* [PATCH net 1/1] sctp: diag: reject stale associations in dump_one path
From: Ren Wei @ 2026-05-30 15:57 UTC (permalink / raw)
To: linux-sctp, netdev
Cc: marcelo.leitner, lucien.xin, davem, yuantan098, yifanwucs,
tomapufckgml, zcliangcn, bird, zzhan461, n05ec
From: Zhao Zhang <zzhan461@ucr.edu>
The SCTP exact sock_diag lookup can hold a transport reference, block on
lock_sock(sk), and then resume after sctp_association_free() has marked
the association dead and freed its bind address list.
When that happens, inet_assoc_attr_size() and
inet_diag_msg_sctpasoc_fill() can still dereference association state
that is no longer valid for reporting. In particular,
inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
real sctp_sockaddr_entry and trigger an out-of-bounds read from
unrelated association memory.
Reject the association after taking the socket lock if it has been
reaped or detached from the endpoint, and report the lookup as stale.
This keeps the exact dump-one path from formatting torn association
state.
Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Assisted-by: Codex:GPT-5.4
Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
net/sctp/diag.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
diff --git a/net/sctp/diag.c b/net/sctp/diag.c
index 2afb376299fe..d758f5c3e06e 100644
--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -266,15 +266,15 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t
lock_sock(sk);
- rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
- if (!rep) {
- release_sock(sk);
- return -ENOMEM;
+ if (ep != assoc->ep || assoc->base.dead) {
+ err = -ESTALE;
+ goto out_unlock;
}
- if (ep != assoc->ep) {
- err = -EAGAIN;
- goto out;
+ rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
+ if (!rep) {
+ err = -ENOMEM;
+ goto out_unlock;
}
err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk),
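Review bot: the endpoint-mismatch branch changes its errno from -EAGAIN to -ESTALE, which is visible to sock_diag callers; since this is tagged for stable, a sentence in the changelog confirming that no caller of sctp_sock_dump_one() retries on -EAGAIN would let reviewers verify the errno change is safe. Moving the check ahead of nlmsg_new() is the right order, because allocating the reply first meant inet_assoc_attr_size() already walked association state that could be torn. The new test `if (ep != assoc->ep || assoc->base.dead)` only closes the race if assoc->base.dead is written under the socket lock by sctp_association_free(); a one-line comment above the check stating that locking contract would spare the next reader from re-deriving it.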
@@ -289,8 +289,9 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t
return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid);
out:
- release_sock(sk);
kfree_skb(rep);
+out_unlock:
+ release_sock(sk);
return err;
}
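Review bot: a short comment marking the fall-through from `out:` into `out_unlock:` as intentional would help, since the error path now frees the reply before dropping the socket lock, the reverse of the previous order; that is harmless, as kfree_skb() does not need the lock, but without a comment a later cleanup may "fix" the label order. The -ENOMEM path correctly jumps to out_unlock rather than out because rep is NULL there; kfree_skb(NULL) would also be safe, so the chosen target is purely the clearer one.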
--
2.47.3
* Re: [PATCH net 1/1] sctp: diag: reject stale associations in dump_one path
From: Xin Long @ 2026-06-01 17:43 UTC (permalink / raw)
To: Ren Wei
Cc: linux-sctp, netdev, marcelo.leitner, davem, yuantan098, yifanwucs,
tomapufckgml, zcliangcn, bird, zzhan461
On Sat, May 30, 2026 at 11:57 AM Ren Wei <n05ec@lzu.edu.cn> wrote:
>
> From: Zhao Zhang <zzhan461@ucr.edu>
>
> The SCTP exact sock_diag lookup can hold a transport reference, block on
> lock_sock(sk), and then resume after sctp_association_free() has marked
> the association dead and freed its bind address list.
>
> When that happens, inet_assoc_attr_size() and
> inet_diag_msg_sctpasoc_fill() can still dereference association state
> that is no longer valid for reporting. In particular,
> inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
> real sctp_sockaddr_entry and trigger an out-of-bounds read from
> unrelated association memory.
>
> Reject the association after taking the socket lock if it has been
> reaped or detached from the endpoint, and report the lookup as stale.
> This keeps the exact dump-one path from formatting torn association
> state.
>
> Fixes: 8f840e47f190 ("sctp: add the sctp_diag.c file")
> Cc: stable@kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Zhengchuan Liang <zcliangcn@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Assisted-by: Codex:GPT-5.4
> Signed-off-by: Zhao Zhang <zzhan461@ucr.edu>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
> net/sctp/diag.c | 17 +++++++++--------
> 1 file changed, 9 insertions(+), 8 deletions(-)
>
> diff --git a/net/sctp/diag.c b/net/sctp/diag.c
> index 2afb376299fe..d758f5c3e06e 100644
> --- a/net/sctp/diag.c
> +++ b/net/sctp/diag.c
> @@ -266,15 +266,15 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t
>
> lock_sock(sk);
>
> - rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
> - if (!rep) {
> - release_sock(sk);
> - return -ENOMEM;
> + if (ep != assoc->ep || assoc->base.dead) {
> + err = -ESTALE;
> + goto out_unlock;
> }
>
> - if (ep != assoc->ep) {
> - err = -EAGAIN;
> - goto out;
> + rep = nlmsg_new(inet_assoc_attr_size(sk, assoc), GFP_KERNEL);
> + if (!rep) {
> + err = -ENOMEM;
> + goto out_unlock;
> }
>
> err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk),
> @@ -289,8 +289,9 @@ static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *t
> return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid);
>
> out:
> - release_sock(sk);
> kfree_skb(rep);
> +out_unlock:
> + release_sock(sk);
> return err;
> }
>
> --
> 2.47.3
>
Thanks for the fix.
Acked-by: Xin Long <lucien.xin@gmail.com>
Note that the issue reported in
https://sashiko.dev/#/patchset/fac6043fa20a2ff68e12958c431836f692c51268.1780113823.git.zzhan461%40ucr.edu
I don't think exists, as sctp_sock_filter() is called via
sctp_transport_traverse_process() where sctp_transport_get_next() only
returns primary_path's transport, not each transport.
* Re: [PATCH net 1/1] sctp: diag: reject stale associations in dump_one path
From: patchwork-bot+netdevbpf @ 2026-06-02 21:40 UTC (permalink / raw)
To: Ren Wei
Cc: linux-sctp, netdev, marcelo.leitner, lucien.xin, davem,
yuantan098, yifanwucs, tomapufckgml, zcliangcn, bird, zzhan461
Hello:
This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Sat, 30 May 2026 23:57:14 +0800 you wrote:
> From: Zhao Zhang <zzhan461@ucr.edu>
>
> The SCTP exact sock_diag lookup can hold a transport reference, block on
> lock_sock(sk), and then resume after sctp_association_free() has marked
> the association dead and freed its bind address list.
>
> When that happens, inet_assoc_attr_size() and
> inet_diag_msg_sctpasoc_fill() can still dereference association state
> that is no longer valid for reporting. In particular,
> inet_diag_msg_sctpasoc_fill() may read an empty bind-address list as a
> real sctp_sockaddr_entry and trigger an out-of-bounds read from
> unrelated association memory.
>
> [...]
Here is the summary with links:
- [net,1/1] sctp: diag: reject stale associations in dump_one path
https://git.kernel.org/netdev/net/c/5eba3e48d78e
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html