From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org,
syzbot+c1a380d42b190ad1e559@syzkaller.appspotmail.com,
Xin Long <lucien.xin@gmail.com>,
Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>,
Neil Horman <nhorman@redhat.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.1 20/62] sctp: fix error handling on stream scheduler initialization
Date: Fri, 26 Jul 2019 17:24:32 +0200
Message-ID: <20190726152303.823668436@linuxfoundation.org>
In-Reply-To: <20190726152301.720139286@linuxfoundation.org>
From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
[ Upstream commit 4d1415811e492d9a8238f8a92dd0d51612c788e9 ]
It allocates the extended area for outbound streams only on sendmsg
calls, if they are not yet allocated. When using the priority
stream scheduler, this initialization may imply a subsequent
allocation, which may fail. In this case, it was aborting the stream
scheduler initialization but leaving the ->ext pointer (allocated) in
there, thus in a partially initialized state. On a subsequent call to
sendmsg, it would notice the ->ext pointer in there, and trip on
uninitialized stuff when trying to schedule the data chunk.
The fix is to undo the ->ext initialization if the stream scheduler
initialization fails and avoid the partially initialized state.
Although syzkaller bisected this to commit 4ff40b86262b ("sctp: set
chunk transport correctly when it's a new asoc"), this bug was actually
introduced on the commit I marked below.
Reported-by: syzbot+c1a380d42b190ad1e559@syzkaller.appspotmail.com
Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
Tested-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/stream.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -168,13 +168,20 @@ out:
int sctp_stream_init_ext(struct sctp_stream *stream, __u16 sid)
{
struct sctp_stream_out_ext *soute;
+ int ret;
soute = kzalloc(sizeof(*soute), GFP_KERNEL);
if (!soute)
return -ENOMEM;
SCTP_SO(stream, sid)->ext = soute;
- return sctp_sched_init_sid(stream, sid, GFP_KERNEL);
+ ret = sctp_sched_init_sid(stream, sid, GFP_KERNEL);
+ if (ret) {
+ kfree(SCTP_SO(stream, sid)->ext);
+ SCTP_SO(stream, sid)->ext = NULL;
+ }
+
+ return ret;
}
void sctp_stream_free(struct sctp_stream *stream)
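Review bot: the error path at the end of the hunk frees through `SCTP_SO(stream, sid)->ext` even though the same pointer is still in the local `soute`; `kfree(soute);` followed by `SCTP_SO(stream, sid)->ext = NULL;` reads more directly and avoids re-evaluating the macro. The `= NULL` store is the essential part of the fix, not a cosmetic one: the commit message says sendmsg uses the presence of `->ext` to decide whether initialization is still needed, so freeing without clearing would leave a dangling pointer that the next sendmsg dereferences. A one-line comment above the `if (ret)` block stating that `->ext` must be left NULL on failure so the next sendmsg retries initialization would help future readers see why the reset is required.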