From: Xin Long
Date: Wed, 5 Apr 2017 01:29:19 +0800
Subject: Re: net/sctp: list double add warning in sctp_endpoint_add_asoc
To: Andrey Konovalov
Cc: Vlad Yasevich, Neil Horman, "David S. Miller", linux-sctp@vger.kernel.org, netdev, LKML, Marcelo Ricardo Leitner, Dmitry Vyukov, Eric Dumazet, Kostya Serebryany, syzkaller
List-ID: linux-kernel@vger.kernel.org

On Tue, Apr 4, 2017 at 9:28 PM, Andrey Konovalov wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit a71c9a1c779f2499fb2afc0553e543f18aff6edf (4.11-rc5).
>
> A reproducer and .config are attached.

The script is pretty hard to reproduce the issue in my env.

But there seems to be a case that causes a use-after-free when out of snd_buf.
The case is like:

-----------
one thread:                              another thread:

sctp_rcv
  hold asoc (hold transport)
  enqueue the chunk to backlog queue
  [refcnt=2]
                                         sctp_close
                                           free assoc
                                           [refcnt=1]
                                         sctp_sendmsg
                                           find asoc but not hold it
                                           out of snd_buf
                                           hold asoc, schedule out
                                           [refcnt = 2]
process backlog and put asoc/transport
  [refcnt=1]
                                           schedule in, put asoc
                                           [refcnt=0] <--- destroyed
                                           sctp_sendmsg continue using asoc, panic
--------------------

Maybe we should check if asoc is already dead when scheduling back into sctp_sendmsg because of running out of snd_buf.
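The interleaving above, replayed as a constructed user-space model (added here; not kernel code and not from the thread). The refcount model, the `dead`/`freed` flags and the `replay()` helper are assumptions that mirror the mail's trace; the second run shows the effect of the proposed "is asoc dead" check on wake-up.

```c
/* Constructed model of the refcount interleaving from the mail; not kernel code. */
#include <stdbool.h>

struct asoc {
    int refcnt;
    bool dead;   /* set when sctp_close tears the association down */
    bool freed;  /* models the memory being destroyed when refcnt hits 0 */
};

static void asoc_hold(struct asoc *a) { a->refcnt++; }
static void asoc_put(struct asoc *a)  { if (--a->refcnt == 0) a->freed = true; }

/* Replays the two-thread trace. With check_dead set, sendmsg verifies the
 * association is still alive after being woken up and bails out instead of
 * continuing. Returns true when sendmsg would go on using freed memory. */
bool replay(bool check_dead)
{
    struct asoc a = { .refcnt = 1, .dead = false, .freed = false }; /* owner ref */

    /* thread 1: sctp_rcv holds asoc and enqueues the chunk to the backlog */
    asoc_hold(&a);                        /* refcnt = 2 */

    /* thread 2: sctp_close frees the assoc (drops the owner reference) */
    a.dead = true;
    asoc_put(&a);                         /* refcnt = 1 */

    /* thread 2: sctp_sendmsg finds asoc, runs out of snd_buf, holds and sleeps */
    asoc_hold(&a);                        /* refcnt = 2 */

    /* thread 1: backlog processed, its reference on asoc dropped */
    asoc_put(&a);                         /* refcnt = 1 */

    /* thread 2: scheduled back in */
    if (check_dead && a.dead) {
        asoc_put(&a);                     /* refcnt = 0, but asoc is not touched again */
        return false;
    }
    asoc_put(&a);                         /* refcnt = 0 -> destroyed */
    return a.freed;                       /* sendmsg continues using asoc */
}
```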