From mboxrd@z Thu Jan 1 00:00:00 1970 From: David Miller Subject: Re: [PATCH net] sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg Date: Thu, 10 May 2018 17:49:08 -0400 (EDT) Message-ID: <20180510.174908.2166045029697003189.davem@davemloft.net> References: Mime-Version: 1.0 Content-Type: Text/Plain; charset=us-ascii Content-Transfer-Encoding: 7bit Cc: netdev@vger.kernel.org, linux-sctp@vger.kernel.org, marcelo.leitner@gmail.com, nhorman@tuxdriver.com, syzkaller@googlegroups.com To: lucien.xin@gmail.com Return-path: Received: from shards.monkeyblade.net ([184.105.139.130]:37790 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1752416AbeEJVtJ (ORCPT ); Thu, 10 May 2018 17:49:09 -0400 In-Reply-To: Sender: netdev-owner@vger.kernel.org List-ID: From: Xin Long Date: Thu, 10 May 2018 17:34:13 +0800 > In Commit 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too"), > it held the chunk in sctp_ulpevent_make_rcvmsg to access it safely later > in recvmsg. However, it also added sctp_chunk_put in fail_mark err path, > which is only triggered before holding the chunk. > > syzbot reported a use-after-free crash happened on this err path, where > it shouldn't call sctp_chunk_put. > > This patch simply removes this call. > > Fixes: 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too") > Reported-by: syzbot+141d898c5f24489db4aa@syzkaller.appspotmail.com > Signed-off-by: Xin Long Applied and queued up for -stable.