alistair23-linux/net/sctp
Xin Long 6910e25de2 sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg
In Commit 1f45f78f8e ("sctp: allow GSO frags to access the chunk too"),
it held the chunk in sctp_ulpevent_make_rcvmsg to access it safely later
in recvmsg. However, it also added sctp_chunk_put in fail_mark err path,
which is only triggered before holding the chunk.

syzbot reported a use-after-free crash happened on this err path, where
it shouldn't call sctp_chunk_put.

This patch simply removes this call.

Fixes: 1f45f78f8e ("sctp: allow GSO frags to access the chunk too")
Reported-by: syzbot+141d898c5f24489db4aa@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-05-10 17:48:36 -04:00
associola.c sctp: delay the authentication for the duplicated cookie-echo chunk 2018-05-07 23:39:10 -04:00
auth.c sctp: add SCTP_AUTH_FREE_KEY type for AUTHENTICATION_EVENT 2018-03-14 13:48:27 -04:00
bind_addr.c
chunk.c selinux/stable-4.17 PR 20180403 2018-04-06 15:39:26 -07:00
debug.c
diag.c
endpointola.c sctp: remove unnecessary asoc in sctp_has_association 2018-03-27 10:22:11 -04:00
input.c sctp: remove unnecessary asoc in sctp_has_association 2018-03-27 10:22:11 -04:00
inqueue.c sctp: fix the issue that the cookie-ack with auth can't get processed 2018-05-02 11:15:33 -04:00
ipv6.c sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr 2018-04-27 13:21:50 -04:00
Kconfig
Makefile
objcnt.c sctp: use proc_remove_subtree() 2018-03-17 20:11:22 -04:00
offload.c net: use skb_is_gso_sctp() instead of open-coding 2018-03-09 11:41:47 -05:00
output.c selinux/stable-4.17 PR 20180403 2018-04-06 15:39:26 -07:00
outqueue.c
primitive.c
proc.c net: Use octal not symbolic permissions 2018-03-26 12:07:48 -04:00
protocol.c selinux/stable-4.17 PR 20180403 2018-04-06 15:39:26 -07:00
sm_make_chunk.c sctp: fix spelling mistake: "max_retans" -> "max_retrans" 2018-05-10 15:23:50 -04:00
sm_sideeffect.c sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT 2018-03-14 13:48:27 -04:00
sm_statefuns.c sctp: delay the authentication for the duplicated cookie-echo chunk 2018-05-07 23:39:10 -04:00
sm_statetable.c
socket.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-04-09 17:04:10 -07:00
stream.c sctp: clear the new asoc's stream outcnt in sctp_stream_update 2018-04-27 13:34:34 -04:00
stream_interleave.c
stream_sched.c
stream_sched_prio.c
stream_sched_rr.c
sysctl.c
transport.c
tsnmap.c
ulpevent.c sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg 2018-05-10 17:48:36 -04:00
ulpqueue.c