Date: Tue, 19 Mar 2019 07:13:00 -0400
From: Neil Horman
To: Xin Long
Cc: network dev , linux-sctp@vger.kernel.org, davem@davemloft.net, Marcelo Ricardo Leitner , syzkaller@googlegroups.com
Subject: Re: [PATCH net] sctp: not copy sctp_sock pd_lobby in sctp_copy_descendant
Message-ID: <20190319111300.GB3722@hmswarspite.think-freely.org>
References: <130ce0bbbc015f9fb47f97b51c650843e2ac39a3.1552910309.git.lucien.xin@gmail.com>
In-Reply-To: <130ce0bbbc015f9fb47f97b51c650843e2ac39a3.1552910309.git.lucien.xin@gmail.com>
User-Agent: Mutt/1.11.3 (2019-02-01)
X-Mailing-List: netdev@vger.kernel.org

On Mon, Mar 18, 2019 at 07:58:29PM +0800, Xin Long wrote:
> Now sctp_copy_descendant() copies pd_lobby from old sctp sock to new
> sctp sock. If sctp_sock_migrate() returns error, it will panic when
> releasing new sock and trying to purge pd_lobby due to the incorrect
> pointers in pd_lobby.
>
> [ 120.485116] kasan: CONFIG_KASAN_INLINE enabled
> [ 120.486270] kasan: GPF could be caused by NULL-ptr deref or user
> [ 120.509901] Call Trace:
> [ 120.510443] sctp_ulpevent_free+0x1e8/0x490 [sctp]
> [ 120.511438] sctp_queue_purge_ulpevents+0x97/0xe0 [sctp]
> [ 120.512535] sctp_close+0x13a/0x700 [sctp]
> [ 120.517483] inet_release+0xdc/0x1c0
> [ 120.518215] __sock_release+0x1d2/0x2a0
> [ 120.519025] sctp_do_peeloff+0x30f/0x3c0 [sctp]
>
> We fix it by not copying sctp_sock pd_lobby in sctp_copy_descendant(),
> and skb_queue_head_init() can also be removed in sctp_sock_migrate().
>
> Reported-by: syzbot+85e0b422ff140b03672a@syzkaller.appspotmail.com
> Fixes: 89664c623617 ("sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails")
> Signed-off-by: Xin Long
> ---
> net/sctp/socket.c | 3 +--
> 1 file changed, 1 insertion(+), 2 deletions(-)
>
> diff --git a/net/sctp/socket.c b/net/sctp/socket.c
> index 6140471..65b5386 100644
> --- a/net/sctp/socket.c
> +++ b/net/sctp/socket.c
> @@ -9169,7 +9169,7 @@ static inline void sctp_copy_descendant(struct sock *sk_to,
> {
> int ancestor_size = sizeof(struct inet_sock) +
> sizeof(struct sctp_sock) -
> - offsetof(struct sctp_sock, auto_asconf_list);
> + offsetof(struct sctp_sock, pd_lobby);
>
> if (sk_from->sk_family == PF_INET6)
> ancestor_size += sizeof(struct ipv6_pinfo);
> @@ -9253,7 +9253,6 @@ static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
> * 2) Peeling off partial delivery; keep pd_lobby in new pd_lobby.
> * 3) Peeling off non-partial delivery; move pd_lobby to receive_queue.
> */
> - skb_queue_head_init(&newsp->pd_lobby);
> atomic_set(&sctp_sk(newsk)->pd_mode, assoc->ulpq.pd_mode);
>
> if (atomic_read(&sctp_sk(oldsk)->pd_mode)) {
> --
> 2.1.0
>

Acked-by: Neil Horman
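Review bot: the new upper bound in sctp_copy_descendant() encodes a struct-layout assumption that the hunk at -9169 does not document. Replacing `offsetof(struct sctp_sock, auto_asconf_list)` with `offsetof(struct sctp_sock, pd_lobby)` stops the copy one field earlier, so it only does what the changelog says if pd_lobby sits immediately before auto_asconf_list and every field the new socket must inherit comes before it; a later reordering of struct sctp_sock would silently copy a list head again and reintroduce this crash. Suggest a comment at the tail of struct sctp_sock (or in this function) saying that pd_lobby and auto_asconf_list must stay the last fields because they are skipped on copy.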
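Review bot: removing `skb_queue_head_init(&newsp->pd_lobby);` in the -9253 hunk is only correct if newsk's pd_lobby was already initialised when the socket was created, and the changelog's "can also be removed" does not say where that happens. Please state it, since after this patch an error return from sctp_sock_migrate() (the sctp_bind_addr_dup() failure named in the Fixes tag) leaves pd_lobby exactly as socket creation set it and sctp_close() then purges it; if any caller reaches this function with a socket whose pd_lobby was never initialised, the purge would walk garbage again. The surrounding comment (cases 2 and 3) still describes moving events into the new pd_lobby, which is consistent with it being an already-initialised empty queue rather than one re-initialised here.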