Date: Fri, 28 Jun 2019 07:06:01 -0400
From: Neil Horman
To: Marcelo Ricardo Leitner
Cc: netdev@vger.kernel.org, Xin Long, linux-sctp@vger.kernel.org, Hillf Danton
Subject: Re: [PATCH net] sctp: fix error handling on stream scheduler initialization
Message-ID: <20190628110601.GA14635@hmswarspite.think-freely.org>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.12.0 (2019-05-25)
X-Mailing-List: netdev@vger.kernel.org

On Thu, Jun 27, 2019 at 07:48:10PM -0300, Marcelo Ricardo Leitner wrote:
> It allocates the extended area for outbound streams only on sendmsg
> calls, if they are not yet allocated. When using the priority
> stream scheduler, this initialization may imply a subsequent
> allocation, which may fail. In this case, it was aborting the stream
> scheduler initialization but leaving the ->ext pointer (allocated) in
> there, thus in a partially initialized state. On a subsequent call to
> sendmsg, it would notice the ->ext pointer in there, and trip on
> uninitialized stuff when trying to schedule the data chunk.
>
> The fix is to undo the ->ext initialization if the stream scheduler
> initialization fails and avoid the partially initialized state.
>
> Although syzkaller bisected this to commit 4ff40b86262b ("sctp: set
> chunk transport correctly when it's a new asoc"), this bug was actually
> introduced in the commit I marked below.
>
> Reported-by: syzbot+c1a380d42b190ad1e559@syzkaller.appspotmail.com
> Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
> Tested-by: Xin Long
> Signed-off-by: Marcelo Ricardo Leitner
> ---
> net/sctp/stream.c | 9 ++++++++-
> 1 file changed, 8 insertions(+), 1 deletion(-)
>
> diff --git a/net/sctp/stream.c b/net/sctp/stream.c
> index 93ed07877337eace4ef7f4775dda5868359ada37..25946604af85c09917e63e5c4a8d7d6fa2caebc4 100644
> --- a/net/sctp/stream.c
> +++ b/net/sctp/stream.c
> @@ -153,13 +153,20 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt, > int sctp_stream_init_ext(struct sctp_stream *stream, __u16 sid) > { > struct sctp_stream_out_ext *soute; > + int ret; > > soute = kzalloc(sizeof(*soute), GFP_KERNEL); > if (!soute) > return -ENOMEM; > SCTP_SO(stream, sid)->ext = soute; > > - return sctp_sched_init_sid(stream, sid, GFP_KERNEL); > + ret = sctp_sched_init_sid(stream, sid, GFP_KERNEL); > + if (ret) { > + kfree(SCTP_SO(stream, sid)->ext); > + SCTP_SO(stream, sid)->ext = NULL; > + } > + > + return ret; > } > > void sctp_stream_free(struct sctp_stream *stream) > -- > 2.21.0 > > Acked-by: Neil Horman
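Review bot: the error path in this hunk re-reads the pointer through SCTP_SO(stream, sid)->ext before freeing it, although the function already holds that same pointer in the local `soute`; `kfree(soute); SCTP_SO(stream, sid)->ext = NULL;` expresses the cleanup more directly and drops one macro dereference from the failure path. One point to confirm that is not visible in this hunk: the commit message says the priority scheduler performs a further allocation during sctp_sched_init_sid(), so if that function can fail after hanging something off the ext structure, the kfree() here would discard ext without that inner allocation being released, and the scheduler's init_sid should be checked to clean up its own partial work before returning an error. Resetting ->ext to NULL is the essential part of the fix: it restores the invariant the next sendmsg call depends on (ext == NULL means "not initialized"), which is exactly what closes the partially-initialized state the syzbot report describes.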