* [PATCH net] sctp: change sctp_prot .no_autobind with true
@ 2019-10-15 7:24 ` Xin Long
0 siblings, 0 replies; 8+ messages in thread
From: Xin Long @ 2019-10-15 7:24 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: davem, Marcelo Ricardo Leitner, Neil Horman
syzbot reported a memory leak:
BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
backtrace:
[...] slab_alloc mm/slab.c:3319 [inline]
[...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
[...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
[...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
[...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
[...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
[...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
[...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
[...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
[...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
[...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
[...] __do_sys_setsockopt net/socket.c:2100 [inline]
It was caused by when sending msgs without binding a port, in the path:
inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
.get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
not. Later when binding another port by sctp_setsockopt_bindx(), a new
bucket will be created as bp->port is not set.
sctp's autobind is supposed to call sctp_autobind() where it does all
things including setting bp->port. Since sctp_autobind() is called in
sctp_sendmsg() if the sk is not yet bound, it should have skipped the
auto bind.
THis patch is to avoid calling inet_autobind() in inet_send_prepare()
by changing sctp_prot .no_autobind with true, also remove the unused
.get_port.
Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/sctp/socket.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 939b8d2..5ca0ec0 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9500,7 +9500,7 @@ struct proto sctp_prot = {
.backlog_rcv = sctp_backlog_rcv,
.hash = sctp_hash,
.unhash = sctp_unhash,
- .get_port = sctp_get_port,
+ .no_autobind = true,
.obj_size = sizeof(struct sctp_sock),
.useroffset = offsetof(struct sctp_sock, subscribe),
.usersize = offsetof(struct sctp_sock, initmsg) -
@@ -9542,7 +9542,7 @@ struct proto sctpv6_prot = {
.backlog_rcv = sctp_backlog_rcv,
.hash = sctp_hash,
.unhash = sctp_unhash,
- .get_port = sctp_get_port,
+ .no_autobind = true,
.obj_size = sizeof(struct sctp6_sock),
.useroffset = offsetof(struct sctp6_sock, sctp.subscribe),
.usersize = offsetof(struct sctp6_sock, sctp.initmsg) -
--
2.1.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [PATCH net] sctp: change sctp_prot .no_autobind with true
@ 2019-10-15 7:24 ` Xin Long
0 siblings, 0 replies; 8+ messages in thread
From: Xin Long @ 2019-10-15 7:24 UTC (permalink / raw)
To: network dev, linux-sctp; +Cc: davem, Marcelo Ricardo Leitner, Neil Horman
syzbot reported a memory leak:
BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
backtrace:
[...] slab_alloc mm/slab.c:3319 [inline]
[...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
[...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
[...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
[...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
[...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
[...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
[...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
[...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
[...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
[...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
[...] __do_sys_setsockopt net/socket.c:2100 [inline]
It was caused by when sending msgs without binding a port, in the path:
inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
.get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
not. Later when binding another port by sctp_setsockopt_bindx(), a new
bucket will be created as bp->port is not set.
sctp's autobind is supposed to call sctp_autobind() where it does all
things including setting bp->port. Since sctp_autobind() is called in
sctp_sendmsg() if the sk is not yet bound, it should have skipped the
auto bind.
THis patch is to avoid calling inet_autobind() in inet_send_prepare()
by changing sctp_prot .no_autobind with true, also remove the unused
.get_port.
Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
---
net/sctp/socket.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 939b8d2..5ca0ec0 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9500,7 +9500,7 @@ struct proto sctp_prot = {
.backlog_rcv = sctp_backlog_rcv,
.hash = sctp_hash,
.unhash = sctp_unhash,
- .get_port = sctp_get_port,
+ .no_autobind = true,
.obj_size = sizeof(struct sctp_sock),
.useroffset = offsetof(struct sctp_sock, subscribe),
.usersize = offsetof(struct sctp_sock, initmsg) -
@@ -9542,7 +9542,7 @@ struct proto sctpv6_prot = {
.backlog_rcv = sctp_backlog_rcv,
.hash = sctp_hash,
.unhash = sctp_unhash,
- .get_port = sctp_get_port,
+ .no_autobind = true,
.obj_size = sizeof(struct sctp6_sock),
.useroffset = offsetof(struct sctp6_sock, sctp.subscribe),
.usersize = offsetof(struct sctp6_sock, sctp.initmsg) -
--
2.1.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: change sctp_prot .no_autobind with true
2019-10-15 7:24 ` Xin Long
@ 2019-10-15 14:35 ` Marcelo Ricardo Leitner
-1 siblings, 0 replies; 8+ messages in thread
From: Marcelo Ricardo Leitner @ 2019-10-15 14:35 UTC (permalink / raw)
To: Xin Long; +Cc: network dev, linux-sctp, davem, Neil Horman
On Tue, Oct 15, 2019 at 03:24:38PM +0800, Xin Long wrote:
> syzbot reported a memory leak:
>
> BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
> backtrace:
>
> [...] slab_alloc mm/slab.c:3319 [inline]
> [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
> [...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
> [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
> [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
> [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
> [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
> [...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
> [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
> [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
> [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
> [...] __do_sys_setsockopt net/socket.c:2100 [inline]
>
> It was caused by when sending msgs without binding a port, in the path:
> inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> not. Later when binding another port by sctp_setsockopt_bindx(), a new
> bucket will be created as bp->port is not set.
>
> sctp's autobind is supposed to call sctp_autobind() where it does all
> things including setting bp->port. Since sctp_autobind() is called in
> sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> auto bind.
>
> THis patch is to avoid calling inet_autobind() in inet_send_prepare()
> by changing sctp_prot .no_autobind with true, also remove the unused
> .get_port.
>
> Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: change sctp_prot .no_autobind with true
@ 2019-10-15 14:35 ` Marcelo Ricardo Leitner
0 siblings, 0 replies; 8+ messages in thread
From: Marcelo Ricardo Leitner @ 2019-10-15 14:35 UTC (permalink / raw)
To: Xin Long; +Cc: network dev, linux-sctp, davem, Neil Horman
On Tue, Oct 15, 2019 at 03:24:38PM +0800, Xin Long wrote:
> syzbot reported a memory leak:
>
> BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
> backtrace:
>
> [...] slab_alloc mm/slab.c:3319 [inline]
> [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
> [...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
> [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
> [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
> [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
> [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
> [...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
> [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
> [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
> [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
> [...] __do_sys_setsockopt net/socket.c:2100 [inline]
>
> It was caused by when sending msgs without binding a port, in the path:
> inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> not. Later when binding another port by sctp_setsockopt_bindx(), a new
> bucket will be created as bp->port is not set.
>
> sctp's autobind is supposed to call sctp_autobind() where it does all
> things including setting bp->port. Since sctp_autobind() is called in
> sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> auto bind.
>
> THis patch is to avoid calling inet_autobind() in inet_send_prepare()
> by changing sctp_prot .no_autobind with true, also remove the unused
> .get_port.
>
> Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: change sctp_prot .no_autobind with true
2019-10-15 7:24 ` Xin Long
@ 2019-10-16 3:39 ` David Miller
-1 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2019-10-16 3:39 UTC (permalink / raw)
To: lucien.xin; +Cc: netdev, linux-sctp, marcelo.leitner, nhorman
From: Xin Long <lucien.xin@gmail.com>
Date: Tue, 15 Oct 2019 15:24:38 +0800
> syzbot reported a memory leak:
>
> BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
> backtrace:
...
> It was caused by when sending msgs without binding a port, in the path:
> inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> not. Later when binding another port by sctp_setsockopt_bindx(), a new
> bucket will be created as bp->port is not set.
>
> sctp's autobind is supposed to call sctp_autobind() where it does all
> things including setting bp->port. Since sctp_autobind() is called in
> sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> auto bind.
>
> THis patch is to avoid calling inet_autobind() in inet_send_prepare()
> by changing sctp_prot .no_autobind with true, also remove the unused
> .get_port.
>
> Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Applied and queued up for -stable.
Xin, in the future please always provide a Fixes: even if it is the
initial kernel repository commit.
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: change sctp_prot .no_autobind with true
@ 2019-10-16 3:39 ` David Miller
0 siblings, 0 replies; 8+ messages in thread
From: David Miller @ 2019-10-16 3:39 UTC (permalink / raw)
To: lucien.xin; +Cc: netdev, linux-sctp, marcelo.leitner, nhorman
From: Xin Long <lucien.xin@gmail.com>
Date: Tue, 15 Oct 2019 15:24:38 +0800
> syzbot reported a memory leak:
>
> BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
> backtrace:
...
> It was caused by when sending msgs without binding a port, in the path:
> inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> not. Later when binding another port by sctp_setsockopt_bindx(), a new
> bucket will be created as bp->port is not set.
>
> sctp's autobind is supposed to call sctp_autobind() where it does all
> things including setting bp->port. Since sctp_autobind() is called in
> sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> auto bind.
>
> THis patch is to avoid calling inet_autobind() in inet_send_prepare()
> by changing sctp_prot .no_autobind with true, also remove the unused
> .get_port.
>
> Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Applied and queued up for -stable.
Xin, in the future please always provide a Fixes: even if it is the
initial kernel repository commit.
Thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: change sctp_prot .no_autobind with true
2019-10-16 3:39 ` David Miller
@ 2019-10-16 5:26 ` Xin Long
-1 siblings, 0 replies; 8+ messages in thread
From: Xin Long @ 2019-10-16 5:26 UTC (permalink / raw)
To: David Miller
Cc: network dev, linux-sctp, Marcelo Ricardo Leitner, Neil Horman
On Wed, Oct 16, 2019 at 11:39 AM David Miller <davem@davemloft.net> wrote:
>
> From: Xin Long <lucien.xin@gmail.com>
> Date: Tue, 15 Oct 2019 15:24:38 +0800
>
> > syzbot reported a memory leak:
> >
> > BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
> > backtrace:
> ...
> > It was caused by when sending msgs without binding a port, in the path:
> > inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> > .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> > not. Later when binding another port by sctp_setsockopt_bindx(), a new
> > bucket will be created as bp->port is not set.
> >
> > sctp's autobind is supposed to call sctp_autobind() where it does all
> > things including setting bp->port. Since sctp_autobind() is called in
> > sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> > auto bind.
> >
> > THis patch is to avoid calling inet_autobind() in inet_send_prepare()
> > by changing sctp_prot .no_autobind with true, also remove the unused
> > .get_port.
> >
> > Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
> > Signed-off-by: Xin Long <lucien.xin@gmail.com>
>
> Applied and queued up for -stable.
>
> Xin, in the future please always provide a Fixes: even if it is the
> initial kernel repository commit.
Copy, thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
* Re: [PATCH net] sctp: change sctp_prot .no_autobind with true
@ 2019-10-16 5:26 ` Xin Long
0 siblings, 0 replies; 8+ messages in thread
From: Xin Long @ 2019-10-16 5:26 UTC (permalink / raw)
To: David Miller
Cc: network dev, linux-sctp, Marcelo Ricardo Leitner, Neil Horman
On Wed, Oct 16, 2019 at 11:39 AM David Miller <davem@davemloft.net> wrote:
>
> From: Xin Long <lucien.xin@gmail.com>
> Date: Tue, 15 Oct 2019 15:24:38 +0800
>
> > syzbot reported a memory leak:
> >
> > BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
> > backtrace:
> ...
> > It was caused by when sending msgs without binding a port, in the path:
> > inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> > .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> > not. Later when binding another port by sctp_setsockopt_bindx(), a new
> > bucket will be created as bp->port is not set.
> >
> > sctp's autobind is supposed to call sctp_autobind() where it does all
> > things including setting bp->port. Since sctp_autobind() is called in
> > sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> > auto bind.
> >
> > THis patch is to avoid calling inet_autobind() in inet_send_prepare()
> > by changing sctp_prot .no_autobind with true, also remove the unused
> > .get_port.
> >
> > Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
> > Signed-off-by: Xin Long <lucien.xin@gmail.com>
>
> Applied and queued up for -stable.
>
> Xin, in the future please always provide a Fixes: even if it is the
> initial kernel repository commit.
Copy, thanks.
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2019-10-16 5:26 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-10-15 7:24 [PATCH net] sctp: change sctp_prot .no_autobind with true Xin Long
2019-10-15 7:24 ` Xin Long
2019-10-15 14:35 ` Marcelo Ricardo Leitner
2019-10-15 14:35 ` Marcelo Ricardo Leitner
2019-10-16 3:39 ` David Miller
2019-10-16 3:39 ` David Miller
2019-10-16 5:26 ` Xin Long
2019-10-16 5:26 ` Xin Long
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.