From: Vlad Yasevich <vyasevich@gmail.com>
To: Neil Horman <nhorman@tuxdriver.com>, Dmitry Vyukov <dvyukov@google.com>
Cc: linux-sctp@vger.kernel.org, netdev <netdev@vger.kernel.org>,
	syzkaller <syzkaller@googlegroups.com>,
	"Kostya Serebryany" <kcc@google.com>,
	"Alexander Potapenko" <glider@google.com>,
	"Sasha Levin" <sasha.levin@oracle.com>,
	"Eric Dumazet" <edumazet@google.com>,
	"Maciej Żenczykowski" <maze@google.com>
Subject: Re: use-after-free in sctp_do_sm
Date: Wed, 25 Nov 2015 10:12:28 -0500
Message-ID: <5655CFDC.4050206@gmail.com>
In-Reply-To: <20151124204553.GB3364@hmsreliant.think-freely.org>

On 11/24/2015 03:45 PM, Neil Horman wrote:
> On Tue, Nov 24, 2015 at 11:10:32AM +0100, Dmitry Vyukov wrote:
>> On Tue, Nov 24, 2015 at 10:31 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
>>> On Tue, Nov 24, 2015 at 10:15 AM, Dmitry Vyukov <dvyukov@google.com> wrote:
>>>> Hello,
>>>>
>>>> The following program triggers use-after-free in sctp_do_sm:
>>>>
>>>> // autogenerated by syzkaller (http://github.com/google/syzkaller)
>>>> #include <syscall.h>
>>>> #include <string.h>
>>>> #include <stdint.h>
>>>>
>>>> int main()
>>>> {
>>>>         long r0 = syscall(SYS_socket, 0xaul, 0x80805ul, 0x0ul, 0, 0, 0);
>>>>         long r1 = syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x3ul,
>>>> 0x32ul, 0xfffffffffffffffful, 0x0ul);
>>>>         memcpy((void*)0x20002fe4,
>>>> "\x0a\x00\x33\xe7\xeb\x9d\xcf\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc5\xc8\x88\x64",
>>>> 28);
>>>>         long r3 = syscall(SYS_bind, r0, 0x20002fe4ul, 0x1cul, 0, 0, 0);
>>>>         memcpy((void*)0x20000faa,
>>>> "\x9b\x01\x7d\xcd\xb8\x6a\xc7\x3d\x09\x3a\x07\x00\xa7\xc4\xe9\xee\x0a\xd6\xec\xde\x26\x75\x5f\x22\xae\x4e\x33\x00\xb0\x76\x10\x70\xd6\xca\x19\xbc\x15\x83\xcf\x2e\xbc\x99\x0c\x5e\x83\x89\xc1\x44\x9c\x6e\x74\xd8\x5d\x5d\xd0\xf0\xdf\x47\xc0\x00\x71\x0b\x55\x4c\xab\xf0\xd8\x90\xd5\x92\x8c\x6e\x33\x22\x15\x5b\x19\xfb\xed\xdd\xa6\xac\xcb\x60\xcf\xe2\xde\xed\xdb\x95\x5c\xaa\x20\xa3",
>>>> 94);
>>>>         memcpy((void*)0x2000033a,
>>>> "\x02\x00\x33\xe2\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00",
>>>> 128);
>>>>         long r6 = syscall(SYS_sendto, r0, 0x20000faaul, 0x5eul,
>>>> 0x81ul, 0x2000033aul, 0x80ul);
>>>>         return 0;
>>>> }
>>>>
>>>>
>>>> ==================================================================
>>>> BUG: KASAN: use-after-free in sctp_do_sm+0x42f6/0x4f60 at addr ffff880036fa80a8
>>>> Read of size 4 by task a.out/5664
>>>> =============================================================================
>>>> BUG kmalloc-4096 (Tainted: G    B          ): kasan: bad access detected
>>>> -----------------------------------------------------------------------------
>>>>
>>>> INFO: Allocated in sctp_association_new+0x6f/0x1ea0 age=8 cpu=1 pid=5664
>>>> [<      none      >] kmem_cache_alloc_trace+0x1cf/0x220 ./mm/slab.c:3707
>>>> [<      none      >] sctp_association_new+0x6f/0x1ea0
>>>> [<      none      >] sctp_sendmsg+0x1954/0x28e0
>>>> [<      none      >] inet_sendmsg+0x316/0x4f0 ./net/ipv4/af_inet.c:802
>>>> [<     inline     >] __sock_sendmsg_nosec ./net/socket.c:641
>>>> [<     inline     >] __sock_sendmsg ./net/socket.c:651
>>>> [<      none      >] sock_sendmsg+0xca/0x110 ./net/socket.c:662
>>>> [<      none      >] SYSC_sendto+0x208/0x350 ./net/socket.c:1841
>>>> [<      none      >] SyS_sendto+0x40/0x50 ./net/socket.c:1862
>>>> [<      none      >] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>>
>>>> INFO: Freed in sctp_association_put+0x150/0x250 age=14 cpu=1 pid=5664
>>>> [<      none      >] kfree+0x199/0x1b0 ./mm/slab.c:1211
>>>> [<      none      >] sctp_association_put+0x150/0x250
>>>> [<      none      >] sctp_association_free+0x498/0x630
>>>> [<      none      >] sctp_do_sm+0xd8b/0x4f60
>>>> [<      none      >] sctp_primitive_SHUTDOWN+0xa9/0xd0
>>>> [<      none      >] sctp_close+0x616/0x790
>>>> [<      none      >] inet_release+0xed/0x1c0 ./net/ipv4/af_inet.c:471
>>>> [<      none      >] inet6_release+0x50/0x70 ./net/ipv6/af_inet6.c:416
>>>> [<     inline     >] constant_test_bit ././arch/x86/include/asm/bitops.h:321
>>>> [<      none      >] sock_release+0x8d/0x200 ./net/socket.c:601
>>>> [<      none      >] sock_close+0x16/0x20 ./net/socket.c:1188
>>>> [<      none      >] __fput+0x21d/0x6e0 ./fs/file_table.c:265
>>>> [<      none      >] ____fput+0x15/0x20 ./fs/file_table.c:84
>>>> [<      none      >] task_work_run+0x163/0x1f0 ./include/trace/events/rcu.h:20
>>>> [<     inline     >] __list_add ./include/linux/list.h:42
>>>> [<     inline     >] list_add_tail ./include/linux/list.h:76
>>>> [<     inline     >] list_move_tail ./include/linux/list.h:168
>>>> [<     inline     >] reparent_leader ./kernel/exit.c:618
>>>> [<     inline     >] forget_original_parent ./kernel/exit.c:669
>>>> [<     inline     >] exit_notify ./kernel/exit.c:697
>>>> [<      none      >] do_exit+0x809/0x2b90 ./kernel/exit.c:878
>>>> [<      none      >] do_group_exit+0x108/0x320 ./kernel/exit.c:985
>>>>
>>>> INFO: Slab 0xffffea0000dbea00 objects=7 used=1 fp=0xffff880036fa8000
>>>> flags=0x100000000004080
>>>> INFO: Object 0xffff880036fa8000 @offset=0 fp=0xffff880036fad668
>>>> CPU: 1 PID: 5664 Comm: a.out Tainted: G    B           4.4.0-rc1+ #81
>>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011
>>>>  00000000ffffffff ffff880061d6f700 ffffffff825d3336 ffff88003e806d00
>>>>  ffff880036fa8000 ffff880036fa8000 ffff880061d6f730 ffffffff81618784
>>>>  ffff88003e806d00 ffffea0000dbea00 ffff880036fa8000 0000000000000000
>>>>
>>>> Call Trace:
>>>>  [<ffffffff8162131e>] __asan_report_load4_noabort+0x3e/0x40
>>>>  [<ffffffff8475ac76>] sctp_do_sm+0x42f6/0x4f60
>>>>  [<ffffffff847b50e9>] sctp_primitive_SHUTDOWN+0xa9/0xd0
>>>>  [<ffffffff847a1426>] sctp_close+0x616/0x790
>>>>  [<ffffffff8409bb0d>] inet_release+0xed/0x1c0 ./net/ipv4/af_inet.c:471
>>>>  [<ffffffff84192cc0>] inet6_release+0x50/0x70 ./net/ipv6/af_inet6.c:416
>>>>  [<     inline     >] constant_test_bit ././arch/x86/include/asm/bitops.h:321
>>>>  [<ffffffff83dc78cd>] sock_release+0x8d/0x200 ./net/socket.c:601
>>>>  [<ffffffff83dc7a56>] sock_close+0x16/0x20 ./net/socket.c:1188
>>>>  [<ffffffff81662f5d>] __fput+0x21d/0x6e0 ./fs/file_table.c:265
>>>>  [<ffffffff816634a5>] ____fput+0x15/0x20 ./fs/file_table.c:84
>>>>  [<ffffffff812a33d3>] task_work_run+0x163/0x1f0 ./include/trace/events/rcu.h:20
>>>>  [<     inline     >] __list_add ./include/linux/list.h:42
>>>>  [<     inline     >] list_add_tail ./include/linux/list.h:76
>>>>  [<     inline     >] list_move_tail ./include/linux/list.h:168
>>>>  [<     inline     >] reparent_leader ./kernel/exit.c:618
>>>>  [<     inline     >] forget_original_parent ./kernel/exit.c:669
>>>>  [<     inline     >] exit_notify ./kernel/exit.c:697
>>>>  [<ffffffff812505d9>] do_exit+0x809/0x2b90 ./kernel/exit.c:878
>>>>  [<ffffffff81252ad8>] do_group_exit+0x108/0x320 ./kernel/exit.c:985
>>>>  [<ffffffff81252d0d>] SyS_exit_group+0x1d/0x20 ./kernel/exit.c:1002
>>>>  [<ffffffff84bf0c36>] entry_SYSCALL_64_fastpath+0x16/0x7a
>>>> ==================================================================
>>>>
>>>>
>>>> I am on commit 90b55590c43258a157a2a143748455dcc50fbb53 of net-next (Nov 22).
>>
>> The right commit is:
>>
>> commit 7d267278a9ece963d77eefec61630223fce08c6c
>> Author: Rainer Weikusat
>> Date:   Fri Nov 20 22:07:23 2015 +0000
>>     unix: avoid use-after-free in ep_remove_wait_queue
> This commit doesn't seem to exist

I don't think this matters...  I think what's happening is that a close is happening on a
socket still in connection initialization phase and we've never handled that particularly
well...

Net-next kernel with mem debugging hangs on boot for me with a ton of printks suppressed.
Will try the net kernel to see if that's better.

-vlad
> 
> Neil
> 
>>
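
A triage sketch for the KASAN report quoted in this message, added here as an example and not code from the thread or the kernel tree: it parses the report, finds the function that sits on both the free stack and the faulting stack, and computes the offset of the bad read inside the freed object. The names `parse` and `triage` are this example's own, and the sample input is abridged from the report above.

```python
import re

# Abridged from the KASAN report quoted in this message (quote markers stripped).
REPORT = """\
BUG: KASAN: use-after-free in sctp_do_sm+0x42f6/0x4f60 at addr ffff880036fa80a8
Read of size 4 by task a.out/5664
INFO: Allocated in sctp_association_new+0x6f/0x1ea0 age=8 cpu=1 pid=5664
[<      none      >] kmem_cache_alloc_trace+0x1cf/0x220 ./mm/slab.c:3707
[<      none      >] sctp_association_new+0x6f/0x1ea0
[<      none      >] sctp_sendmsg+0x1954/0x28e0
INFO: Freed in sctp_association_put+0x150/0x250 age=14 cpu=1 pid=5664
[<      none      >] kfree+0x199/0x1b0 ./mm/slab.c:1211
[<      none      >] sctp_association_put+0x150/0x250
[<      none      >] sctp_association_free+0x498/0x630
[<      none      >] sctp_do_sm+0xd8b/0x4f60
[<      none      >] sctp_primitive_SHUTDOWN+0xa9/0xd0
[<      none      >] sctp_close+0x616/0x790
INFO: Object 0xffff880036fa8000 @offset=0 fp=0xffff880036fad668
Call Trace:
 [<ffffffff8162131e>] __asan_report_load4_noabort+0x3e/0x40
 [<ffffffff8475ac76>] sctp_do_sm+0x42f6/0x4f60
 [<ffffffff847b50e9>] sctp_primitive_SHUTDOWN+0xa9/0xd0
 [<ffffffff847a1426>] sctp_close+0x616/0x790
"""

# One stack frame: "[<addr or none>] func+0xoff/0xsize"; inlined frames carry no offset.
FRAME = re.compile(r"\[<[^>]*>\]\s+([\w.]+)\+0x([0-9a-f]+)/0x[0-9a-f]+")


def parse(report):
    """Split a KASAN report of the form quoted above into its three stacks."""
    out = {"op": None, "size": None, "addr": None, "object": None,
           "alloc": [], "free": [], "access": []}
    section = None
    for raw in report.splitlines():
        line = raw.lstrip("> ").strip()  # tolerate mail quote prefixes
        if m := re.search(r"KASAN: use-after-free in \S+ at addr ([0-9a-f]+)", line):
            out["addr"] = int(m.group(1), 16)
        elif m := re.match(r"(Read|Write) of size (\d+)", line):
            out["op"], out["size"] = m.group(1), int(m.group(2))
        elif line.startswith("INFO: Allocated in"):
            section = "alloc"
        elif line.startswith("INFO: Freed in"):
            section = "free"
        elif line.startswith("INFO:"):
            section = None  # Slab/Object lines end the saved free stack
            if m := re.match(r"INFO: Object 0x([0-9a-f]+)", line):
                out["object"] = int(m.group(1), 16)
        elif line.startswith("Call Trace:"):
            section = "access"
        elif section and (m := FRAME.match(line)):
            out[section].append((m.group(1), int(m.group(2), 16)))
    return out


def triage(report):
    """Relate the faulting access to the free that preceded it."""
    r = parse(report)
    free = r["free"]
    # Drop KASAN's own reporting helper from the faulting stack.
    access = [fr for fr in r["access"] if not fr[0].startswith("__asan_")]
    free_names = [name for name, _ in free]
    known = r["addr"] is not None and r["object"] is not None
    result = {"op": r["op"], "size": r["size"], "pivot": None,
              "field_offset": r["addr"] - r["object"] if known else None}
    # Pivot: innermost function of the faulting stack that is also on the free stack.
    ai = next((i for i, (name, _) in enumerate(access) if name in free_names), None)
    if ai is None:
        return result  # the two stacks share no function
    fi = free_names.index(access[ai][0])
    result.update(
        pivot=access[ai][0],
        free_site=free[fi][1],      # return offset after the call that led to kfree
        access_site=access[ai][1],  # offset of the faulting load or store
        # Identical callers below the pivot are consistent with one call path that
        # released the object through a callee and then touched it again.
        # zip() stops at the shorter stack, since saved stacks are truncated.
        callers_match=all(a == b for a, b in zip(access[ai + 1:], free[fi + 1:])),
        freed_via=free_names[:fi][::-1],  # call order from the pivot down to kfree
    )
    return result


if __name__ == "__main__":
    for key, value in triage(REPORT).items():
        print(f"{key}: {value}")
```

For this report the pivot is `sctp_do_sm`, with the same callers (`sctp_primitive_SHUTDOWN`, `sctp_close`) at the same offsets on both stacks, and the 4-byte read lands 0xa8 bytes into the freed kmalloc-4096 object.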

