used by
> return value skb->len.
> 
> My patch lets skb_len = skb->len and return the skb_len to avoid the uaf.
> 
> Fixes: a29728463b254 ("drbd: Backport the "events2" command")
> Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> ---
>   drivers/block/drbd/drbd_nl.c | 3 ++-
>   1 file changed, 2 insertions(+), 1 deletion(-)
> 
> diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
> index bf7de4c7b96c..474f84675d0a 100644
> --- a/drivers/block/drbd/drbd_nl.c
> +++ b/drivers/block/drbd/drbd_nl.c
> @@ -4905,6 +4905,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
>   	struct drbd_state_change *state_change = (struct drbd_state_change *)cb->args[0];
>   	unsigned int seq = cb->args[2];
>   	unsigned int n;
> +	unsigned int skb_len = skb->len;
>   	enum drbd_notification_type flags = 0;
>   
>   	/* There is no need for taking notification_mutex here: it doesn't
> @@ -4915,7 +4916,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
>   	cb->args[5]--;
>   	if (cb->args[5] == 1) {
>   		notify_initial_state_done(skb, seq);
> -		goto out;
> +		return skb_len;
>   	}
>   	n = cb->args[4]++;
>   	if (cb->args[4] < cb->args[3])
> 

Thanks for the patch!

I think the problem goes even further: skb can also be freed in the 
notify_*_state_change -> notify_*_state calls below.

Also, at the point where we save skb->len into skb_len, skb is not 
initialized yet. Maybe it makes more sense to not return a length in the 
first place here, but an error code instead.
Lv Yunlong April 1, 2021, 3:13 p.m. UTC | #2
> -----Original Message-----
> From: "Christoph Böhmwalder" <christoph.boehmwalder@linbit.com>
> Sent: 2021-04-01 21:01:20 (Thursday)
> To: "Lv Yunlong" <lyl2019@mail.ustc.edu.cn>
> Cc: philipp.reisner@linbit.com, lars.ellenberg@linbit.com, axboe@kernel.dk, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, drbd-dev@lists.linbit.com
> Subject: Re: [Drbd-dev] [PATCH] drbd: Fix a use after free in get_initial_state
> 
> On 4/1/21 1:57 PM, Lv Yunlong wrote:
> > In get_initial_state, it calls notify_initial_state_done(skb,..) if
> > cb->args[5]==1. I see that if genlmsg_put() failed in
> > notify_initial_state_done(), the skb will be freed by nlmsg_free(skb).
> > Then get_initial_state will goto out and the freed skb will be used by
> > return value skb->len.
> > 
> > My patch lets skb_len = skb->len and return the skb_len to avoid the uaf.
> > 
> > Fixes: a29728463b254 ("drbd: Backport the "events2" command")
> > Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> > ---
> >   drivers/block/drbd/drbd_nl.c | 3 ++-
> >   1 file changed, 2 insertions(+), 1 deletion(-)
> > 
> > diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
> > index bf7de4c7b96c..474f84675d0a 100644
> > --- a/drivers/block/drbd/drbd_nl.c
> > +++ b/drivers/block/drbd/drbd_nl.c
> > @@ -4905,6 +4905,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
> >   	struct drbd_state_change *state_change = (struct drbd_state_change *)cb->args[0];
> >   	unsigned int seq = cb->args[2];
> >   	unsigned int n;
> > +	unsigned int skb_len = skb->len;
> >   	enum drbd_notification_type flags = 0;
> >   
> >   	/* There is no need for taking notification_mutex here: it doesn't
> > @@ -4915,7 +4916,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
> >   	cb->args[5]--;
> >   	if (cb->args[5] == 1) {
> >   		notify_initial_state_done(skb, seq);
> > -		goto out;
> > +		return skb_len;
> >   	}
> >   	n = cb->args[4]++;
> >   	if (cb->args[4] < cb->args[3])
> > 
> 
> Thanks for the patch!
> 
> I think the problem goes even further: skb can also be freed in the 
> notify_*_state_change -> notify_*_state calls below.
> 
> Also, at the point where we save skb->len into skb_len, skb is not 
> initialized yet. Maybe it makes more sense to not return a length in the 
> first place here, but an error code instead.
> 
> -- 
> Christoph Böhmwalder
> LINBIT | Keeping the Digital World Running
> DRBD HA —  Disaster Recovery — Software defined Storage

Ok, I see.
I found that drbd_adm_get_initial_state() calls get_initial_state(),
and returns -ENOMEM if its call to remember_old_state() fails.

So, I think that means if get_initial_state() fails in notify_initial_state_done(),
it should return -ENOMEM too.

I will submit PATCH v2 to fix the first place. The fix for the further problem is 
hard for me.

Thanks.
Lv Yunlong April 1, 2021, 3:17 p.m. UTC | #3
> -----Original Message-----
> From: lyl2019@mail.ustc.edu.cn
> Sent: 2021-04-01 23:13:58 (Thursday)
> To: "Christoph Böhmwalder" <christoph.boehmwalder@linbit.com>
> Cc: philipp.reisner@linbit.com, lars.ellenberg@linbit.com, axboe@kernel.dk, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, drbd-dev@lists.linbit.com
> Subject: Re: Re: [Drbd-dev] [PATCH] drbd: Fix a use after free in get_initial_state
> 
> 
> 
> 
> > -----Original Message-----
> > From: "Christoph Böhmwalder" <christoph.boehmwalder@linbit.com>
> > Sent: 2021-04-01 21:01:20 (Thursday)
> > To: "Lv Yunlong" <lyl2019@mail.ustc.edu.cn>
> > Cc: philipp.reisner@linbit.com, lars.ellenberg@linbit.com, axboe@kernel.dk, linux-block@vger.kernel.org, linux-kernel@vger.kernel.org, drbd-dev@lists.linbit.com
> > Subject: Re: [Drbd-dev] [PATCH] drbd: Fix a use after free in get_initial_state
> > 
> > On 4/1/21 1:57 PM, Lv Yunlong wrote:
> > > In get_initial_state, it calls notify_initial_state_done(skb,..) if
> > > cb->args[5]==1. I see that if genlmsg_put() failed in
> > > notify_initial_state_done(), the skb will be freed by nlmsg_free(skb).
> > > Then get_initial_state will goto out and the freed skb will be used by
> > > return value skb->len.
> > > 
> > > My patch lets skb_len = skb->len and return the skb_len to avoid the uaf.
> > > 
> > > Fixes: a29728463b254 ("drbd: Backport the "events2" command")
> > > Signed-off-by: Lv Yunlong <lyl2019@mail.ustc.edu.cn>
> > > ---
> > >   drivers/block/drbd/drbd_nl.c | 3 ++-
> > >   1 file changed, 2 insertions(+), 1 deletion(-)
> > > 
> > > diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
> > > index bf7de4c7b96c..474f84675d0a 100644
> > > --- a/drivers/block/drbd/drbd_nl.c
> > > +++ b/drivers/block/drbd/drbd_nl.c
> > > @@ -4905,6 +4905,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
> > >   	struct drbd_state_change *state_change = (struct drbd_state_change *)cb->args[0];
> > >   	unsigned int seq = cb->args[2];
> > >   	unsigned int n;
> > > +	unsigned int skb_len = skb->len;
> > >   	enum drbd_notification_type flags = 0;
> > >   
> > >   	/* There is no need for taking notification_mutex here: it doesn't
> > > @@ -4915,7 +4916,7 @@ static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
> > >   	cb->args[5]--;
> > >   	if (cb->args[5] == 1) {
> > >   		notify_initial_state_done(skb, seq);
> > > -		goto out;
> > > +		return skb_len;
> > >   	}
> > >   	n = cb->args[4]++;
> > >   	if (cb->args[4] < cb->args[3])
> > > 
> > 
> > Thanks for the patch!
> > 
> > I think the problem goes even further: skb can also be freed in the 
> > notify_*_state_change -> notify_*_state calls below.
> > 
> > Also, at the point where we save skb->len into skb_len, skb is not 
> > initialized yet. Maybe it makes more sense to not return a length in the 
> > first place here, but an error code instead.
> > 
> > -- 
> > Christoph Böhmwalder
> > LINBIT | Keeping the Digital World Running
> > DRBD HA —  Disaster Recovery — Software defined Storage
> 
> Ok, I see.
> I found that drbd_adm_get_initial_state() calls get_initial_state(),
> and returns -ENOMEM if its call to remember_old_state() fails.
> 
> So, I think that means if get_initial_state() fails in notify_initial_state_done(),
> it should return -ENOMEM too.
> 
> I will submit PATCH v2 to fix the first place. The fix for the further problem is 
> hard for me.
> 
> Thanks.

I found that notify_initial_state_done() uses err = -EMSGSIZE, so the first place should
return -EMSGSIZE not -ENOMEM. Sorry.
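
A userspace model of the ownership problem discussed in this thread, added here as an example; it is not part of any message above and is not DRBD code. `struct msg_buf`, `notify_done()` and the `dump_step_*` functions are hypothetical stand-ins for the skb, the notify helper and its caller, and the helper's free-on-failure contract is assumed from the description in the thread.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical stand-in for struct sk_buff: only the fields the bug needs. */
struct msg_buf {
	size_t len;	/* bytes already written */
	size_t cap;	/* total capacity */
};

static struct msg_buf *msg_alloc(size_t cap)
{
	struct msg_buf *buf = calloc(1, sizeof(*buf));

	if (buf)
		buf->cap = cap;
	return buf;
}

/*
 * Assumed contract, modelled on the thread: when the message does not fit,
 * the helper frees the buffer and reports -EMSGSIZE. After a negative
 * return the caller must treat buf as gone.
 */
static int notify_done(struct msg_buf *buf, size_t msg_len)
{
	if (buf->cap - buf->len < msg_len) {
		free(buf);
		return -EMSGSIZE;
	}
	buf->len += msg_len;
	return 0;
}

/* Shape of the code being patched: the helper's result is ignored and
 * buf->len is read afterwards. On the failure path this reads freed memory. */
static int dump_step_unchecked(struct msg_buf *buf, size_t msg_len)
{
	notify_done(buf, msg_len);
	return (int)buf->len;
}

/* Error-propagating form: buf is dereferenced only if the helper succeeded. */
static int dump_step_checked(struct msg_buf *buf, size_t msg_len)
{
	int err = notify_done(buf, msg_len);

	if (err)
		return err;	/* buf was freed by the helper */
	return (int)buf->len;
}

/* Success path: both forms report the length after the append. */
static int demo_success(void)
{
	struct msg_buf *a = msg_alloc(16), *b = msg_alloc(16);
	int ra, rb;

	if (!a || !b) {
		free(a);
		free(b);
		return -ENOMEM;
	}
	ra = dump_step_unchecked(a, 8);
	rb = dump_step_checked(b, 8);
	free(a);
	free(b);
	return ra == rb ? rb : -EINVAL;
}

/* Failure path: exercised with the checked form only, since the unchecked
 * form would dereference the freed buffer here. */
static int demo_failure(void)
{
	struct msg_buf *b = msg_alloc(4);

	if (!b)
		return -ENOMEM;
	return dump_step_checked(b, 8);	/* 8 bytes do not fit in 4 */
}

int main(void)
{
	printf("success path: %d\n", demo_success());
	printf("failure path: %d\n", demo_failure());
	return 0;
}
```

Building this with `-fsanitize=address` and routing the failure path through `dump_step_unchecked()` makes the sanitizer report the read of the freed buffer.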
Chen, Rong A April 2, 2021, 5:09 a.m. UTC | #4
Hi Lv,

Thank you for the patch! Perhaps something to improve:

[auto build test WARNING on block/for-next]
[also build test WARNING on linux/master linus/master v5.12-rc5 next-20210401]
[If your patch is applied to the wrong git tree, kindly drop us a note.
And when submitting patch, we suggest to use '--base' as documented in
https://git-scm.com/docs/git-format-patch]

url:    https://github.com/0day-ci/linux/commits/Lv-Yunlong/drbd-Fix-a-use-after-free-in-get_initial_state/20210402-015401
base:   https://git.kernel.org/pub/scm/linux/kernel/git/axboe/linux-block.git for-next
config: x86_64-randconfig-s021-20210401 (attached as .config)
compiler: gcc-9 (Debian 9.3.0-22) 9.3.0
reproduce:
        # apt-get install sparse
        # sparse version: v0.6.3-279-g6d5d9b42-dirty
        # https://github.com/0day-ci/linux/commit/af3f55d6c8730c5c1ce31fda165712091584adb0
        git remote add linux-review https://github.com/0day-ci/linux
        git fetch --no-tags linux-review Lv-Yunlong/drbd-Fix-a-use-after-free-in-get_initial_state/20210402-015401
        git checkout af3f55d6c8730c5c1ce31fda165712091584adb0
        # save the attached .config to linux build tree
        make W=1 C=1 CF='-fdiagnostic-prefix -D__CHECK_ENDIAN__' ARCH=x86_64 

If you fix the issue, kindly add following tag as appropriate
Reported-by: kernel test robot <lkp@intel.com>


sparse warnings: (new ones prefixed by >>)
>> drivers/block/drbd/drbd_nl.c:4957:1: sparse: sparse: unused label 'out'

vim +/out +4957 drivers/block/drbd/drbd_nl.c

a29728463b254c Andreas Gruenbacher 2014-07-31  4902  
a29728463b254c Andreas Gruenbacher 2014-07-31  4903  static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
a29728463b254c Andreas Gruenbacher 2014-07-31  4904  {
a29728463b254c Andreas Gruenbacher 2014-07-31  4905  	struct drbd_state_change *state_change = (struct drbd_state_change *)cb->args[0];
a29728463b254c Andreas Gruenbacher 2014-07-31  4906  	unsigned int seq = cb->args[2];
a29728463b254c Andreas Gruenbacher 2014-07-31  4907  	unsigned int n;
af3f55d6c8730c Lv Yunlong          2021-04-01  4908  	unsigned int skb_len = skb->len;
a29728463b254c Andreas Gruenbacher 2014-07-31  4909  	enum drbd_notification_type flags = 0;
a29728463b254c Andreas Gruenbacher 2014-07-31  4910  
a29728463b254c Andreas Gruenbacher 2014-07-31  4911  	/* There is no need for taking notification_mutex here: it doesn't
a29728463b254c Andreas Gruenbacher 2014-07-31  4912  	   matter if the initial state events mix with later state chage
a29728463b254c Andreas Gruenbacher 2014-07-31  4913  	   events; we can always tell the events apart by the NOTIFY_EXISTS
a29728463b254c Andreas Gruenbacher 2014-07-31  4914  	   flag. */
a29728463b254c Andreas Gruenbacher 2014-07-31  4915  
a29728463b254c Andreas Gruenbacher 2014-07-31  4916  	cb->args[5]--;
a29728463b254c Andreas Gruenbacher 2014-07-31  4917  	if (cb->args[5] == 1) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4918  		notify_initial_state_done(skb, seq);
af3f55d6c8730c Lv Yunlong          2021-04-01  4919  		return skb_len;
a29728463b254c Andreas Gruenbacher 2014-07-31  4920  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4921  	n = cb->args[4]++;
a29728463b254c Andreas Gruenbacher 2014-07-31  4922  	if (cb->args[4] < cb->args[3])
a29728463b254c Andreas Gruenbacher 2014-07-31  4923  		flags |= NOTIFY_CONTINUES;
a29728463b254c Andreas Gruenbacher 2014-07-31  4924  	if (n < 1) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4925  		notify_resource_state_change(skb, seq, state_change->resource,
a29728463b254c Andreas Gruenbacher 2014-07-31  4926  					     NOTIFY_EXISTS | flags);
a29728463b254c Andreas Gruenbacher 2014-07-31  4927  		goto next;
a29728463b254c Andreas Gruenbacher 2014-07-31  4928  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4929  	n--;
a29728463b254c Andreas Gruenbacher 2014-07-31  4930  	if (n < state_change->n_connections) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4931  		notify_connection_state_change(skb, seq, &state_change->connections[n],
a29728463b254c Andreas Gruenbacher 2014-07-31  4932  					       NOTIFY_EXISTS | flags);
a29728463b254c Andreas Gruenbacher 2014-07-31  4933  		goto next;
a29728463b254c Andreas Gruenbacher 2014-07-31  4934  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4935  	n -= state_change->n_connections;
a29728463b254c Andreas Gruenbacher 2014-07-31  4936  	if (n < state_change->n_devices) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4937  		notify_device_state_change(skb, seq, &state_change->devices[n],
a29728463b254c Andreas Gruenbacher 2014-07-31  4938  					   NOTIFY_EXISTS | flags);
a29728463b254c Andreas Gruenbacher 2014-07-31  4939  		goto next;
a29728463b254c Andreas Gruenbacher 2014-07-31  4940  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4941  	n -= state_change->n_devices;
a29728463b254c Andreas Gruenbacher 2014-07-31  4942  	if (n < state_change->n_devices * state_change->n_connections) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4943  		notify_peer_device_state_change(skb, seq, &state_change->peer_devices[n],
a29728463b254c Andreas Gruenbacher 2014-07-31  4944  						NOTIFY_EXISTS | flags);
a29728463b254c Andreas Gruenbacher 2014-07-31  4945  		goto next;
a29728463b254c Andreas Gruenbacher 2014-07-31  4946  	}
a29728463b254c Andreas Gruenbacher 2014-07-31  4947  
a29728463b254c Andreas Gruenbacher 2014-07-31  4948  next:
a29728463b254c Andreas Gruenbacher 2014-07-31  4949  	if (cb->args[4] == cb->args[3]) {
a29728463b254c Andreas Gruenbacher 2014-07-31  4950  		struct drbd_state_change *next_state_change =
a29728463b254c Andreas Gruenbacher 2014-07-31  4951  			list_entry(state_change->list.next,
a29728463b254c Andreas Gruenbacher 2014-07-31  4952  				   struct drbd_state_change, list);
a29728463b254c Andreas Gruenbacher 2014-07-31  4953  		cb->args[0] = (long)next_state_change;
a29728463b254c Andreas Gruenbacher 2014-07-31  4954  		cb->args[3] = notifications_for_state_change(next_state_change);
a29728463b254c Andreas Gruenbacher 2014-07-31  4955  		cb->args[4] = 0;
a29728463b254c Andreas Gruenbacher 2014-07-31  4956  	}
a29728463b254c Andreas Gruenbacher 2014-07-31 @4957  out:
a29728463b254c Andreas Gruenbacher 2014-07-31  4958  	return skb->len;
a29728463b254c Andreas Gruenbacher 2014-07-31  4959  }
a29728463b254c Andreas Gruenbacher 2014-07-31  4960  

---
0-DAY CI Kernel Test Service, Intel Corporation
https://lists.01.org/hyperkitty/list/kbuild-all@lists.01.org
Patch

diff --git a/drivers/block/drbd/drbd_nl.c b/drivers/block/drbd/drbd_nl.c
index bf7de4c7b96c..474f84675d0a 100644
--- a/drivers/block/drbd/drbd_nl.c
+++ b/drivers/block/drbd/drbd_nl.c
@@ -4905,6 +4905,7 @@  static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
 	struct drbd_state_change *state_change = (struct drbd_state_change *)cb->args[0];
 	unsigned int seq = cb->args[2];
 	unsigned int n;
+	unsigned int skb_len = skb->len;
 	enum drbd_notification_type flags = 0;
 
 	/* There is no need for taking notification_mutex here: it doesn't
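Review bot: `unsigned int skb_len = skb->len;` takes its snapshot at declaration, before `cb->args[5]--` and before notify_initial_state_done() has written anything, so the value returned later is the length on entry, not the length after the notification was appended, which is what the previous `goto out` path reported through `return skb->len`. That changes the success-path return value as a side effect of the fix. Suggest dropping the cached local and returning an error code when the helper fails.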
@@ -4915,7 +4916,7 @@  static int get_initial_state(struct sk_buff *skb, struct netlink_callback *cb)
 	cb->args[5]--;
 	if (cb->args[5] == 1) {
 		notify_initial_state_done(skb, seq);
-		goto out;
+		return skb_len;
 	}
 	n = cb->args[4]++;
 	if (cb->args[4] < cb->args[3])
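Review bot: the result of `notify_initial_state_done(skb, seq);` is still discarded in the `cb->args[5] == 1` branch, so `return skb_len;` reports a length whether the helper succeeded or freed the skb. Have the helper return its error and propagate it here, along the lines of `err = notify_initial_state_done(skb, seq); if (err) return err;`. Replacing this `goto out;` also leaves the `out:` label at the end of the function without a user, which is the sparse warning reported against this patch; remove the label in the same change. The notify_*_state_change calls further down still reach `return skb->len`, so they need the same treatment.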