From: David Miller
Subject: Re: [PATCH net] sctp: return error if the asoc has been peeled off in sctp_wait_for_sndbuf
Date: Tue, 16 Jan 2018 14:25:07 -0500 (EST)
Message-ID: <20180116.142507.1091619802487211287.davem@davemloft.net>
References: <3c7ffecf19e5b08ed1df58e5359617e9513f77ef.1516006896.git.lucien.xin@gmail.com>
In-Reply-To: <3c7ffecf19e5b08ed1df58e5359617e9513f77ef.1516006896.git.lucien.xin@gmail.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
To: lucien.xin@gmail.com
Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org, marcelo.leitner@gmail.com, nhorman@tuxdriver.com
Return-path: Received: from shards.monkeyblade.net ([184.105.139.130]:58312 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750898AbeAPTZJ (ORCPT ); Tue, 16 Jan 2018 14:25:09 -0500
Sender: netdev-owner@vger.kernel.org
List-ID: netdev@vger.kernel.org

From: Xin Long
Date: Mon, 15 Jan 2018 17:01:36 +0800

> After commit cea0cc80a677 ("sctp: use the right sk after waking up from
> wait_buf sleep"), it may change to lock another sk if the asoc has been
> peeled off in sctp_wait_for_sndbuf.
>
> However, the asoc's new sk could be already closed elsewhere, as it's in
> the sendmsg context of the old sk that can't avoid the new sk's closing.
> If the sk's last refcnt is held by this asoc, later on after putting
> this asoc, the new sk will be freed, while under its own lock.
>
> This patch is to revert that commit, but fix the old issue by returning
> error under the old sk's lock.
>
> Fixes: cea0cc80a677 ("sctp: use the right sk after waking up from wait_buf sleep")
> Reported-by: syzbot+ac6ea7baa4432811eb50@syzkaller.appspotmail.com
> Signed-off-by: Xin Long

Applied and queued up for -stable.