redonkable
/
alistair23-linux
1
0
Fork 0
Code Releases Activity
alistair23-linux/net
History
Qiujun Huang 7ae5360145 sctp: fix refcount bug in sctp_wfree 
[ Upstream commit 5c3e82fe15 ]

We should iterate over the datamsgs to move
all chunks(skbs) to newsk.

The following case cause the bug:
for the trouble SKB, it was in outq->transmitted list

sctp_outq_sack
        sctp_check_transmitted
                SKB was moved to outq->sacked list
        then throw away the sack queue
                SKB was deleted from outq->sacked
(but it was held by datamsg at sctp_datamsg_to_asoc
So, sctp_wfree was not called here)

then migrate happened

        sctp_for_each_tx_datachunk(
        sctp_clear_owner_w);
        sctp_assoc_migrate();
        sctp_for_each_tx_datachunk(
        sctp_set_owner_w);
SKB was not in the outq, and was not changed to newsk

finally

__sctp_outq_teardown
        sctp_chunk_put (for another skb)
                sctp_datamsg_put
                        __kfree_skb(msg->frag_list)
                                sctp_wfree (for SKB)
	SKB->sk was still oldsk (skb->sk != asoc->base.sk).

Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Acked-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
 		2020-06-17 16:40:24 +02:00
..
6lowpan 6lowpan: no need to check return value of debugfs_create functions 2019-07-06 12:50:01 +02:00
9p 9p pull request for inclusion in 5.4 2019-09-27 15:10:34 -07:00
802 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
8021q vlan: vlan_changelink() should propagate errors 2020-01-12 12:21:50 +01:00
appletalk appletalk: enforce CAP_NET_RAW for raw sockets 2019-09-24 16:37:18 +02:00
atm net: atm: Reduce the severity of logging in unlink_clip_vcc 2019-11-18 17:08:20 -08:00
ax25 ax25: fix setsockopt(SO_BINDTODEVICE) 2020-06-03 08:20:39 +02:00
batman-adv batman-adv: Fix refcnt leak in batadv_v_ogm_process 2020-05-14 07:58:28 +02:00
bluetooth Bluetooth: RFCOMM: fix ODEBUG bug in rfcomm_dev_ioctl 2020-04-13 10:48:13 +02:00
bpf bpf/flow_dissector: support flags in BPF_PROG_TEST_RUN 2019-07-25 18:00:41 -07:00
bpfilter net/bpfilter: remove superfluous testing message 2020-04-21 09:04:53 +02:00
bridge bridge: Avoid infinite loop when suppressing NS messages with invalid options 2020-06-17 16:40:20 +02:00
caif net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
can can: j1939: j1939_sk_bind(): take priv after lock is held 2019-12-31 16:45:56 +01:00
ceph libceph: ignore pool overlay and cache logic on redirects 2020-06-03 08:21:25 +02:00
core __netif_receive_skb_core: pass skb by reference 2020-06-03 08:20:47 +02:00
dcb treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 201 2019-05-30 11:29:52 -07:00
dccp net: ipv6: add net argument to ip6_dst_lookup_flow 2019-12-18 16:08:40 +01:00
decnet net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:18:58 +01:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-04-23 10:36:45 +02:00
dsa net: dsa: declare lockless TX feature for slave ports 2020-06-03 08:21:38 +02:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:20:06 +01:00
hsr hsr: check protocol version in hsr_newlink() 2020-04-21 09:04:44 +02:00
ieee802154 nl802154: add missing attribute validation for dev_type 2020-03-18 07:17:44 +01:00
ife net: Fix Kconfig indentation 2019-09-26 08:56:17 +02:00
ipv4 ipv4: fix a RCU-list lock in fib_triestat_seq_show 2020-06-17 16:40:24 +02:00
ipv6 ipv6: fix IPV6_ADDRFORM operation logic 2020-06-17 16:40:19 +02:00
iucv net/af_iucv: mark expected switch fall-throughs 2019-07-29 10:26:14 -07:00
kcm kcm: disable preemption in kcm_parse_func_strparser() 2019-09-27 10:27:14 +02:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-07-08 19:48:57 -07:00
l2tp l2tp: do not use inet_hash()/inet_unhash() 2020-06-10 20:24:54 +02:00
l3mdev ipv6: convert major tx path to use RT6_LOOKUP_F_DST_NOREF 2019-06-23 13:24:17 -07:00
lapb Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-17 20:20:36 -07:00
llc llc2: Fix return statement of llc_stat_ev_rx_null_dsap_xid_c (and _test_c) 2020-01-12 12:21:45 +01:00
mac80211 mac80211: mesh: fix discovery timer re-arming issue / crash 2020-06-03 08:21:30 +02:00
mac802154 treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 174 2019-05-30 11:26:41 -07:00
mpls net: ipv6_stub: use ip6_dst_lookup_flow instead of ip6_dst_lookup 2019-12-18 16:08:42 +01:00
ncsi net/ncsi: Disable global multicast filter 2019-09-19 18:04:40 -07:00
netfilter netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build 2020-06-03 08:21:39 +02:00
netlabel netlabel: cope with NULL catmap 2020-05-20 08:20:08 +02:00
netlink netlink: Use netlink header as base to calculate bad attribute offset 2020-03-18 07:17:40 +01:00
netrom net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node 2020-04-29 16:33:08 +02:00
nfc nfc: add missing attribute validation for vendor subcommand 2020-03-18 07:17:46 +01:00
nsh treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 500 2019-06-19 17:09:55 +02:00
openvswitch net: openvswitch: ovs_ct_exit to be done under ovs_lock 2020-04-29 16:33:08 +02:00
packet net/packet: tpacket_rcv: avoid a producer race condition 2020-04-01 11:01:35 +02:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-10-28 13:33:41 -07:00
psample net: psample: fix skb_over_panic 2019-12-04 22:30:54 +01:00
qrtr net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() 2020-06-03 08:21:00 +02:00
rds net/rds: Use ERR_PTR for rds_message_alloc_sgs() 2020-05-20 08:20:27 +02:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:21:33 +01:00
rose net: core: add generic lockdep keys 2019-10-24 14:53:48 -07:00
rxrpc rxrpc: Fix ack discard 2020-05-27 17:46:51 +02:00
sched net_sched: fix tcm_parent in tc filter dump 2020-05-20 08:20:07 +02:00
sctp sctp: fix refcount bug in sctp_wfree 2020-06-17 16:40:24 +02:00
smc net/smc: cancel event worker during device removal 2020-03-18 07:17:59 +01:00
strparser Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2019-06-22 08:59:24 -04:00
sunrpc SUNRPC: Revert 241b1f419f ("SUNRPC: Remove xdr_buf_trim()") 2020-05-20 08:20:39 +02:00
switchdev treewide: Replace GPLv2 boilerplate/reference with SPDX - rule 152 2019-05-30 11:26:32 -07:00
tipc tipc: block BH before using dst_cache 2020-06-03 08:21:03 +02:00
tls net/tls: free record only on encryption error 2020-06-03 08:21:06 +02:00
unix af_unix: add compat_ioctl support 2020-01-17 19:48:52 +01:00
vmw_vsock vsock: fix timeout in vsock_accept() 2020-06-10 20:24:55 +02:00
wimax wimax: no need to check return value of debugfs_create functions 2019-08-10 15:25:47 -07:00
wireless cfg80211: fix debugfs rename crash 2020-06-03 08:21:29 +02:00
x25 net/x25: Fix x25_neigh refcnt leak when receiving frame 2020-04-29 16:33:09 +02:00
xdp xsk: Add overflow check for u64 division, stored into u32 2020-06-03 08:21:36 +02:00
xfrm xfrm: fix a NULL-ptr deref in xfrm_local_error 2020-06-03 08:21:33 +02:00
Kconfig net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-04-01 11:02:18 +02:00
Makefile
compat.c uio: make import_iovec()/compat_import_iovec() return bytes on success 2019-05-31 15:30:03 -06:00
socket.c compat_ioctl: handle SIOCOUTQNSD 2020-01-17 19:48:52 +01:00
sysctl_net.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00