Date: Mon, 18 Mar 2019 18:24:31 -0700 (PDT)
Message-Id: <20190318.182431.545997926960587440.davem@davemloft.net>
To: lucien.xin@gmail.com
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org, marcelo.leitner@gmail.com, nhorman@tuxdriver.com, syzkaller@googlegroups.com
Subject: Re: [PATCH net] sctp: not copy sctp_sock pd_lobby in sctp_copy_descendant
From: David Miller
In-Reply-To: <130ce0bbbc015f9fb47f97b51c650843e2ac39a3.1552910309.git.lucien.xin@gmail.com>
References: <130ce0bbbc015f9fb47f97b51c650843e2ac39a3.1552910309.git.lucien.xin@gmail.com>

From: Xin Long
Date: Mon, 18 Mar 2019 19:58:29 +0800

> Now sctp_copy_descendant() copies pd_lobby from the old sctp sock to the new
> sctp sock. If sctp_sock_migrate() returns an error, it will panic when
> releasing the new sock and trying to purge pd_lobby due to the incorrect
> pointers in pd_lobby.
>
> [ 120.485116] kasan: CONFIG_KASAN_INLINE enabled
> [ 120.486270] kasan: GPF could be caused by NULL-ptr deref or user
> [ 120.509901] Call Trace:
> [ 120.510443] sctp_ulpevent_free+0x1e8/0x490 [sctp]
> [ 120.511438] sctp_queue_purge_ulpevents+0x97/0xe0 [sctp]
> [ 120.512535] sctp_close+0x13a/0x700 [sctp]
> [ 120.517483] inet_release+0xdc/0x1c0
> [ 120.518215] __sock_release+0x1d2/0x2a0
> [ 120.519025] sctp_do_peeloff+0x30f/0x3c0 [sctp]
>
> We fix it by not copying sctp_sock pd_lobby in sctp_copy_descendant(),
> and skb_queue_head_init() can also be removed in sctp_sock_migrate().
>
> Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com
> Fixes: 89664c623617 ("sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails")
> Signed-off-by: Xin Long

Applied and looks to not need -stable backporting.

Let me know if you disagree.
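The failure mode the commit message describes, shown as an added illustration rather than kernel code: a byte-wise copy of a struct that embeds a self-referential queue head leaves the copy's head pointing into the source socket, so a purge of the copy on the error path walks and frees the wrong memory. `struct qhead`, `struct sock_like`, `copy_descendant_buggy`, `copy_descendant_fixed`, `lobby_owned_by` and `demo` are hypothetical stand-ins for sk_buff_head, sctp_sock and the descendant copy, not the real SCTP types or functions.

```c
#include <string.h>
/* Stand-in for sk_buff_head: a circular intrusive list whose empty state is a
 * head pointing at itself, so a byte-wise struct copy leaves the copy's head
 * pointing into the source object instead of at itself. */
struct qhead { struct qhead *next, *prev; };
static void qhead_init(struct qhead *h) { h->next = h->prev = h; }
static void qhead_push(struct qhead *h, struct qhead *n) {
    n->next = h; n->prev = h->prev;
    h->prev->next = n; h->prev = n;
}
/* Hypothetical stand-in for the span of sctp_sock covered by the descendant copy. */
struct sock_like {
    int flags;
    struct qhead pd_lobby;   /* the queue the patch stops copying */
    int other;
};
/* Pre-fix behaviour: one memcpy over the whole span, pd_lobby included. */
static void copy_descendant_buggy(struct sock_like *nsk, const struct sock_like *osk) {
    memcpy(nsk, osk, sizeof(*nsk));
}
/* Post-fix behaviour: plain fields are copied, the queue head is initialised
 * fresh so it belongs to the new socket from the start. */
static void copy_descendant_fixed(struct sock_like *nsk, const struct sock_like *osk) {
    nsk->flags = osk->flags;
    nsk->other = osk->other;
    qhead_init(&nsk->pd_lobby);
}
/* 1 if walking s->pd_lobby stays within s; 0 as soon as the walk reaches the
 * other socket's head, which a purge on the error path would then try to free. */
static int lobby_owned_by(const struct sock_like *s, const struct sock_like *foreign) {
    const struct qhead *p = s->pd_lobby.next;
    int steps = 0;
    while (p != &s->pd_lobby) {
        if (p == &foreign->pd_lobby || ++steps > 64)
            return 0;
        p = p->next;
    }
    return 1;
}
/* Constructed scenario: old socket with one queued event, then a descendant copy. */
static int demo(int use_fixed) {
    struct sock_like osk = { .flags = 1, .other = 2 }, nsk;
    struct qhead ev;
    qhead_init(&osk.pd_lobby);
    qhead_push(&osk.pd_lobby, &ev);
    if (use_fixed) copy_descendant_fixed(&nsk, &osk);
    else           copy_descendant_buggy(&nsk, &osk);
    return lobby_owned_by(&nsk, &osk);
}
```

`demo(0)` reports the copy's queue reaching back into the old socket, which is the state sctp_close() then tried to purge; `demo(1)` reports a queue that is the new socket's own.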