From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: Xin Long <lucien.xin@gmail.com>
Cc: network dev <netdev@vger.kernel.org>,
linux-sctp@vger.kernel.org, davem@davemloft.net,
Neil Horman <nhorman@tuxdriver.com>
Subject: Re: [PATCH net] sctp: change sctp_prot .no_autobind with true
Date: Tue, 15 Oct 2019 11:35:28 -0300 [thread overview]
Message-ID: <20191015143528.GJ3499@localhost.localdomain> (raw)
In-Reply-To: <06beb8a9ceaec9224a507b58d3477da106c5f0cd.1571124278.git.lucien.xin@gmail.com>
On Tue, Oct 15, 2019 at 03:24:38PM +0800, Xin Long wrote:
> syzbot reported a memory leak:
>
> BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
> backtrace:
>
> [...] slab_alloc mm/slab.c:3319 [inline]
> [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
> [...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
> [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
> [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
> [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
> [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
> [...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
> [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
> [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
> [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
> [...] __do_sys_setsockopt net/socket.c:2100 [inline]
>
> It was caused by when sending msgs without binding a port, in the path:
> inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> not. Later when binding another port by sctp_setsockopt_bindx(), a new
> bucket will be created as bp->port is not set.
>
> sctp's autobind is supposed to call sctp_autobind() where it does all
> things including setting bp->port. Since sctp_autobind() is called in
> sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> auto bind.
>
> THis patch is to avoid calling inet_autobind() in inet_send_prepare()
> by changing sctp_prot .no_autobind with true, also remove the unused
> .get_port.
>
> Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
WARNING: multiple messages have this Message-ID (diff)
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
To: Xin Long <lucien.xin@gmail.com>
Cc: network dev <netdev@vger.kernel.org>,
linux-sctp@vger.kernel.org, davem@davemloft.net,
Neil Horman <nhorman@tuxdriver.com>
Subject: Re: [PATCH net] sctp: change sctp_prot .no_autobind with true
Date: Tue, 15 Oct 2019 14:35:28 +0000 [thread overview]
Message-ID: <20191015143528.GJ3499@localhost.localdomain> (raw)
In-Reply-To: <06beb8a9ceaec9224a507b58d3477da106c5f0cd.1571124278.git.lucien.xin@gmail.com>
On Tue, Oct 15, 2019 at 03:24:38PM +0800, Xin Long wrote:
> syzbot reported a memory leak:
>
> BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
> backtrace:
>
> [...] slab_alloc mm/slab.c:3319 [inline]
> [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
> [...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
> [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
> [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
> [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
> [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
> [...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
> [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
> [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
> [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
> [...] __do_sys_setsockopt net/socket.c:2100 [inline]
>
> It was caused by when sending msgs without binding a port, in the path:
> inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> not. Later when binding another port by sctp_setsockopt_bindx(), a new
> bucket will be created as bp->port is not set.
>
> sctp's autobind is supposed to call sctp_autobind() where it does all
> things including setting bp->port. Since sctp_autobind() is called in
> sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> auto bind.
>
> THis patch is to avoid calling inet_autobind() in inet_send_prepare()
> by changing sctp_prot .no_autobind with true, also remove the unused
> .get_port.
>
> Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com
> Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
next prev parent reply other threads:[~2019-10-15 14:35 UTC|newest]
Thread overview: 8+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-10-15 7:24 [PATCH net] sctp: change sctp_prot .no_autobind with true Xin Long
2019-10-15 7:24 ` Xin Long
2019-10-15 14:35 ` Marcelo Ricardo Leitner [this message]
2019-10-15 14:35 ` Marcelo Ricardo Leitner
2019-10-16 3:39 ` David Miller
2019-10-16 3:39 ` David Miller
2019-10-16 5:26 ` Xin Long
2019-10-16 5:26 ` Xin Long
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20191015143528.GJ3499@localhost.localdomain \
--to=marcelo.leitner@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-sctp@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=nhorman@tuxdriver.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.