From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
stable@vger.kernel.org, Xin Long <lucien.xin@gmail.com>,
"David S. Miller" <davem@davemloft.net>
Subject: [PATCH 5.15 26/72] sctp: hold endpoint before calling cb in sctp_transport_lookup_process
Date: Mon, 10 Jan 2022 08:23:03 +0100 [thread overview]
Message-ID: <20220110071822.454728244@linuxfoundation.org> (raw)
In-Reply-To: <20220110071821.500480371@linuxfoundation.org>
From: Xin Long <lucien.xin@gmail.com>
commit f9d31c4cf4c11ff10317f038b9c6f7c3bda6cdd4 upstream.
The same fix in commit 5ec7d18d1813 ("sctp: use call_rcu to free endpoint")
is also needed for dumping one asoc and sock after the lookup.
Fixes: 86fdb3448cc1 ("sctp: ensure ep is not destroyed before doing the dump")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
include/net/sctp/sctp.h | 3 +--
net/sctp/diag.c | 48 ++++++++++++++++++++++--------------------------
net/sctp/socket.c | 22 +++++++++++++++-------
3 files changed, 38 insertions(+), 35 deletions(-)
--- a/include/net/sctp/sctp.h
+++ b/include/net/sctp/sctp.h
@@ -112,8 +112,7 @@ struct sctp_transport *sctp_transport_ge
struct rhashtable_iter *iter);
struct sctp_transport *sctp_transport_get_idx(struct net *net,
struct rhashtable_iter *iter, int pos);
-int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *),
- struct net *net,
+int sctp_transport_lookup_process(sctp_callback_t cb, struct net *net,
const union sctp_addr *laddr,
const union sctp_addr *paddr, void *p);
int sctp_transport_traverse_process(sctp_callback_t cb, sctp_callback_t cb_done,
--- a/net/sctp/diag.c
+++ b/net/sctp/diag.c
@@ -245,48 +245,44 @@ static size_t inet_assoc_attr_size(struc
+ 64;
}
-static int sctp_tsp_dump_one(struct sctp_transport *tsp, void *p)
+static int sctp_sock_dump_one(struct sctp_endpoint *ep, struct sctp_transport *tsp, void *p)
{
struct sctp_association *assoc = tsp->asoc;
- struct sock *sk = tsp->asoc->base.sk;
struct sctp_comm_param *commp = p;
- struct sk_buff *in_skb = commp->skb;
+ struct sock *sk = ep->base.sk;
const struct inet_diag_req_v2 *req = commp->r;
- const struct nlmsghdr *nlh = commp->nlh;
- struct net *net = sock_net(in_skb->sk);
+ struct sk_buff *skb = commp->skb;
struct sk_buff *rep;
int err;
err = sock_diag_check_cookie(sk, req->id.idiag_cookie);
if (err)
- goto out;
+ return err;
- err = -ENOMEM;
rep = nlmsg_new(inet_assoc_attr_size(assoc), GFP_KERNEL);
if (!rep)
- goto out;
+ return -ENOMEM;
lock_sock(sk);
- if (sk != assoc->base.sk) {
- release_sock(sk);
- sk = assoc->base.sk;
- lock_sock(sk);
- }
- err = inet_sctp_diag_fill(sk, assoc, rep, req,
- sk_user_ns(NETLINK_CB(in_skb).sk),
- NETLINK_CB(in_skb).portid,
- nlh->nlmsg_seq, 0, nlh,
- commp->net_admin);
- release_sock(sk);
+ if (ep != assoc->ep) {
+ err = -EAGAIN;
+ goto out;
+ }
+
+ err = inet_sctp_diag_fill(sk, assoc, rep, req, sk_user_ns(NETLINK_CB(skb).sk),
+ NETLINK_CB(skb).portid, commp->nlh->nlmsg_seq, 0,
+ commp->nlh, commp->net_admin);
if (err < 0) {
WARN_ON(err == -EMSGSIZE);
- kfree_skb(rep);
goto out;
}
+ release_sock(sk);
- err = nlmsg_unicast(net->diag_nlsk, rep, NETLINK_CB(in_skb).portid);
+ return nlmsg_unicast(sock_net(skb->sk)->diag_nlsk, rep, NETLINK_CB(skb).portid);
out:
+ release_sock(sk);
+ kfree_skb(rep);
return err;
}
@@ -429,15 +425,15 @@ static void sctp_diag_get_info(struct so
static int sctp_diag_dump_one(struct netlink_callback *cb,
const struct inet_diag_req_v2 *req)
{
- struct sk_buff *in_skb = cb->skb;
- struct net *net = sock_net(in_skb->sk);
+ struct sk_buff *skb = cb->skb;
+ struct net *net = sock_net(skb->sk);
const struct nlmsghdr *nlh = cb->nlh;
union sctp_addr laddr, paddr;
struct sctp_comm_param commp = {
- .skb = in_skb,
+ .skb = skb,
.r = req,
.nlh = nlh,
- .net_admin = netlink_net_capable(in_skb, CAP_NET_ADMIN),
+ .net_admin = netlink_net_capable(skb, CAP_NET_ADMIN),
};
if (req->sdiag_family == AF_INET) {
@@ -460,7 +456,7 @@ static int sctp_diag_dump_one(struct net
paddr.v6.sin6_family = AF_INET6;
}
- return sctp_transport_lookup_process(sctp_tsp_dump_one,
+ return sctp_transport_lookup_process(sctp_sock_dump_one,
net, &laddr, &paddr, &commp);
}
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -5317,23 +5317,31 @@ int sctp_for_each_endpoint(int (*cb)(str
}
EXPORT_SYMBOL_GPL(sctp_for_each_endpoint);
-int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *),
- struct net *net,
+int sctp_transport_lookup_process(sctp_callback_t cb, struct net *net,
const union sctp_addr *laddr,
const union sctp_addr *paddr, void *p)
{
struct sctp_transport *transport;
- int err;
+ struct sctp_endpoint *ep;
+ int err = -ENOENT;
rcu_read_lock();
transport = sctp_addrs_lookup_transport(net, laddr, paddr);
+ if (!transport) {
+ rcu_read_unlock();
+ return err;
+ }
+ ep = transport->asoc->ep;
+ if (!sctp_endpoint_hold(ep)) { /* asoc can be peeled off */
+ sctp_transport_put(transport);
+ rcu_read_unlock();
+ return err;
+ }
rcu_read_unlock();
- if (!transport)
- return -ENOENT;
- err = cb(transport, p);
+ err = cb(ep, transport, p);
+ sctp_endpoint_put(ep);
sctp_transport_put(transport);
-
return err;
}
EXPORT_SYMBOL_GPL(sctp_transport_lookup_process);
next prev parent reply other threads:[~2022-01-10 7:41 UTC|newest]
Thread overview: 83+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-01-10 7:22 [PATCH 5.15 00/72] 5.15.14-rc1 review Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 01/72] fscache_cookie_enabled: check cookie is valid before accessing it Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 02/72] selftests: x86: fix [-Wstringop-overread] warn in test_process_vm_readv() Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 03/72] tracing: Fix check for trace_percpu_buffer validity in get_trace_buf() Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 04/72] tracing: Tag trace_percpu_buffer as a percpu pointer Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 05/72] Revert "RDMA/mlx5: Fix releasing unallocated memory in dereg MR flow" Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 06/72] ieee802154: atusb: fix uninit value in atusb_set_extended_addr Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 07/72] i40e: Fix to not show opcode msg on unsuccessful VF MAC change Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 08/72] iavf: Fix limit of total number of queues to active queues of VF Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 09/72] RDMA/core: Dont infoleak GRH fields Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 10/72] Revert "net: usb: r8152: Add MAC passthrough support for more Lenovo Docks" Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 11/72] netrom: fix copying in user data in nr_setsockopt Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 12/72] RDMA/uverbs: Check for null return of kmalloc_array Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 13/72] mac80211: initialize variable have_higher_than_11mbit Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 14/72] mac80211: mesh: embedd mesh_paths and mpp_paths into ieee80211_if_mesh Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 15/72] sfc: The RX page_ring is optional Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 16/72] i40e: fix use-after-free in i40e_sync_filters_subtask() Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 17/72] i40e: Fix for displaying message regarding NVM version Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 18/72] i40e: Fix incorrect netdevs real number of RX/TX queues Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 19/72] ftrace/samples: Add missing prototypes direct functions Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 20/72] ipv4: Check attribute length for RTA_GATEWAY in multipath route Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 21/72] ipv4: Check attribute length for RTA_FLOW " Greg Kroah-Hartman
2022-01-10 7:22 ` [PATCH 5.15 22/72] ipv6: Check attribute length for RTA_GATEWAY " Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 23/72] ipv6: Check attribute length for RTA_GATEWAY when deleting " Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 24/72] lwtunnel: Validate RTA_ENCAP_TYPE attribute length Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 25/72] selftests: net: udpgro_fwd.sh: explicitly checking the available ping feature Greg Kroah-Hartman
2022-01-10 7:23 ` Greg Kroah-Hartman [this message]
2022-01-10 7:23 ` [PATCH 5.15 27/72] batman-adv: mcast: dont send link-local multicast to mcast routers Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 28/72] sch_qfq: prevent shift-out-of-bounds in qfq_init_qdisc Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 29/72] net: ena: Fix undefined state when tx request id is out of bounds Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 30/72] net: ena: Fix wrong rx request id by resetting device Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 31/72] net: ena: Fix error handling when calculating max IO queues number Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 32/72] md/raid1: fix missing bitmap update w/o WriteMostly devices Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 33/72] EDAC/i10nm: Release mdev/mbase when failing to detect HBM Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 34/72] KVM: x86: Check for rmaps allocation Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 35/72] cgroup: Use open-time credentials for process migraton perm checks Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 36/72] cgroup: Allocate cgroup_file_ctx for kernfs_open_file->priv Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 37/72] cgroup: Use open-time cgroup namespace for process migration perm checks Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 38/72] Revert "i2c: core: support bus regulator controlling in adapter" Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 39/72] i2c: mpc: Avoid out of bounds memory access Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 40/72] xfs: map unwritten blocks in XFS_IOC_{ALLOC,FREE}SP just like fallocate Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 41/72] power: supply: core: Break capacity loop Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 42/72] power: reset: ltc2952: Fix use of floating point literals Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 43/72] reset: renesas: Fix Runtime PM usage Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 44/72] rndis_host: support Hytera digital radios Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 45/72] gpio: gpio-aspeed-sgpio: Fix wrong hwirq base in irq handler Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 46/72] net ticp:fix a kernel-infoleak in __tipc_sendmsg() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 47/72] phonet: refcount leak in pep_sock_accep Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 48/72] fbdev: fbmem: add a helper to determine if an aperture is used by a fw fb Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 49/72] drm/amdgpu: disable runpm if we are the primary adapter Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 50/72] power: bq25890: Enable continuous conversion for ADC at charging Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 51/72] ipv6: Continue processing multipath route even if gateway attribute is invalid Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 52/72] ipv6: Do cleanup if attribute validation fails in multipath route Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 53/72] auxdisplay: charlcd: checking for pointer reference before dereferencing Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 54/72] drm/amdgpu: fix dropped backing store handling in amdgpu_dma_buf_move_notify Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 55/72] drm/amd/pm: Fix xgmi link control on aldebaran Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 56/72] usb: mtu3: fix interval value for intr and isoc Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 57/72] scsi: libiscsi: Fix UAF in iscsi_conn_get_param()/iscsi_conn_teardown() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 58/72] ip6_vti: initialize __ip6_tnl_parm struct in vti6_siocdevprivate Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 59/72] net: udp: fix alignment problem in udp4_seq_show() Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 60/72] atlantic: Fix buff_ring OOB in aq_ring_rx_clean Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 61/72] drm/amd/pm: skip setting gfx cgpg in the s0ix suspend-resume Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 62/72] drm/amdgpu: always reset the asic in suspend (v2) Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 63/72] drm/amdgpu: put SMU into proper state on runpm suspending for BOCO capable platform Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 64/72] mISDN: change function names to avoid conflicts Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 65/72] drm/amd/display: fix B0 TMDS deepcolor no dislay issue Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 66/72] drm/amd/display: Added power down for DCN10 Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 67/72] ipv6: raw: check passed optlen before reading Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 68/72] userfaultfd/selftests: fix hugetlb area allocations Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 69/72] ARM: dts: gpio-ranges property is now required Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 70/72] Input: zinitix - make sure the IRQ is allocated before it gets enabled Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 71/72] Revert "drm/amdgpu: stop scheduler when calling hw_fini (v2)" Greg Kroah-Hartman
2022-01-10 7:23 ` [PATCH 5.15 72/72] drm/amd/pm: keep the BACO feature enabled for suspend Greg Kroah-Hartman
2022-01-10 11:49 ` [PATCH 5.15 00/72] 5.15.14-rc1 review Jon Hunter
2022-01-10 14:30 ` Jeffrin Jose T
2022-01-10 20:16 ` Florian Fainelli
2022-01-10 21:17 ` Fox Chen
2022-01-10 22:55 ` Shuah Khan
2022-01-10 23:50 ` Guenter Roeck
2022-01-11 3:48 ` Zan Aziz
2022-01-11 5:14 ` Naresh Kamboju
2022-01-11 7:35 ` Rudi Heitbaum
2022-01-11 12:41 ` Sudip Mukherjee
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220110071822.454728244@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
--cc=lucien.xin@gmail.com \
--cc=stable@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).