From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com,
Xin Long <lucien.xin@gmail.com>,
Neil Horman <nhorman@tuxdriver.com>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 4.9 10/78] sctp: hold transport before accessing its asoc in sctp_transport_get_next
Date: Thu, 13 Sep 2018 15:30:57 +0200 [thread overview]
Message-ID: <20180913131806.402048634@linuxfoundation.org> (raw)
In-Reply-To: <20180913131805.732342940@linuxfoundation.org>
4.9-stable review patch. If anyone has any objections, please let me know.
------------------
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit bab1be79a5169ac748d8292b20c86d874022d7ba ]
As Marcelo noticed, in sctp_transport_get_next, it is iterating over
transports but then also accessing the association directly, without
checking any refcnts before that, which can cause an use-after-free
Read.
So fix it by holding transport before accessing the association. With
that, sctp_transport_hold calls can be removed in the later places.
Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
Reported-by: syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/proc.c | 4 ----
net/sctp/socket.c | 22 +++++++++++++++-------
2 files changed, 15 insertions(+), 11 deletions(-)
--- a/net/sctp/proc.c
+++ b/net/sctp/proc.c
@@ -337,8 +337,6 @@ static int sctp_assocs_seq_show(struct s
}
transport = (struct sctp_transport *)v;
- if (!sctp_transport_hold(transport))
- return 0;
assoc = transport->asoc;
epb = &assoc->base;
sk = epb->sk;
@@ -428,8 +426,6 @@ static int sctp_remaddr_seq_show(struct
}
transport = (struct sctp_transport *)v;
- if (!sctp_transport_hold(transport))
- return 0;
assoc = transport->asoc;
list_for_each_entry_rcu(tsp, &assoc->peer.transport_addr_list,
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4476,9 +4476,14 @@ struct sctp_transport *sctp_transport_ge
break;
}
+ if (!sctp_transport_hold(t))
+ continue;
+
if (net_eq(sock_net(t->asoc->base.sk), net) &&
t->asoc->peer.primary_path == t)
break;
+
+ sctp_transport_put(t);
}
return t;
@@ -4488,13 +4493,18 @@ struct sctp_transport *sctp_transport_ge
struct rhashtable_iter *iter,
int pos)
{
- void *obj = SEQ_START_TOKEN;
+ struct sctp_transport *t;
+
+ if (!pos)
+ return SEQ_START_TOKEN;
- while (pos && (obj = sctp_transport_get_next(net, iter)) &&
- !IS_ERR(obj))
- pos--;
+ while ((t = sctp_transport_get_next(net, iter)) && !IS_ERR(t)) {
+ if (!--pos)
+ break;
+ sctp_transport_put(t);
+ }
- return obj;
+ return t;
}
int sctp_for_each_endpoint(int (*cb)(struct sctp_endpoint *, void *),
@@ -4556,8 +4566,6 @@ int sctp_for_each_transport(int (*cb)(st
for (; !IS_ERR_OR_NULL(obj); obj = sctp_transport_get_next(net, &hti)) {
struct sctp_transport *transport = obj;
- if (!sctp_transport_hold(transport))
- continue;
err = cb(transport, p);
sctp_transport_put(transport);
if (err)
next prev parent reply other threads:[~2018-09-13 13:35 UTC|newest]
Thread overview: 82+ messages / expand[flat|nested] mbox.gz Atom feed top
2018-09-13 13:30 [PATCH 4.9 00/78] 4.9.127-stable review Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 01/78] x86/speculation/l1tf: Fix up pte->pfn conversion for PAE Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 02/78] act_ife: fix a potential use-after-free Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 03/78] ipv4: tcp: send zero IPID for RST and ACK sent in SYN-RECV and TIME-WAIT state Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 04/78] net: bcmgenet: use MAC link status for fixed phy Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 05/78] net: sched: Fix memory exposure from short TCA_U32_SEL Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 06/78] qlge: Fix netdev features configuration Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 07/78] r8169: add support for NCube 8168 network card Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 08/78] tcp: do not restart timewait timer on rst reception Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 09/78] vti6: remove !skb->ignore_df check from vti6_xmit() Greg Kroah-Hartman
2018-09-13 13:30 ` Greg Kroah-Hartman [this message]
2018-09-13 13:30 ` [PATCH 4.9 11/78] vhost: correctly check the iova range when waking virtqueue Greg Kroah-Hartman
2018-09-13 13:30 ` [PATCH 4.9 12/78] hv_netvsc: ignore devices that are not PCI Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 13/78] act_ife: move tcfa_lock down to where necessary Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 14/78] act_ife: fix a potential deadlock Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 15/78] net: sched: action_ife: take reference to meta module Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 16/78] cifs: check if SMB2 PDU size has been padded and suppress the warning Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 17/78] hfsplus: dont return 0 when fill_super() failed Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 18/78] hfs: prevent crash on exit from failed search Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 19/78] sunrpc: Dont use stack buffer with scatterlist Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 20/78] fork: dont copy inconsistent signal handler state to child Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 21/78] reiserfs: change j_timestamp type to time64_t Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 22/78] hfsplus: fix NULL dereference in hfsplus_lookup() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 23/78] fat: validate ->i_start before using Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 24/78] scripts: modpost: check memory allocation results Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 25/78] virtio: pci-legacy: Validate queue pfn Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 26/78] mm/fadvise.c: fix signed overflow UBSAN complaint Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 27/78] fs/dcache.c: fix kmemcheck splat at take_dentry_name_snapshot() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 28/78] platform/x86: intel_punit_ipc: fix build errors Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 29/78] s390/kdump: Fix memleak in nt_vmcoreinfo Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 30/78] ipvs: fix race between ip_vs_conn_new() and ip_vs_del_dest() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 31/78] mfd: sm501: Set coherent_dma_mask when creating subdevices Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 32/78] platform/x86: asus-nb-wmi: Add keymap entry for lid flip action on UX360 Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 33/78] RDMA/hns: Fix usage of bitmap allocation functions return values Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 34/78] irqchip/bcm7038-l1: Hide cpu offline callback when building for !SMP Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 35/78] net/9p/trans_fd.c: fix race by holding the lock Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 36/78] net/9p: fix error path of p9_virtio_probe Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 37/78] powerpc: Fix size calculation using resource_size() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 38/78] perf probe powerpc: Fix trace event post-processing Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 39/78] block: bvec_nr_vecs() returns value for wrong slab Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 40/78] s390/dasd: fix hanging offline processing due to canceled worker Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 41/78] s390/dasd: fix panic for failed online processing Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 42/78] ACPI / scan: Initialize status to ACPI_STA_DEFAULT Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 43/78] scsi: aic94xx: fix an error code in aic94xx_init() Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 44/78] PCI: mvebu: Fix I/O space end address calculation Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 45/78] dm kcopyd: avoid softlockup in run_complete_job Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 46/78] staging: comedi: ni_mio_common: fix subdevice flags for PFI subdevice Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 47/78] selftests/powerpc: Kill child processes on SIGINT Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 48/78] RDS: IB: fix passing zero to ERR_PTR() warning Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 49/78] smb3: fix reset of bytes read and written stats Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 50/78] SMB3: Number of requests sent should be displayed for SMB3 not just CIFS Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 51/78] powerpc/pseries: Avoid using the size greater than RTAS_ERROR_LOG_MAX Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 52/78] clk: rockchip: Add pclk_rkpwm_pmu to PMU critical clocks in rk3399 Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 53/78] btrfs: replace: Reset on-disk dev stats value after replace Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 54/78] btrfs: relocation: Only remove reloc rb_trees if reloc control has been initialized Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 55/78] btrfs: Dont remove block group that still has pinned down bytes Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 56/78] arm64: rockchip: Force CONFIG_PM on Rockchip systems Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 57/78] ARM: " Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 58/78] drm/edid: Add 6 bpc quirk for SDC panel in Lenovo B50-80 Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 59/78] tcp: Revert "tcp: tcp_probe: use spin_lock_bh()" Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 60/78] debugobjects: Make stack check warning more informative Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 61/78] x86/pae: use 64 bit atomic xchg function in native_ptep_get_and_clear Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 62/78] kbuild: make missing $DEPMOD a Warning instead of an Error Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 63/78] irda: Fix memory leak caused by repeated binds of irda socket Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 64/78] irda: Only insert new objects into the global database via setsockopt Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 65/78] Revert "ARM: imx_v6_v7_defconfig: Select ULPI support" Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 66/78] enic: do not call enic_change_mtu in enic_probe Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 67/78] Fixes: Commit 2aa6d036b716 ("mm: numa: avoid waiting on freed migrated pages") Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 68/78] sch_htb: fix crash on init failure Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 69/78] sch_multiq: fix double free " Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 70/78] sch_hhf: fix null pointer dereference " Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 71/78] sch_netem: avoid null pointer deref " Greg Kroah-Hartman
2018-09-13 13:31 ` [PATCH 4.9 72/78] sch_tbf: fix two null pointer dereferences " Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 73/78] mei: me: allow runtime pm for platform with D0i3 Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 74/78] s390/lib: use expoline for all bcr instructions Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 75/78] ASoC: wm8994: Fix missing break in switch Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 76/78] btrfs: use correct compare function of dirty_metadata_bytes Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 77/78] arm64: Fix mismatched cache line size detection Greg Kroah-Hartman
2018-09-13 13:32 ` [PATCH 4.9 78/78] arm64: Handle mismatched cache type Greg Kroah-Hartman
2018-09-13 19:10 ` [PATCH 4.9 00/78] 4.9.127-stable review Nathan Chancellor
2018-09-14 12:42 ` Naresh Kamboju
2018-09-14 14:55 ` Guenter Roeck
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20180913131806.402048634@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=marcelo.leitner@gmail.com \
--cc=nhorman@tuxdriver.com \
--cc=stable@vger.kernel.org \
--cc=syzbot+fe62a0c9aa6a85c6de16@syzkaller.appspotmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).