From: Vlad Yasevich <vyasevich@gmail.com> To: Neil Horman <nhorman@tuxdriver.com>, Dmitry Vyukov <dvyukov@google.com> Cc: linux-sctp@vger.kernel.org, netdev <netdev@vger.kernel.org>, syzkaller <syzkaller@googlegroups.com>, "Kostya Serebryany" <kcc@google.com>, "Alexander Potapenko" <glider@google.com>, "Sasha Levin" <sasha.levin@oracle.com>, "Eric Dumazet" <edumazet@google.com>, "Maciej Żenczykowski" <maze@google.com> Subject: Re: use-after-free in sctp_do_sm Date: Wed, 25 Nov 2015 10:12:28 -0500 [thread overview] Message-ID: <5655CFDC.4050206@gmail.com> (raw) In-Reply-To: <20151124204553.GB3364@hmsreliant.think-freely.org> On 11/24/2015 03:45 PM, Neil Horman wrote: > On Tue, Nov 24, 2015 at 11:10:32AM +0100, Dmitry Vyukov wrote: >> On Tue, Nov 24, 2015 at 10:31 AM, Dmitry Vyukov <dvyukov@google.com> wrote: >>> On Tue, Nov 24, 2015 at 10:15 AM, Dmitry Vyukov <dvyukov@google.com> wrote: >>>> Hello, >>>> >>>> The following program triggers use-after-free in sctp_do_sm: >>>> >>>> // autogenerated by syzkaller (http://github.com/google/syzkaller) >>>> #include <syscall.h> >>>> #include <string.h> >>>> #include <stdint.h> >>>> >>>> int main() >>>> { >>>> long r0 = syscall(SYS_socket, 0xaul, 0x80805ul, 0x0ul, 0, 0, 0); >>>> long r1 = syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x3ul, >>>> 0x32ul, 0xfffffffffffffffful, 0x0ul); >>>> memcpy((void*)0x20002fe4, >>>> "\x0a\x00\x33\xe7\xeb\x9d\xcf\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc5\xc8\x88\x64", >>>> 28); >>>> long r3 = syscall(SYS_bind, r0, 0x20002fe4ul, 0x1cul, 0, 0, 0); >>>> memcpy((void*)0x20000faa, >>>> "\x9b\x01\x7d\xcd\xb8\x6a\xc7\x3d\x09\x3a\x07\x00\xa7\xc4\xe9\xee\x0a\xd6\xec\xde\x26\x75\x5f\x22\xae\x4e\x33\x00\xb0\x76\x10\x70\xd6\xca\x19\xbc\x15\x83\xcf\x2e\xbc\x99\x0c\x5e\x83\x89\xc1\x44\x9c\x6e\x74\xd8\x5d\x5d\xd0\xf0\xdf\x47\xc0\x00\x71\x0b\x55\x4c\xab\xf0\xd8\x90\xd5\x92\x8c\x6e\x33\x22\x15\x5b\x19\xfb\xed\xdd\xa6\xac\xcb\x60\xcf\xe2\xde\xed\xdb\x95\x5c\xaa\x20\xa3", >>>> 94); >>>> memcpy((void*)0x2000033a, >>>> "\x02\x00\x33\xe2\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", >>>> 128); >>>> long r6 = syscall(SYS_sendto, r0, 0x20000faaul, 0x5eul, >>>> 0x81ul, 0x2000033aul, 0x80ul); >>>> return 0; >>>> } >>>> >>>> >>>> ================================================================== >>>> BUG: KASAN: use-after-free in sctp_do_sm+0x42f6/0x4f60 at addr ffff880036fa80a8 >>>> Read of size 4 by task a.out/5664 >>>> ============================================================================= >>>> BUG kmalloc-4096 (Tainted: G B ): kasan: bad access detected >>>> ----------------------------------------------------------------------------- >>>> >>>> INFO: Allocated in sctp_association_new+0x6f/0x1ea0 age=8 cpu=1 pid=5664 >>>> [< none >] kmem_cache_alloc_trace+0x1cf/0x220 ./mm/slab.c:3707 >>>> [< none >] sctp_association_new+0x6f/0x1ea0 >>>> [< none >] sctp_sendmsg+0x1954/0x28e0 >>>> [< none >] inet_sendmsg+0x316/0x4f0 ./net/ipv4/af_inet.c:802 >>>> [< inline >] __sock_sendmsg_nosec ./net/socket.c:641 >>>> [< inline >] __sock_sendmsg ./net/socket.c:651 >>>> [< none >] sock_sendmsg+0xca/0x110 ./net/socket.c:662 >>>> [< none >] SYSC_sendto+0x208/0x350 ./net/socket.c:1841 >>>> [< none >] SyS_sendto+0x40/0x50 ./net/socket.c:1862 >>>> [< none >] entry_SYSCALL_64_fastpath+0x16/0x7a >>>> >>>> INFO: Freed in sctp_association_put+0x150/0x250 age=14 cpu=1 pid=5664 >>>> [< none >] kfree+0x199/0x1b0 ./mm/slab.c:1211 >>>> [< none >] sctp_association_put+0x150/0x250 >>>> [< none >] sctp_association_free+0x498/0x630 >>>> [< none >] sctp_do_sm+0xd8b/0x4f60 >>>> [< none >] sctp_primitive_SHUTDOWN+0xa9/0xd0 >>>> [< none >] sctp_close+0x616/0x790 >>>> [< none >] inet_release+0xed/0x1c0 ./net/ipv4/af_inet.c:471 >>>> [< none >] inet6_release+0x50/0x70 ./net/ipv6/af_inet6.c:416 >>>> [< inline >] constant_test_bit ././arch/x86/include/asm/bitops.h:321 >>>> [< none >] sock_release+0x8d/0x200 ./net/socket.c:601 >>>> [< none >] sock_close+0x16/0x20 ./net/socket.c:1188 >>>> [< none >] __fput+0x21d/0x6e0 ./fs/file_table.c:265 >>>> [< none >] ____fput+0x15/0x20 ./fs/file_table.c:84 >>>> [< none >] task_work_run+0x163/0x1f0 ./include/trace/events/rcu.h:20 >>>> [< inline >] __list_add ./include/linux/list.h:42 >>>> [< inline >] list_add_tail ./include/linux/list.h:76 >>>> [< inline >] list_move_tail ./include/linux/list.h:168 >>>> [< inline >] reparent_leader ./kernel/exit.c:618 >>>> [< inline >] forget_original_parent ./kernel/exit.c:669 >>>> [< inline >] exit_notify ./kernel/exit.c:697 >>>> [< none >] do_exit+0x809/0x2b90 ./kernel/exit.c:878 >>>> [< none >] do_group_exit+0x108/0x320 ./kernel/exit.c:985 >>>> >>>> INFO: Slab 0xffffea0000dbea00 objects=7 used=1 fp=0xffff880036fa8000 >>>> flags=0x100000000004080 >>>> INFO: Object 0xffff880036fa8000 @offset=0 fp=0xffff880036fad668 >>>> CPU: 1 PID: 5664 Comm: a.out Tainted: G B 4.4.0-rc1+ #81 >>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 >>>> 00000000ffffffff ffff880061d6f700 ffffffff825d3336 ffff88003e806d00 >>>> ffff880036fa8000 ffff880036fa8000 ffff880061d6f730 ffffffff81618784 >>>> ffff88003e806d00 ffffea0000dbea00 ffff880036fa8000 0000000000000000 >>>> >>>> Call Trace: >>>> [<ffffffff8162131e>] __asan_report_load4_noabort+0x3e/0x40 >>>> [<ffffffff8475ac76>] sctp_do_sm+0x42f6/0x4f60 >>>> [<ffffffff847b50e9>] sctp_primitive_SHUTDOWN+0xa9/0xd0 >>>> [<ffffffff847a1426>] sctp_close+0x616/0x790 >>>> [<ffffffff8409bb0d>] inet_release+0xed/0x1c0 ./net/ipv4/af_inet.c:471 >>>> [<ffffffff84192cc0>] inet6_release+0x50/0x70 ./net/ipv6/af_inet6.c:416 >>>> [< inline >] constant_test_bit ././arch/x86/include/asm/bitops.h:321 >>>> [<ffffffff83dc78cd>] sock_release+0x8d/0x200 ./net/socket.c:601 >>>> [<ffffffff83dc7a56>] sock_close+0x16/0x20 ./net/socket.c:1188 >>>> [<ffffffff81662f5d>] __fput+0x21d/0x6e0 ./fs/file_table.c:265 >>>> [<ffffffff816634a5>] ____fput+0x15/0x20 ./fs/file_table.c:84 >>>> [<ffffffff812a33d3>] task_work_run+0x163/0x1f0 ./include/trace/events/rcu.h:20 >>>> [< inline >] __list_add ./include/linux/list.h:42 >>>> [< inline >] list_add_tail ./include/linux/list.h:76 >>>> [< inline >] list_move_tail ./include/linux/list.h:168 >>>> [< inline >] reparent_leader ./kernel/exit.c:618 >>>> [< inline >] forget_original_parent ./kernel/exit.c:669 >>>> [< inline >] exit_notify ./kernel/exit.c:697 >>>> [<ffffffff812505d9>] do_exit+0x809/0x2b90 ./kernel/exit.c:878 >>>> [<ffffffff81252ad8>] do_group_exit+0x108/0x320 ./kernel/exit.c:985 >>>> [<ffffffff81252d0d>] SyS_exit_group+0x1d/0x20 ./kernel/exit.c:1002 >>>> [<ffffffff84bf0c36>] entry_SYSCALL_64_fastpath+0x16/0x7a >>>> ================================================================== >>>> >>>> >>>> I am on commit 90b55590c43258a157a2a143748455dcc50fbb53 of net-next (Nov 22). >> >> The right commit is: >> >> commit 7d267278a9ece963d77eefec61630223fce08c6c >> Author: Rainer Weikusat >> Date: Fri Nov 20 22:07:23 2015 +0000 >> unix: avoid use-after-free in ep_remove_wait_queue > This commit doesn't seem to exist I don't think this matters... I think what's happening is that a close is happening on a socket still in connection initialization phase and we've never handled that particularly well... Net-next kernel with mem debugging hangs on boot for me with a ton of printks suppressed. Will try the net kernel to see if that's better -vlad > > Neil > >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html >>
WARNING: multiple messages have this Message-ID (diff)
From: Vlad Yasevich <vyasevich@gmail.com> To: Neil Horman <nhorman@tuxdriver.com>, Dmitry Vyukov <dvyukov@google.com> Cc: linux-sctp@vger.kernel.org, netdev <netdev@vger.kernel.org>, syzkaller <syzkaller@googlegroups.com>, "Kostya Serebryany" <kcc@google.com>, "Alexander Potapenko" <glider@google.com>, "Sasha Levin" <sasha.levin@oracle.com>, "Eric Dumazet" <edumazet@google.com>, "Maciej Żenczykowski" <maze@google.com> Subject: Re: use-after-free in sctp_do_sm Date: Wed, 25 Nov 2015 15:12:28 +0000 [thread overview] Message-ID: <5655CFDC.4050206@gmail.com> (raw) In-Reply-To: <20151124204553.GB3364@hmsreliant.think-freely.org> On 11/24/2015 03:45 PM, Neil Horman wrote: > On Tue, Nov 24, 2015 at 11:10:32AM +0100, Dmitry Vyukov wrote: >> On Tue, Nov 24, 2015 at 10:31 AM, Dmitry Vyukov <dvyukov@google.com> wrote: >>> On Tue, Nov 24, 2015 at 10:15 AM, Dmitry Vyukov <dvyukov@google.com> wrote: >>>> Hello, >>>> >>>> The following program triggers use-after-free in sctp_do_sm: >>>> >>>> // autogenerated by syzkaller (http://github.com/google/syzkaller) >>>> #include <syscall.h> >>>> #include <string.h> >>>> #include <stdint.h> >>>> >>>> int main() >>>> { >>>> long r0 = syscall(SYS_socket, 0xaul, 0x80805ul, 0x0ul, 0, 0, 0); >>>> long r1 = syscall(SYS_mmap, 0x20000000ul, 0x10000ul, 0x3ul, >>>> 0x32ul, 0xfffffffffffffffful, 0x0ul); >>>> memcpy((void*)0x20002fe4, >>>> "\x0a\x00\x33\xe7\xeb\x9d\xcf\x61\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\xc5\xc8\x88\x64", >>>> 28); >>>> long r3 = syscall(SYS_bind, r0, 0x20002fe4ul, 0x1cul, 0, 0, 0); >>>> memcpy((void*)0x20000faa, >>>> "\x9b\x01\x7d\xcd\xb8\x6a\xc7\x3d\x09\x3a\x07\x00\xa7\xc4\xe9\xee\x0a\xd6\xec\xde\x26\x75\x5f\x22\xae\x4e\x33\x00\xb0\x76\x10\x70\xd6\xca\x19\xbc\x15\x83\xcf\x2e\xbc\x99\x0c\x5e\x83\x89\xc1\x44\x9c\x6e\x74\xd8\x5d\x5d\xd0\xf0\xdf\x47\xc0\x00\x71\x0b\x55\x4c\xab\xf0\xd8\x90\xd5\x92\x8c\x6e\x33\x22\x15\x5b\x19\xfb\xed\xdd\xa6\xac\xcb\x60\xcf\xe2\xde\xed\xdb\x95\x5c\xaa\x20\xa3", >>>> 94); >>>> memcpy((void*)0x2000033a, >>>> "\x02\x00\x33\xe2\x7f\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", >>>> 128); >>>> long r6 = syscall(SYS_sendto, r0, 0x20000faaul, 0x5eul, >>>> 0x81ul, 0x2000033aul, 0x80ul); >>>> return 0; >>>> } >>>> >>>> >>>> ================================= >>>> BUG: KASAN: use-after-free in sctp_do_sm+0x42f6/0x4f60 at addr ffff880036fa80a8 >>>> Read of size 4 by task a.out/5664 >>>> ======================================>>>> BUG kmalloc-4096 (Tainted: G B ): kasan: bad access detected >>>> ----------------------------------------------------------------------------- >>>> >>>> INFO: Allocated in sctp_association_new+0x6f/0x1ea0 age=8 cpu=1 pidV64 >>>> [< none >] kmem_cache_alloc_trace+0x1cf/0x220 ./mm/slab.c:3707 >>>> [< none >] sctp_association_new+0x6f/0x1ea0 >>>> [< none >] sctp_sendmsg+0x1954/0x28e0 >>>> [< none >] inet_sendmsg+0x316/0x4f0 ./net/ipv4/af_inet.c:802 >>>> [< inline >] __sock_sendmsg_nosec ./net/socket.c:641 >>>> [< inline >] __sock_sendmsg ./net/socket.c:651 >>>> [< none >] sock_sendmsg+0xca/0x110 ./net/socket.c:662 >>>> [< none >] SYSC_sendto+0x208/0x350 ./net/socket.c:1841 >>>> [< none >] SyS_sendto+0x40/0x50 ./net/socket.c:1862 >>>> [< none >] entry_SYSCALL_64_fastpath+0x16/0x7a >>>> >>>> INFO: Freed in sctp_association_put+0x150/0x250 age\x14 cpu=1 pidV64 >>>> [< none >] kfree+0x199/0x1b0 ./mm/slab.c:1211 >>>> [< none >] sctp_association_put+0x150/0x250 >>>> [< none >] sctp_association_free+0x498/0x630 >>>> [< none >] sctp_do_sm+0xd8b/0x4f60 >>>> [< none >] sctp_primitive_SHUTDOWN+0xa9/0xd0 >>>> [< none >] sctp_close+0x616/0x790 >>>> [< none >] inet_release+0xed/0x1c0 ./net/ipv4/af_inet.c:471 >>>> [< none >] inet6_release+0x50/0x70 ./net/ipv6/af_inet6.c:416 >>>> [< inline >] constant_test_bit ././arch/x86/include/asm/bitops.h:321 >>>> [< none >] sock_release+0x8d/0x200 ./net/socket.c:601 >>>> [< none >] sock_close+0x16/0x20 ./net/socket.c:1188 >>>> [< none >] __fput+0x21d/0x6e0 ./fs/file_table.c:265 >>>> [< none >] ____fput+0x15/0x20 ./fs/file_table.c:84 >>>> [< none >] task_work_run+0x163/0x1f0 ./include/trace/events/rcu.h:20 >>>> [< inline >] __list_add ./include/linux/list.h:42 >>>> [< inline >] list_add_tail ./include/linux/list.h:76 >>>> [< inline >] list_move_tail ./include/linux/list.h:168 >>>> [< inline >] reparent_leader ./kernel/exit.c:618 >>>> [< inline >] forget_original_parent ./kernel/exit.c:669 >>>> [< inline >] exit_notify ./kernel/exit.c:697 >>>> [< none >] do_exit+0x809/0x2b90 ./kernel/exit.c:878 >>>> [< none >] do_group_exit+0x108/0x320 ./kernel/exit.c:985 >>>> >>>> INFO: Slab 0xffffea0000dbea00 objects=7 used=1 fp=0xffff880036fa8000 >>>> flags=0x100000000004080 >>>> INFO: Object 0xffff880036fa8000 @offset=0 fp=0xffff880036fad668 >>>> CPU: 1 PID: 5664 Comm: a.out Tainted: G B 4.4.0-rc1+ #81 >>>> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS Bochs 01/01/2011 >>>> 00000000ffffffff ffff880061d6f700 ffffffff825d3336 ffff88003e806d00 >>>> ffff880036fa8000 ffff880036fa8000 ffff880061d6f730 ffffffff81618784 >>>> ffff88003e806d00 ffffea0000dbea00 ffff880036fa8000 0000000000000000 >>>> >>>> Call Trace: >>>> [<ffffffff8162131e>] __asan_report_load4_noabort+0x3e/0x40 >>>> [<ffffffff8475ac76>] sctp_do_sm+0x42f6/0x4f60 >>>> [<ffffffff847b50e9>] sctp_primitive_SHUTDOWN+0xa9/0xd0 >>>> [<ffffffff847a1426>] sctp_close+0x616/0x790 >>>> [<ffffffff8409bb0d>] inet_release+0xed/0x1c0 ./net/ipv4/af_inet.c:471 >>>> [<ffffffff84192cc0>] inet6_release+0x50/0x70 ./net/ipv6/af_inet6.c:416 >>>> [< inline >] constant_test_bit ././arch/x86/include/asm/bitops.h:321 >>>> [<ffffffff83dc78cd>] sock_release+0x8d/0x200 ./net/socket.c:601 >>>> [<ffffffff83dc7a56>] sock_close+0x16/0x20 ./net/socket.c:1188 >>>> [<ffffffff81662f5d>] __fput+0x21d/0x6e0 ./fs/file_table.c:265 >>>> [<ffffffff816634a5>] ____fput+0x15/0x20 ./fs/file_table.c:84 >>>> [<ffffffff812a33d3>] task_work_run+0x163/0x1f0 ./include/trace/events/rcu.h:20 >>>> [< inline >] __list_add ./include/linux/list.h:42 >>>> [< inline >] list_add_tail ./include/linux/list.h:76 >>>> [< inline >] list_move_tail ./include/linux/list.h:168 >>>> [< inline >] reparent_leader ./kernel/exit.c:618 >>>> [< inline >] forget_original_parent ./kernel/exit.c:669 >>>> [< inline >] exit_notify ./kernel/exit.c:697 >>>> [<ffffffff812505d9>] do_exit+0x809/0x2b90 ./kernel/exit.c:878 >>>> [<ffffffff81252ad8>] do_group_exit+0x108/0x320 ./kernel/exit.c:985 >>>> [<ffffffff81252d0d>] SyS_exit_group+0x1d/0x20 ./kernel/exit.c:1002 >>>> [<ffffffff84bf0c36>] entry_SYSCALL_64_fastpath+0x16/0x7a >>>> ================================= >>>> >>>> >>>> I am on commit 90b55590c43258a157a2a143748455dcc50fbb53 of net-next (Nov 22). >> >> The right commit is: >> >> commit 7d267278a9ece963d77eefec61630223fce08c6c >> Author: Rainer Weikusat >> Date: Fri Nov 20 22:07:23 2015 +0000 >> unix: avoid use-after-free in ep_remove_wait_queue > This commit doesn't seem to exist I don't think this matters... I think what's happening is that a close is happening on a socket still in connection initialization phase and we've never handled that particularly well... Net-next kernel with mem debugging hangs on boot for me with a ton of printks suppressed. Will try the net kernel to see if that's better -vlad > > Neil > >> -- >> To unsubscribe from this list: send the line "unsubscribe linux-sctp" in >> the body of a message to majordomo@vger.kernel.org >> More majordomo info at http://vger.kernel.org/majordomo-info.html >>
next prev parent reply other threads:[~2015-11-25 15:12 UTC|newest] Thread overview: 153+ messages / expand[flat|nested] mbox.gz Atom feed top 2015-11-24 9:15 use-after-free in sctp_do_sm Dmitry Vyukov 2015-11-24 9:15 ` Dmitry Vyukov 2015-11-24 9:31 ` Dmitry Vyukov 2015-11-24 9:31 ` Dmitry Vyukov 2015-11-24 10:10 ` Dmitry Vyukov 2015-11-24 10:10 ` Dmitry Vyukov 2015-11-24 20:45 ` Neil Horman 2015-11-24 20:45 ` Neil Horman 2015-11-24 21:08 ` Eric Dumazet 2015-11-24 21:08 ` Eric Dumazet 2015-11-24 21:12 ` David Miller 2015-11-24 21:12 ` David Miller 2015-11-25 15:12 ` Vlad Yasevich [this message] 2015-11-25 15:12 ` Vlad Yasevich 2015-11-28 15:50 ` Dmitry Vyukov 2015-11-28 15:50 ` Dmitry Vyukov 2015-12-03 16:51 ` Marcelo Ricardo Leitner 2015-12-03 16:51 ` Marcelo Ricardo Leitner 2015-12-03 17:43 ` Marcelo Ricardo Leitner 2015-12-03 17:43 ` Marcelo Ricardo Leitner 2015-12-03 17:59 ` Eric Dumazet 2015-12-03 17:59 ` Eric Dumazet 2015-12-03 18:06 ` Marcelo 2015-12-03 18:06 ` Marcelo 2015-12-03 18:35 ` Vlad Yasevich 2015-12-03 18:35 ` Vlad Yasevich 2015-12-03 18:43 ` Marcelo 2015-12-03 18:43 ` Marcelo 2015-12-04 17:14 ` [PATCH net 0/3] sctp: packet timestamp fixes Marcelo Ricardo Leitner 2015-12-04 17:14 ` Marcelo Ricardo Leitner 2015-12-04 17:14 ` [PATCH net 1/3] sctp: use the same clock as if sock source timestamps were on Marcelo Ricardo Leitner 2015-12-04 17:14 ` Marcelo Ricardo Leitner 2015-12-04 20:31 ` Vlad Yasevich 2015-12-04 20:31 ` Vlad Yasevich 2015-12-04 17:14 ` [PATCH net 2/3] sctp: update the netstamp_needed counter when copying sockets Marcelo Ricardo Leitner 2015-12-04 17:14 ` Marcelo Ricardo Leitner 2015-12-04 20:33 ` Vlad Yasevich 2015-12-04 20:33 ` Vlad Yasevich 2015-12-04 17:14 ` [PATCH net 3/3] sctp: also copy sk_tsflags when copying the socket Marcelo Ricardo Leitner 2015-12-04 17:14 ` Marcelo Ricardo Leitner 2015-12-04 20:33 ` Vlad Yasevich 2015-12-04 20:33 ` Vlad Yasevich 2015-12-06 3:24 ` [PATCH net 0/3] sctp: packet timestamp fixes David Miller 2015-12-06 3:24 ` David Miller 2015-12-03 13:05 ` use-after-free in sctp_do_sm Marcelo Ricardo Leitner 2015-12-03 13:05 ` Marcelo Ricardo Leitner 2015-12-03 13:45 ` Dmitry Vyukov 2015-12-03 13:45 ` Dmitry Vyukov 2015-12-03 14:48 ` Eric Dumazet 2015-12-03 14:48 ` Eric Dumazet 2015-12-03 15:55 ` Dmitry Vyukov 2015-12-03 15:55 ` Dmitry Vyukov 2015-12-03 16:15 ` Marcelo Ricardo Leitner 2015-12-03 16:15 ` Marcelo Ricardo Leitner 2015-12-03 17:02 ` Eric Dumazet 2015-12-03 17:02 ` Eric Dumazet 2015-12-03 17:12 ` Dmitry Vyukov 2015-12-03 17:12 ` Dmitry Vyukov 2015-12-03 18:52 ` Aaron Conole 2015-12-03 18:52 ` Aaron Conole 2015-12-03 19:06 ` Joe Perches 2015-12-03 19:06 ` Joe Perches 2015-12-03 19:32 ` Jason Baron 2015-12-03 19:32 ` Jason Baron 2015-12-03 20:03 ` Joe Perches 2015-12-03 20:03 ` Joe Perches 2015-12-03 20:10 ` Jason Baron 2015-12-03 20:10 ` Jason Baron 2015-12-03 20:24 ` Joe Perches 2015-12-03 20:24 ` Joe Perches 2015-12-03 20:42 ` Jason Baron 2015-12-03 20:42 ` Jason Baron 2015-12-03 20:51 ` Joe Perches 2015-12-03 20:51 ` Joe Perches 2015-12-04 10:40 ` Dmitry Vyukov 2015-12-04 10:40 ` Dmitry Vyukov 2015-12-04 12:55 ` Marcelo Ricardo Leitner 2015-12-04 12:55 ` Marcelo Ricardo Leitner 2015-12-04 15:37 ` Vlad Yasevich 2015-12-04 15:37 ` Vlad Yasevich 2015-12-04 15:51 ` Aaron Conole 2015-12-04 15:51 ` Aaron Conole 2015-12-04 16:12 ` Dmitry Vyukov 2015-12-04 16:12 ` Dmitry Vyukov 2015-12-04 16:47 ` Jason Baron 2015-12-04 16:47 ` Jason Baron 2015-12-04 17:03 ` Joe Perches 2015-12-04 17:03 ` Joe Perches 2015-12-04 17:11 ` Jason Baron 2015-12-04 17:11 ` Jason Baron 2015-12-04 10:41 ` Dmitry Vyukov 2015-12-04 10:41 ` Dmitry Vyukov 2015-12-04 17:48 ` Marcelo Ricardo Leitner 2015-12-04 17:48 ` Marcelo Ricardo Leitner 2015-12-04 20:25 ` Dmitry Vyukov 2015-12-04 20:25 ` Dmitry Vyukov 2015-12-04 21:34 ` Marcelo Ricardo Leitner 2015-12-04 21:34 ` Marcelo Ricardo Leitner 2015-12-04 21:38 ` Dmitry Vyukov 2015-12-04 21:38 ` Dmitry Vyukov 2015-12-05 16:39 ` Vlad Yasevich 2015-12-05 16:39 ` Vlad Yasevich 2015-12-07 11:26 ` Dmitry Vyukov 2015-12-07 11:26 ` Dmitry Vyukov 2015-12-07 13:15 ` Marcelo Ricardo Leitner 2015-12-07 13:15 ` Marcelo Ricardo Leitner 2015-12-07 13:20 ` Dmitry Vyukov 2015-12-07 13:20 ` Dmitry Vyukov 2015-12-07 18:52 ` Marcelo Ricardo Leitner 2015-12-07 18:52 ` Marcelo Ricardo Leitner 2015-12-07 19:33 ` Vlad Yasevich 2015-12-07 19:33 ` Vlad Yasevich 2015-12-07 19:50 ` Marcelo Ricardo Leitner 2015-12-07 19:50 ` Marcelo Ricardo Leitner 2015-12-07 20:37 ` Vlad Yasevich 2015-12-07 20:37 ` Vlad Yasevich 2015-12-07 20:52 ` Marcelo Ricardo Leitner 2015-12-07 20:52 ` Marcelo Ricardo Leitner 2015-12-08 17:30 ` Dmitry Vyukov 2015-12-08 17:30 ` Dmitry Vyukov 2015-12-08 17:40 ` Marcelo Ricardo Leitner 2015-12-08 17:40 ` Marcelo Ricardo Leitner 2015-12-08 19:22 ` Dmitry Vyukov 2015-12-08 19:22 ` Dmitry Vyukov 2015-12-09 14:41 ` Dmitry Vyukov 2015-12-09 14:41 ` Dmitry Vyukov 2015-12-09 15:03 ` Marcelo Ricardo Leitner 2015-12-09 15:03 ` Marcelo Ricardo Leitner 2015-12-09 16:41 ` Marcelo Ricardo Leitner 2015-12-09 16:41 ` Marcelo Ricardo Leitner 2015-12-11 13:35 ` Dmitry Vyukov 2015-12-11 13:35 ` Dmitry Vyukov 2015-12-11 13:51 ` Marcelo Ricardo Leitner 2015-12-11 13:51 ` Marcelo Ricardo Leitner 2015-12-11 14:03 ` Marcelo Ricardo Leitner 2015-12-11 14:03 ` Marcelo Ricardo Leitner 2015-12-11 14:30 ` Dmitry Vyukov 2015-12-11 14:30 ` Dmitry Vyukov 2015-12-11 15:55 ` Marcelo Ricardo Leitner 2015-12-11 15:55 ` Marcelo Ricardo Leitner 2016-01-08 13:00 ` [PATCH] sctp: fix use-after-free in pr_debug statement Marcelo Ricardo Leitner 2016-01-08 13:00 ` Marcelo Ricardo Leitner 2016-01-11 17:00 ` Vlad Yasevich 2016-01-11 17:00 ` Vlad Yasevich 2016-01-11 22:13 ` David Miller 2016-01-11 22:13 ` David Miller 2016-01-12 8:41 ` Dmitry Vyukov 2016-01-12 8:41 ` Dmitry Vyukov 2015-12-11 18:37 ` use-after-free in sctp_do_sm Vlad Yasevich 2015-12-11 18:37 ` Vlad Yasevich 2015-12-14 9:50 ` David Laight 2015-12-14 14:25 ` Vlad Yasevich 2015-12-14 14:25 ` Vlad Yasevich
Reply instructions: You may reply publicly to this message via plain-text email using any one of the following methods: * Save the following mbox file, import it into your mail client, and reply-to-all from there: mbox Avoid top-posting and favor interleaved quoting: https://en.wikipedia.org/wiki/Posting_style#Interleaved_style * Reply using the --to, --cc, and --in-reply-to switches of git-send-email(1): git send-email \ --in-reply-to=5655CFDC.4050206@gmail.com \ --to=vyasevich@gmail.com \ --cc=dvyukov@google.com \ --cc=edumazet@google.com \ --cc=glider@google.com \ --cc=kcc@google.com \ --cc=linux-sctp@vger.kernel.org \ --cc=maze@google.com \ --cc=netdev@vger.kernel.org \ --cc=nhorman@tuxdriver.com \ --cc=sasha.levin@oracle.com \ --cc=syzkaller@googlegroups.com \ /path/to/YOUR_REPLY https://kernel.org/pub/software/scm/git/docs/git-send-email.html * If your mail client supports setting the In-Reply-To header via mailto: links, try the mailto: linkBe sure your reply has a Subject: header at the top and a blank line before the message body.
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.