From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org,
	syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com,
	Xin Long <lucien.xin@gmail.com>,
	"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 3.18 04/83] sctp: clear the transport of some out_chunk_list chunks in sctp_assoc_rm_peer
Date: Thu, 29 Nov 2018 15:11:22 +0100
Message-ID: <20181129140138.261155061@linuxfoundation.org>
In-Reply-To: <20181129140138.002176596@linuxfoundation.org>

3.18-stable review patch.  If anyone has any objections, please let me know.

------------------

From: Xin Long <lucien.xin@gmail.com>

commit df132eff463873e14e019a07f387b4d577d6d1f9 upstream.

If a transport is removed by asconf but there still are some chunks with
this transport queuing on out_chunk_list, later a use-after-free issue
will be caused when accessing this transport from these chunks in
sctp_outq_flush().

This is an old bug, we fix it by clearing the transport of these chunks
in out_chunk_list when removing a transport in sctp_assoc_rm_peer().

Reported-by: syzbot+56a40ceee5fb35932f4d@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

---
 net/sctp/associola.c |   10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

--- a/net/sctp/associola.c
+++ b/net/sctp/associola.c
@@ -487,8 +487,9 @@ void sctp_assoc_set_primary(struct sctp_
 void sctp_assoc_rm_peer(struct sctp_association *asoc,
 			struct sctp_transport *peer)
 {
-	struct list_head	*pos;
-	struct sctp_transport	*transport;
+	struct sctp_transport *transport;
+	struct list_head *pos;
+	struct sctp_chunk *ch;
 
 	pr_debug("%s: association:%p addr:%pISpc\n",
 		 __func__, asoc, &peer->ipaddr.sa);
@@ -544,7 +545,6 @@ void sctp_assoc_rm_peer(struct sctp_asso
 	 */
 	if (!list_empty(&peer->transmitted)) {
 		struct sctp_transport *active = asoc->peer.active_path;
-		struct sctp_chunk *ch;
 
 		/* Reset the transport of each chunk on this list */
 		list_for_each_entry(ch, &peer->transmitted,
@@ -566,6 +566,10 @@ void sctp_assoc_rm_peer(struct sctp_asso
 				sctp_transport_hold(active);
 	}
 
+	list_for_each_entry(ch, &asoc->outqueue.out_chunk_list, list)
+		if (ch->transport == peer)
+			ch->transport = NULL;
+
 	asoc->peer.transport_count--;
 
 	sctp_transport_free(peer);
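
Review bot: The new loop over asoc->outqueue.out_chunk_list, added just before asoc->peer.transport_count--, has no comment, and it sets ch->transport to NULL while the peer->transmitted branch above it (commented "Reset the transport of each chunk on this list") works with asoc->peer.active_path. A short comment saying why NULL is the right value for chunks still queued here, and that sctp_outq_flush() is expected to cope with a chunk that has no transport, would record the invariant this fix relies on. Kernel coding style also asks for braces around the list_for_each_entry body, since it holds more than a single simple statement.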
