* [PATCH] Free cookie before we memdup a new one
@ 2019-06-10 16:34 ` Neil Horman
0 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-10 16:34 UTC (permalink / raw)
To: linux-sctp
Cc: netdev, Neil Horman, Marcelo Ricardo Leitner, Xin Long, David S. Miller
Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.
To ensure that we don't leak cookie memory, free any previously
allocated cookie first.
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
---
net/sctp/sm_make_chunk.c | 2 ++
1 file changed, 2 insertions(+)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f17908f5c4f3..21f7faf032e5 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
case SCTP_PARAM_STATE_COOKIE:
asoc->peer.cookie_len ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
if (!asoc->peer.cookie)
retval = 0;
--
2.20.1
^ permalink raw reply related [flat|nested] 36+ messages in thread
* Re: [PATCH] Free cookie before we memdup a new one
2019-06-10 16:34 ` Neil Horman
@ 2019-06-10 16:38 ` David Miller
-1 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-10 16:38 UTC (permalink / raw)
To: nhorman; +Cc: linux-sctp, netdev, marcelo.leitner, lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Mon, 10 Jun 2019 12:34:56 -0400
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Please post with an appropriate subsystem prefix in the Subject.
Thank you.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH] Free cookie before we memdup a new one
@ 2019-06-10 16:38 ` David Miller
0 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-10 16:38 UTC (permalink / raw)
To: nhorman; +Cc: linux-sctp, netdev, marcelo.leitner, lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Mon, 10 Jun 2019 12:34:56 -0400
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Please post with an appropriate subsystem prefix in the Subject.
Thank you.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH] Free cookie before we memdup a new one
2019-06-10 16:34 ` Neil Horman
@ 2019-06-10 16:54 ` Xin Long
-1 siblings, 0 replies; 36+ messages in thread
From: Xin Long @ 2019-06-10 16:54 UTC (permalink / raw)
To: Neil Horman
Cc: linux-sctp, network dev, Marcelo Ricardo Leitner, David S. Miller
On Tue, Jun 11, 2019 at 12:35 AM Neil Horman <nhorman@tuxdriver.com> wrote:
>
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
Hi, Neil,
I think we should also do the same thing to the other 2 kmemdups in
sctp_process_param():
asoc->peer.peer_random
asoc->peer.peer_hmacs
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
> ---
> net/sctp/sm_make_chunk.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index f17908f5c4f3..21f7faf032e5 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> case SCTP_PARAM_STATE_COOKIE:
> asoc->peer.cookie_len =
> ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> + if (asoc->peer.cookie)
> + kfree(asoc->peer.cookie);
> asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> if (!asoc->peer.cookie)
> retval = 0;
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH] Free cookie before we memdup a new one
@ 2019-06-10 16:54 ` Xin Long
0 siblings, 0 replies; 36+ messages in thread
From: Xin Long @ 2019-06-10 16:54 UTC (permalink / raw)
To: Neil Horman
Cc: linux-sctp, network dev, Marcelo Ricardo Leitner, David S. Miller
On Tue, Jun 11, 2019 at 12:35 AM Neil Horman <nhorman@tuxdriver.com> wrote:
>
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
Hi, Neil,
I think we should also do the same thing to the other 2 kmemdups in
sctp_process_param():
asoc->peer.peer_random
asoc->peer.peer_hmacs
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
> ---
> net/sctp/sm_make_chunk.c | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index f17908f5c4f3..21f7faf032e5 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> case SCTP_PARAM_STATE_COOKIE:
> asoc->peer.cookie_len > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> + if (asoc->peer.cookie)
> + kfree(asoc->peer.cookie);
> asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> if (!asoc->peer.cookie)
> retval = 0;
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 36+ messages in thread
* [PATCH v2] [net] Free cookie before we memdup a new one
2019-06-10 16:34 ` Neil Horman
@ 2019-06-11 11:21 ` Neil Horman
-1 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-11 11:21 UTC (permalink / raw)
To: linux-sctp
Cc: netdev, Neil Horman, Marcelo Ricardo Leitner, Xin Long, David S. Miller
Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.
To ensure that we don't leak cookie memory, free any previously
allocated cookie first.
---
Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
---
net/sctp/sm_make_chunk.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f17908f5c4f3..0992ec0395f8 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
case SCTP_PARAM_STATE_COOKIE:
asoc->peer.cookie_len =
ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
if (!asoc->peer.cookie)
retval = 0;
@@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's random parameter */
+ if (asoc->peer.peer_random)
+ kfree(asoc->peer.peer_random);
asoc->peer.peer_random = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_random) {
@@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's HMAC list */
+ if (asoc->peer.peer_hmacs)
+ kfree(asoc->peer.peer_hmacs);
asoc->peer.peer_hmacs = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_hmacs) {
--
2.20.1
^ permalink raw reply related [flat|nested] 36+ messages in thread* [PATCH v2] [net] Free cookie before we memdup a new one
@ 2019-06-11 11:21 ` Neil Horman
0 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-11 11:21 UTC (permalink / raw)
To: linux-sctp
Cc: netdev, Neil Horman, Marcelo Ricardo Leitner, Xin Long, David S. Miller
Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.
To ensure that we don't leak cookie memory, free any previously
allocated cookie first.
---
Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
---
net/sctp/sm_make_chunk.c | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f17908f5c4f3..0992ec0395f8 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
case SCTP_PARAM_STATE_COOKIE:
asoc->peer.cookie_len ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
if (!asoc->peer.cookie)
retval = 0;
@@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's random parameter */
+ if (asoc->peer.peer_random)
+ kfree(asoc->peer.peer_random);
asoc->peer.peer_random = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_random) {
@@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's HMAC list */
+ if (asoc->peer.peer_hmacs)
+ kfree(asoc->peer.peer_hmacs);
asoc->peer.peer_hmacs = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_hmacs) {
--
2.20.1
^ permalink raw reply related [flat|nested] 36+ messages in thread* Re: [PATCH v2] [net] Free cookie before we memdup a new one
2019-06-11 11:21 ` Neil Horman
@ 2019-06-11 11:44 ` Marcelo Ricardo Leitner
-1 siblings, 0 replies; 36+ messages in thread
From: Marcelo Ricardo Leitner @ 2019-06-11 11:44 UTC (permalink / raw)
To: Neil Horman; +Cc: linux-sctp, netdev, Xin Long, David S. Miller
On Tue, Jun 11, 2019 at 07:21:28AM -0400, Neil Horman wrote:
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> ---
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
They are actually 4 vars. The 4th one being peer_chunks.
And a syzkaller Fixes tag would be welcomed as well, so that if
someone backports the fix for it will have a hint to backport this
patch also.
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
> ---
> net/sctp/sm_make_chunk.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index f17908f5c4f3..0992ec0395f8 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> case SCTP_PARAM_STATE_COOKIE:
> asoc->peer.cookie_len =
> ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> + if (asoc->peer.cookie)
> + kfree(asoc->peer.cookie);
> asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> if (!asoc->peer.cookie)
> retval = 0;
> @@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's random parameter */
> + if (asoc->peer.peer_random)
> + kfree(asoc->peer.peer_random);
> asoc->peer.peer_random = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_random) {
> @@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's HMAC list */
> + if (asoc->peer.peer_hmacs)
> + kfree(asoc->peer.peer_hmacs);
> asoc->peer.peer_hmacs = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_hmacs) {
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 36+ messages in thread* Re: [PATCH v2] [net] Free cookie before we memdup a new one
@ 2019-06-11 11:44 ` Marcelo Ricardo Leitner
0 siblings, 0 replies; 36+ messages in thread
From: Marcelo Ricardo Leitner @ 2019-06-11 11:44 UTC (permalink / raw)
To: Neil Horman; +Cc: linux-sctp, netdev, Xin Long, David S. Miller
On Tue, Jun 11, 2019 at 07:21:28AM -0400, Neil Horman wrote:
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> ---
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
They are actually 4 vars. The 4th one being peer_chunks.
And a syzkaller Fixes tag would be welcomed as well, so that if
someone backports the fix for it will have a hint to backport this
patch also.
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
> ---
> net/sctp/sm_make_chunk.c | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index f17908f5c4f3..0992ec0395f8 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> case SCTP_PARAM_STATE_COOKIE:
> asoc->peer.cookie_len > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> + if (asoc->peer.cookie)
> + kfree(asoc->peer.cookie);
> asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> if (!asoc->peer.cookie)
> retval = 0;
> @@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's random parameter */
> + if (asoc->peer.peer_random)
> + kfree(asoc->peer.peer_random);
> asoc->peer.peer_random = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_random) {
> @@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's HMAC list */
> + if (asoc->peer.peer_hmacs)
> + kfree(asoc->peer.peer_hmacs);
> asoc->peer.peer_hmacs = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_hmacs) {
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v2] [net] Free cookie before we memdup a new one
2019-06-11 11:21 ` Neil Horman
@ 2019-06-11 12:17 ` Marcelo Ricardo Leitner
-1 siblings, 0 replies; 36+ messages in thread
From: Marcelo Ricardo Leitner @ 2019-06-11 12:17 UTC (permalink / raw)
To: Neil Horman; +Cc: linux-sctp, netdev, Xin Long, David S. Miller
On Tue, Jun 11, 2019 at 07:21:28AM -0400, Neil Horman wrote:
Btw, I guess DaveM had meant to add "sctp: " in the subject.
Marcelo
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v2] [net] Free cookie before we memdup a new one
2019-06-11 11:21 ` Neil Horman
@ 2019-06-11 16:06 ` David Miller
-1 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-11 16:06 UTC (permalink / raw)
To: nhorman; +Cc: linux-sctp, netdev, marcelo.leitner, lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Tue, 11 Jun 2019 07:21:28 -0400
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> ---
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
Subsystem tag is "sctp: " which still isn't there :-)
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v2] [net] Free cookie before we memdup a new one
@ 2019-06-11 16:06 ` David Miller
0 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-11 16:06 UTC (permalink / raw)
To: nhorman; +Cc: linux-sctp, netdev, marcelo.leitner, lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Tue, 11 Jun 2019 07:21:28 -0400
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> ---
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
Subsystem tag is "sctp: " which still isn't there :-)
^ permalink raw reply [flat|nested] 36+ messages in thread
* [PATCH v3] [sctp] Free cookie before we memdup a new one
2019-06-10 16:34 ` Neil Horman
@ 2019-06-11 19:22 ` Neil Horman
-1 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-11 19:22 UTC (permalink / raw)
To: linux-sctp
Cc: netdev, Neil Horman, syzbot+f7e9153b037eac9b1df8,
Marcelo Ricardo Leitner, Xin Long, David S. Miller
Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.
To ensure that we don't leak cookie memory, free any previously
allocated cookie first.
---
Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)
v2->v3
net->sctp
also free peer_chunks
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
---
net/sctp/sm_make_chunk.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f17908f5c4f3..9b0e5b0d701a 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
case SCTP_PARAM_STATE_COOKIE:
asoc->peer.cookie_len =
ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
if (!asoc->peer.cookie)
retval = 0;
@@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's random parameter */
+ if (asoc->peer.peer_random)
+ kfree(asoc->peer.peer_random);
asoc->peer.peer_random = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_random) {
@@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's HMAC list */
+ if (asoc->peer.peer_hmacs)
+ kfree(asoc->peer.peer_hmacs);
asoc->peer.peer_hmacs = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_hmacs) {
@@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
if (!ep->auth_enable)
goto fall_through;
+ if (asoc->peer.peer_chunks)
+ kfree(asoc->peer.peer_chunks);
asoc->peer.peer_chunks = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_chunks)
--
2.20.1
^ permalink raw reply related [flat|nested] 36+ messages in thread* [PATCH v3] [sctp] Free cookie before we memdup a new one
@ 2019-06-11 19:22 ` Neil Horman
0 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-11 19:22 UTC (permalink / raw)
To: linux-sctp
Cc: netdev, Neil Horman, syzbot+f7e9153b037eac9b1df8,
Marcelo Ricardo Leitner, Xin Long, David S. Miller
Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.
To ensure that we don't leak cookie memory, free any previously
allocated cookie first.
---
Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)
v2->v3
net->sctp
also free peer_chunks
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
---
net/sctp/sm_make_chunk.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f17908f5c4f3..9b0e5b0d701a 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
case SCTP_PARAM_STATE_COOKIE:
asoc->peer.cookie_len ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
if (!asoc->peer.cookie)
retval = 0;
@@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's random parameter */
+ if (asoc->peer.peer_random)
+ kfree(asoc->peer.peer_random);
asoc->peer.peer_random = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_random) {
@@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's HMAC list */
+ if (asoc->peer.peer_hmacs)
+ kfree(asoc->peer.peer_hmacs);
asoc->peer.peer_hmacs = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_hmacs) {
@@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
if (!ep->auth_enable)
goto fall_through;
+ if (asoc->peer.peer_chunks)
+ kfree(asoc->peer.peer_chunks);
asoc->peer.peer_chunks = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_chunks)
--
2.20.1
^ permalink raw reply related [flat|nested] 36+ messages in thread* Re: [PATCH v3] [sctp] Free cookie before we memdup a new one
2019-06-11 19:22 ` Neil Horman
@ 2019-06-11 20:08 ` David Miller
-1 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-11 20:08 UTC (permalink / raw)
To: nhorman
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, marcelo.leitner,
lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Tue, 11 Jun 2019 15:22:45 -0400
> v2->v3
> net->sctp
> also free peer_chunks
Neil this isn't the first time you're submitting sctp patches right? ;-)
Subject: "[PATCH v3 net] sctp: Free cookie before we memdup a new one"
It's "subsystem_prefix: " and I even stated this explicitly yesterday.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v3] [sctp] Free cookie before we memdup a new one
@ 2019-06-11 20:08 ` David Miller
0 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-11 20:08 UTC (permalink / raw)
To: nhorman
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, marcelo.leitner,
lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Tue, 11 Jun 2019 15:22:45 -0400
> v2->v3
> net->sctp
> also free peer_chunks
Neil this isn't the first time you're submitting sctp patches right? ;-)
Subject: "[PATCH v3 net] sctp: Free cookie before we memdup a new one"
It's "subsystem_prefix: " and I even stated this explicitly yesterday.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v3] [sctp] Free cookie before we memdup a new one
2019-06-11 20:08 ` David Miller
@ 2019-06-11 20:52 ` Neil Horman
-1 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-11 20:52 UTC (permalink / raw)
To: David Miller
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, marcelo.leitner,
lucien.xin
On Tue, Jun 11, 2019 at 01:08:56PM -0700, David Miller wrote:
> From: Neil Horman <nhorman@tuxdriver.com>
> Date: Tue, 11 Jun 2019 15:22:45 -0400
>
> > v2->v3
> > net->sctp
> > also free peer_chunks
>
> Neil this isn't the first time you're submitting sctp patches right? ;-)
>
> Subject: "[PATCH v3 net] sctp: Free cookie before we memdup a new one"
>
> It's "subsystem_prefix: " and I even stated this explicitly yesterday.
>
No, sorry, I'm trying to do this while I get a CI mess sorted out at the same
time, and I'm not close attention here.
If you want to take over a few dozen user space packages for me in RHEL, I'll
gladly get this right on the first try :)
Neil
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v3] [sctp] Free cookie before we memdup a new one
@ 2019-06-11 20:52 ` Neil Horman
0 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-11 20:52 UTC (permalink / raw)
To: David Miller
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, marcelo.leitner,
lucien.xin
On Tue, Jun 11, 2019 at 01:08:56PM -0700, David Miller wrote:
> From: Neil Horman <nhorman@tuxdriver.com>
> Date: Tue, 11 Jun 2019 15:22:45 -0400
>
> > v2->v3
> > net->sctp
> > also free peer_chunks
>
> Neil this isn't the first time you're submitting sctp patches right? ;-)
>
> Subject: "[PATCH v3 net] sctp: Free cookie before we memdup a new one"
>
> It's "subsystem_prefix: " and I even stated this explicitly yesterday.
>
No, sorry, I'm trying to do this while I get a CI mess sorted out at the same
time, and I'm not close attention here.
If you want to take over a few dozen user space packages for me in RHEL, I'll
gladly get this right on the first try :)
Neil
^ permalink raw reply [flat|nested] 36+ messages in thread
* [PATCH v4 net] sctp: Free cookie before we memdup a new one
2019-06-10 16:34 ` Neil Horman
@ 2019-06-12 0:38 ` Neil Horman
-1 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-12 0:38 UTC (permalink / raw)
To: linux-sctp
Cc: netdev, Neil Horman, syzbot+f7e9153b037eac9b1df8,
Marcelo Ricardo Leitner, Xin Long, David S. Miller
Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.
To ensure that we don't leak cookie memory, free any previously
allocated cookie first.
---
Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)
v2->v3
net->sctp
also free peer_chunks
v3->v4
fix subject tags
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
---
net/sctp/sm_make_chunk.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f17908f5c4f3..9b0e5b0d701a 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
case SCTP_PARAM_STATE_COOKIE:
asoc->peer.cookie_len =
ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
if (!asoc->peer.cookie)
retval = 0;
@@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's random parameter */
+ if (asoc->peer.peer_random)
+ kfree(asoc->peer.peer_random);
asoc->peer.peer_random = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_random) {
@@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's HMAC list */
+ if (asoc->peer.peer_hmacs)
+ kfree(asoc->peer.peer_hmacs);
asoc->peer.peer_hmacs = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_hmacs) {
@@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
if (!ep->auth_enable)
goto fall_through;
+ if (asoc->peer.peer_chunks)
+ kfree(asoc->peer.peer_chunks);
asoc->peer.peer_chunks = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_chunks)
--
2.20.1
^ permalink raw reply related [flat|nested] 36+ messages in thread* [PATCH v4 net] sctp: Free cookie before we memdup a new one
@ 2019-06-12 0:38 ` Neil Horman
0 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-12 0:38 UTC (permalink / raw)
To: linux-sctp
Cc: netdev, Neil Horman, syzbot+f7e9153b037eac9b1df8,
Marcelo Ricardo Leitner, Xin Long, David S. Miller
Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.
To ensure that we don't leak cookie memory, free any previously
allocated cookie first.
---
Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)
v2->v3
net->sctp
also free peer_chunks
v3->v4
fix subject tags
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
---
net/sctp/sm_make_chunk.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f17908f5c4f3..9b0e5b0d701a 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
case SCTP_PARAM_STATE_COOKIE:
asoc->peer.cookie_len ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
if (!asoc->peer.cookie)
retval = 0;
@@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's random parameter */
+ if (asoc->peer.peer_random)
+ kfree(asoc->peer.peer_random);
asoc->peer.peer_random = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_random) {
@@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's HMAC list */
+ if (asoc->peer.peer_hmacs)
+ kfree(asoc->peer.peer_hmacs);
asoc->peer.peer_hmacs = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_hmacs) {
@@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
if (!ep->auth_enable)
goto fall_through;
+ if (asoc->peer.peer_chunks)
+ kfree(asoc->peer.peer_chunks);
asoc->peer.peer_chunks = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_chunks)
--
2.20.1
^ permalink raw reply related [flat|nested] 36+ messages in thread* Re: [PATCH v4 net] sctp: Free cookie before we memdup a new one
2019-06-12 0:38 ` Neil Horman
@ 2019-06-12 17:58 ` Xin Long
-1 siblings, 0 replies; 36+ messages in thread
From: Xin Long @ 2019-06-12 17:58 UTC (permalink / raw)
To: Neil Horman
Cc: linux-sctp, network dev, syzbot+f7e9153b037eac9b1df8,
Marcelo Ricardo Leitner, David S. Miller
On Wed, Jun 12, 2019 at 8:38 AM Neil Horman <nhorman@tuxdriver.com> wrote:
>
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> ---
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
>
> v2->v3
> net->sctp
> also free peer_chunks
>
> v3->v4
> fix subject tags
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
> ---
> net/sctp/sm_make_chunk.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index f17908f5c4f3..9b0e5b0d701a 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> case SCTP_PARAM_STATE_COOKIE:
> asoc->peer.cookie_len =
> ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> + if (asoc->peer.cookie)
> + kfree(asoc->peer.cookie);
> asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> if (!asoc->peer.cookie)
> retval = 0;
> @@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's random parameter */
> + if (asoc->peer.peer_random)
> + kfree(asoc->peer.peer_random);
> asoc->peer.peer_random = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_random) {
> @@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's HMAC list */
> + if (asoc->peer.peer_hmacs)
> + kfree(asoc->peer.peer_hmacs);
> asoc->peer.peer_hmacs = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_hmacs) {
> @@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> if (!ep->auth_enable)
> goto fall_through;
>
> + if (asoc->peer.peer_chunks)
> + kfree(asoc->peer.peer_chunks);
> asoc->peer.peer_chunks = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_chunks)
> --
> 2.20.1
>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
^ permalink raw reply [flat|nested] 36+ messages in thread* Re: [PATCH v4 net] sctp: Free cookie before we memdup a new one
@ 2019-06-12 17:58 ` Xin Long
0 siblings, 0 replies; 36+ messages in thread
From: Xin Long @ 2019-06-12 17:58 UTC (permalink / raw)
To: Neil Horman
Cc: linux-sctp, network dev, syzbot+f7e9153b037eac9b1df8,
Marcelo Ricardo Leitner, David S. Miller
On Wed, Jun 12, 2019 at 8:38 AM Neil Horman <nhorman@tuxdriver.com> wrote:
>
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> ---
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
>
> v2->v3
> net->sctp
> also free peer_chunks
>
> v3->v4
> fix subject tags
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
> ---
> net/sctp/sm_make_chunk.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index f17908f5c4f3..9b0e5b0d701a 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> case SCTP_PARAM_STATE_COOKIE:
> asoc->peer.cookie_len > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> + if (asoc->peer.cookie)
> + kfree(asoc->peer.cookie);
> asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> if (!asoc->peer.cookie)
> retval = 0;
> @@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's random parameter */
> + if (asoc->peer.peer_random)
> + kfree(asoc->peer.peer_random);
> asoc->peer.peer_random = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_random) {
> @@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's HMAC list */
> + if (asoc->peer.peer_hmacs)
> + kfree(asoc->peer.peer_hmacs);
> asoc->peer.peer_hmacs = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_hmacs) {
> @@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> if (!ep->auth_enable)
> goto fall_through;
>
> + if (asoc->peer.peer_chunks)
> + kfree(asoc->peer.peer_chunks);
> asoc->peer.peer_chunks = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_chunks)
> --
> 2.20.1
>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 net] sctp: Free cookie before we memdup a new one
2019-06-12 0:38 ` Neil Horman
@ 2019-06-12 18:07 ` Marcelo Ricardo Leitner
-1 siblings, 0 replies; 36+ messages in thread
From: Marcelo Ricardo Leitner @ 2019-06-12 18:07 UTC (permalink / raw)
To: Neil Horman
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, Xin Long,
David S. Miller
On Tue, Jun 11, 2019 at 08:38:14PM -0400, Neil Horman wrote:
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> ---
This marker can't be here, as it causes git to loose everything below.
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
>
> v2->v3
> net->sctp
> also free peer_chunks
>
> v3->v4
> fix subject tags
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
Anyhow, LGTM and reproducer didn't give any hits in 2 runs of 50mins.
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 net] sctp: Free cookie before we memdup a new one
@ 2019-06-12 18:07 ` Marcelo Ricardo Leitner
0 siblings, 0 replies; 36+ messages in thread
From: Marcelo Ricardo Leitner @ 2019-06-12 18:07 UTC (permalink / raw)
To: Neil Horman
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, Xin Long,
David S. Miller
On Tue, Jun 11, 2019 at 08:38:14PM -0400, Neil Horman wrote:
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> ---
This marker can't be here, as it causes git to loose everything below.
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
>
> v2->v3
> net->sctp
> also free peer_chunks
>
> v3->v4
> fix subject tags
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
Anyhow, LGTM and reproducer didn't give any hits in 2 runs of 50mins.
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 net] sctp: Free cookie before we memdup a new one
2019-06-12 18:07 ` Marcelo Ricardo Leitner
@ 2019-06-12 20:32 ` Neil Horman
-1 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-12 20:32 UTC (permalink / raw)
To: Marcelo Ricardo Leitner
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, Xin Long,
David S. Miller
On Wed, Jun 12, 2019 at 03:07:15PM -0300, Marcelo Ricardo Leitner wrote:
> On Tue, Jun 11, 2019 at 08:38:14PM -0400, Neil Horman wrote:
> > Based on comments from Xin, even after fixes for our recent syzbot
> > report of cookie memory leaks, its possible to get a resend of an INIT
> > chunk which would lead to us leaking cookie memory.
> >
> > To ensure that we don't leak cookie memory, free any previously
> > allocated cookie first.
> >
> > ---
>
> This marker can't be here, as it causes git to loose everything below.
>
thats intentional so that, when Dave commits it, the change notes arent carried
into the changelog (I.e. the change notes are useful for email review, but not
especially useful in the permanent commit history).
Neil
> > Change notes
> > v1->v2
> > update subsystem tag in subject (davem)
> > repeat kfree check for peer_random and peer_hmacs (xin)
> >
> > v2->v3
> > net->sctp
> > also free peer_chunks
> >
> > v3->v4
> > fix subject tags
> >
> > Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> > Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
> > CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> > CC: Xin Long <lucien.xin@gmail.com>
> > CC: "David S. Miller" <davem@davemloft.net>
> > CC: netdev@vger.kernel.org
>
> Anyhow, LGTM and reproducer didn't give any hits in 2 runs of 50mins.
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 net] sctp: Free cookie before we memdup a new one
@ 2019-06-12 20:32 ` Neil Horman
0 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-12 20:32 UTC (permalink / raw)
To: Marcelo Ricardo Leitner
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, Xin Long,
David S. Miller
On Wed, Jun 12, 2019 at 03:07:15PM -0300, Marcelo Ricardo Leitner wrote:
> On Tue, Jun 11, 2019 at 08:38:14PM -0400, Neil Horman wrote:
> > Based on comments from Xin, even after fixes for our recent syzbot
> > report of cookie memory leaks, its possible to get a resend of an INIT
> > chunk which would lead to us leaking cookie memory.
> >
> > To ensure that we don't leak cookie memory, free any previously
> > allocated cookie first.
> >
> > ---
>
> This marker can't be here, as it causes git to loose everything below.
>
thats intentional so that, when Dave commits it, the change notes arent carried
into the changelog (I.e. the change notes are useful for email review, but not
especially useful in the permanent commit history).
Neil
> > Change notes
> > v1->v2
> > update subsystem tag in subject (davem)
> > repeat kfree check for peer_random and peer_hmacs (xin)
> >
> > v2->v3
> > net->sctp
> > also free peer_chunks
> >
> > v3->v4
> > fix subject tags
> >
> > Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> > Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
> > CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> > CC: Xin Long <lucien.xin@gmail.com>
> > CC: "David S. Miller" <davem@davemloft.net>
> > CC: netdev@vger.kernel.org
>
> Anyhow, LGTM and reproducer didn't give any hits in 2 runs of 50mins.
> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 net] sctp: Free cookie before we memdup a new one
2019-06-12 20:32 ` Neil Horman
@ 2019-06-12 20:41 ` David Miller
-1 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-12 20:41 UTC (permalink / raw)
To: nhorman
Cc: marcelo.leitner, linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8,
lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Wed, 12 Jun 2019 16:32:30 -0400
> On Wed, Jun 12, 2019 at 03:07:15PM -0300, Marcelo Ricardo Leitner wrote:
>> On Tue, Jun 11, 2019 at 08:38:14PM -0400, Neil Horman wrote:
>> > Based on comments from Xin, even after fixes for our recent syzbot
>> > report of cookie memory leaks, its possible to get a resend of an INIT
>> > chunk which would lead to us leaking cookie memory.
>> >
>> > To ensure that we don't leak cookie memory, free any previously
>> > allocated cookie first.
>> >
>> > ---
>>
>> This marker can't be here, as it causes git to loose everything below.
>>
> thats intentional so that, when Dave commits it, the change notes arent carried
> into the changelog (I.e. the change notes are useful for email review, but not
> especially useful in the permanent commit history).
1) I like the changelog notes to be included
2) Your signoff etc. was in that area too so would have been lost as well
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v4 net] sctp: Free cookie before we memdup a new one
@ 2019-06-12 20:41 ` David Miller
0 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-12 20:41 UTC (permalink / raw)
To: nhorman
Cc: marcelo.leitner, linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8,
lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Wed, 12 Jun 2019 16:32:30 -0400
> On Wed, Jun 12, 2019 at 03:07:15PM -0300, Marcelo Ricardo Leitner wrote:
>> On Tue, Jun 11, 2019 at 08:38:14PM -0400, Neil Horman wrote:
>> > Based on comments from Xin, even after fixes for our recent syzbot
>> > report of cookie memory leaks, its possible to get a resend of an INIT
>> > chunk which would lead to us leaking cookie memory.
>> >
>> > To ensure that we don't leak cookie memory, free any previously
>> > allocated cookie first.
>> >
>> > ---
>>
>> This marker can't be here, as it causes git to loose everything below.
>>
> thats intentional so that, when Dave commits it, the change notes arent carried
> into the changelog (I.e. the change notes are useful for email review, but not
> especially useful in the permanent commit history).
1) I like the changelog notes to be included
2) Your signoff etc. was in that area too so would have been lost as well
^ permalink raw reply [flat|nested] 36+ messages in thread
* [PATCH v5 net] sctp: Free cookie before we memdup a new one
2019-06-10 16:34 ` Neil Horman
@ 2019-06-13 10:35 ` Neil Horman
-1 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-13 10:35 UTC (permalink / raw)
To: linux-sctp
Cc: netdev, Neil Horman, syzbot+f7e9153b037eac9b1df8,
Marcelo Ricardo Leitner, Xin Long, David S. Miller
Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.
To ensure that we don't leak cookie memory, free any previously
allocated cookie first.
Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)
v2->v3
net->sctp
also free peer_chunks
v3->v4
fix subject tags
v4->v5
remove cut line
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
---
net/sctp/sm_make_chunk.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f17908f5c4f3..9b0e5b0d701a 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
case SCTP_PARAM_STATE_COOKIE:
asoc->peer.cookie_len =
ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
if (!asoc->peer.cookie)
retval = 0;
@@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's random parameter */
+ if (asoc->peer.peer_random)
+ kfree(asoc->peer.peer_random);
asoc->peer.peer_random = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_random) {
@@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's HMAC list */
+ if (asoc->peer.peer_hmacs)
+ kfree(asoc->peer.peer_hmacs);
asoc->peer.peer_hmacs = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_hmacs) {
@@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
if (!ep->auth_enable)
goto fall_through;
+ if (asoc->peer.peer_chunks)
+ kfree(asoc->peer.peer_chunks);
asoc->peer.peer_chunks = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_chunks)
--
2.20.1
^ permalink raw reply related [flat|nested] 36+ messages in thread* [PATCH v5 net] sctp: Free cookie before we memdup a new one
@ 2019-06-13 10:35 ` Neil Horman
0 siblings, 0 replies; 36+ messages in thread
From: Neil Horman @ 2019-06-13 10:35 UTC (permalink / raw)
To: linux-sctp
Cc: netdev, Neil Horman, syzbot+f7e9153b037eac9b1df8,
Marcelo Ricardo Leitner, Xin Long, David S. Miller
Based on comments from Xin, even after fixes for our recent syzbot
report of cookie memory leaks, its possible to get a resend of an INIT
chunk which would lead to us leaking cookie memory.
To ensure that we don't leak cookie memory, free any previously
allocated cookie first.
Change notes
v1->v2
update subsystem tag in subject (davem)
repeat kfree check for peer_random and peer_hmacs (xin)
v2->v3
net->sctp
also free peer_chunks
v3->v4
fix subject tags
v4->v5
remove cut line
Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
CC: Xin Long <lucien.xin@gmail.com>
CC: "David S. Miller" <davem@davemloft.net>
CC: netdev@vger.kernel.org
---
net/sctp/sm_make_chunk.c | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
index f17908f5c4f3..9b0e5b0d701a 100644
--- a/net/sctp/sm_make_chunk.c
+++ b/net/sctp/sm_make_chunk.c
@@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
case SCTP_PARAM_STATE_COOKIE:
asoc->peer.cookie_len ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
+ if (asoc->peer.cookie)
+ kfree(asoc->peer.cookie);
asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
if (!asoc->peer.cookie)
retval = 0;
@@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's random parameter */
+ if (asoc->peer.peer_random)
+ kfree(asoc->peer.peer_random);
asoc->peer.peer_random = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_random) {
@@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
goto fall_through;
/* Save peer's HMAC list */
+ if (asoc->peer.peer_hmacs)
+ kfree(asoc->peer.peer_hmacs);
asoc->peer.peer_hmacs = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_hmacs) {
@@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
if (!ep->auth_enable)
goto fall_through;
+ if (asoc->peer.peer_chunks)
+ kfree(asoc->peer.peer_chunks);
asoc->peer.peer_chunks = kmemdup(param.p,
ntohs(param.p->length), gfp);
if (!asoc->peer.peer_chunks)
--
2.20.1
^ permalink raw reply related [flat|nested] 36+ messages in thread* Re: [PATCH v5 net] sctp: Free cookie before we memdup a new one
2019-06-13 10:35 ` Neil Horman
@ 2019-06-13 16:51 ` Marcelo Ricardo Leitner
-1 siblings, 0 replies; 36+ messages in thread
From: Marcelo Ricardo Leitner @ 2019-06-13 16:51 UTC (permalink / raw)
To: Neil Horman
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, Xin Long,
David S. Miller
On Thu, Jun 13, 2019 at 06:35:59AM -0400, Neil Horman wrote:
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
>
> v2->v3
> net->sctp
> also free peer_chunks
>
> v3->v4
> fix subject tags
>
> v4->v5
> remove cut line
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> ---
> net/sctp/sm_make_chunk.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index f17908f5c4f3..9b0e5b0d701a 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> case SCTP_PARAM_STATE_COOKIE:
> asoc->peer.cookie_len =
> ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> + if (asoc->peer.cookie)
> + kfree(asoc->peer.cookie);
> asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> if (!asoc->peer.cookie)
> retval = 0;
> @@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's random parameter */
> + if (asoc->peer.peer_random)
> + kfree(asoc->peer.peer_random);
> asoc->peer.peer_random = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_random) {
> @@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's HMAC list */
> + if (asoc->peer.peer_hmacs)
> + kfree(asoc->peer.peer_hmacs);
> asoc->peer.peer_hmacs = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_hmacs) {
> @@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> if (!ep->auth_enable)
> goto fall_through;
>
> + if (asoc->peer.peer_chunks)
> + kfree(asoc->peer.peer_chunks);
> asoc->peer.peer_chunks = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_chunks)
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 36+ messages in thread* Re: [PATCH v5 net] sctp: Free cookie before we memdup a new one
@ 2019-06-13 16:51 ` Marcelo Ricardo Leitner
0 siblings, 0 replies; 36+ messages in thread
From: Marcelo Ricardo Leitner @ 2019-06-13 16:51 UTC (permalink / raw)
To: Neil Horman
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, Xin Long,
David S. Miller
On Thu, Jun 13, 2019 at 06:35:59AM -0400, Neil Horman wrote:
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
>
> v2->v3
> net->sctp
> also free peer_chunks
>
> v3->v4
> fix subject tags
>
> v4->v5
> remove cut line
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
> CC: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> CC: Xin Long <lucien.xin@gmail.com>
> CC: "David S. Miller" <davem@davemloft.net>
> CC: netdev@vger.kernel.org
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> ---
> net/sctp/sm_make_chunk.c | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c
> index f17908f5c4f3..9b0e5b0d701a 100644
> --- a/net/sctp/sm_make_chunk.c
> +++ b/net/sctp/sm_make_chunk.c
> @@ -2583,6 +2583,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> case SCTP_PARAM_STATE_COOKIE:
> asoc->peer.cookie_len > ntohs(param.p->length) - sizeof(struct sctp_paramhdr);
> + if (asoc->peer.cookie)
> + kfree(asoc->peer.cookie);
> asoc->peer.cookie = kmemdup(param.cookie->body, asoc->peer.cookie_len, gfp);
> if (!asoc->peer.cookie)
> retval = 0;
> @@ -2647,6 +2649,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's random parameter */
> + if (asoc->peer.peer_random)
> + kfree(asoc->peer.peer_random);
> asoc->peer.peer_random = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_random) {
> @@ -2660,6 +2664,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> goto fall_through;
>
> /* Save peer's HMAC list */
> + if (asoc->peer.peer_hmacs)
> + kfree(asoc->peer.peer_hmacs);
> asoc->peer.peer_hmacs = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_hmacs) {
> @@ -2675,6 +2681,8 @@ static int sctp_process_param(struct sctp_association *asoc,
> if (!ep->auth_enable)
> goto fall_through;
>
> + if (asoc->peer.peer_chunks)
> + kfree(asoc->peer.peer_chunks);
> asoc->peer.peer_chunks = kmemdup(param.p,
> ntohs(param.p->length), gfp);
> if (!asoc->peer.peer_chunks)
> --
> 2.20.1
>
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v5 net] sctp: Free cookie before we memdup a new one
2019-06-13 10:35 ` Neil Horman
@ 2019-06-15 2:27 ` David Miller
-1 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-15 2:27 UTC (permalink / raw)
To: nhorman
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, marcelo.leitner,
lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Thu, 13 Jun 2019 06:35:59 -0400
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
>
> v2->v3
> net->sctp
> also free peer_chunks
>
> v3->v4
> fix subject tags
>
> v4->v5
> remove cut line
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
Applied, thanks.
^ permalink raw reply [flat|nested] 36+ messages in thread
* Re: [PATCH v5 net] sctp: Free cookie before we memdup a new one
@ 2019-06-15 2:27 ` David Miller
0 siblings, 0 replies; 36+ messages in thread
From: David Miller @ 2019-06-15 2:27 UTC (permalink / raw)
To: nhorman
Cc: linux-sctp, netdev, syzbot+f7e9153b037eac9b1df8, marcelo.leitner,
lucien.xin
From: Neil Horman <nhorman@tuxdriver.com>
Date: Thu, 13 Jun 2019 06:35:59 -0400
> Based on comments from Xin, even after fixes for our recent syzbot
> report of cookie memory leaks, its possible to get a resend of an INIT
> chunk which would lead to us leaking cookie memory.
>
> To ensure that we don't leak cookie memory, free any previously
> allocated cookie first.
>
> Change notes
> v1->v2
> update subsystem tag in subject (davem)
> repeat kfree check for peer_random and peer_hmacs (xin)
>
> v2->v3
> net->sctp
> also free peer_chunks
>
> v3->v4
> fix subject tags
>
> v4->v5
> remove cut line
>
> Signed-off-by: Neil Horman <nhorman@tuxdriver.com>
> Reported-by: syzbot+f7e9153b037eac9b1df8@syzkaller.appspotmail.com
Applied, thanks.
^ permalink raw reply [flat|nested] 36+ messages in thread