* Patch "sctp: return next obj by passing pos + 1 into sctp_transport_get_idx" has been added to the 4.9-stable tree
@ 2017-06-29 16:59 gregkh
0 siblings, 0 replies; only message in thread
From: gregkh @ 2017-06-29 16:59 UTC (permalink / raw)
To: lucien.xin, davem, gregkh; +Cc: stable, stable-commits
This is a note to let you know that I've just added the patch titled
sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
to the 4.9-stable tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary
The filename of the patch is:
sctp-return-next-obj-by-passing-pos-1-into-sctp_transport_get_idx.patch
and it can be found in the queue-4.9 subdirectory.
If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@vger.kernel.org> know about it.
>From foo@baz Thu Jun 29 18:57:46 CEST 2017
From: Xin Long <lucien.xin@gmail.com>
Date: Thu, 15 Jun 2017 17:49:08 +0800
Subject: sctp: return next obj by passing pos + 1 into sctp_transport_get_idx
From: Xin Long <lucien.xin@gmail.com>
[ Upstream commit 988c7322116970696211e902b468aefec95b6ec4 ]
In sctp_for_each_transport, pos is used to save how many objs it has
dumped. Now it gets the last obj by sctp_transport_get_idx, then gets
the next obj by sctp_transport_get_next.
The issue is that in the meanwhile if some objs in transport hashtable
are removed and the objs nums are less than pos, sctp_transport_get_idx
would return NULL and hti.walker.tbl is NULL as well. At this moment
it should stop hti, instead of continue getting the next obj. Or it
would cause a NULL pointer dereference in sctp_transport_get_next.
This patch is to pass pos + 1 into sctp_transport_get_idx to get the
next obj directly, even if pos > objs nums, it would return NULL and
stop hti.
Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/socket.c | 5 ++---
1 file changed, 2 insertions(+), 3 deletions(-)
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4506,9 +4506,8 @@ int sctp_for_each_transport(int (*cb)(st
if (err)
return err;
- sctp_transport_get_idx(net, &hti, pos);
- obj = sctp_transport_get_next(net, &hti);
- for (; obj && !IS_ERR(obj); obj = sctp_transport_get_next(net, &hti)) {
+ obj = sctp_transport_get_idx(net, &hti, pos + 1);
+ for (; !IS_ERR_OR_NULL(obj); obj = sctp_transport_get_next(net, &hti)) {
struct sctp_transport *transport = obj;
if (!sctp_transport_hold(transport))
Patches currently in stable-queue which might be from lucien.xin@gmail.com are
queue-4.9/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch
queue-4.9/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch
queue-4.9/sctp-return-next-obj-by-passing-pos-1-into-sctp_transport_get_idx.patch
queue-4.9/sctp-disable-bh-in-sctp_for_each_endpoint.patch
^ permalink raw reply [flat|nested] only message in thread
only message in thread, other threads:[~2017-06-29 17:00 UTC | newest]
Thread overview: (only message) (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2017-06-29 16:59 Patch "sctp: return next obj by passing pos + 1 into sctp_transport_get_idx" has been added to the 4.9-stable tree gregkh
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.