asgardius/android_kernel_motorola_sm6225
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
android_kernel_motorola_sm6225/net
History
Qiujun Huang 6ce6aea362 sctp: fix refcount bug in sctp_wfree 
[ Upstream commit 5c3e82fe159622e46e91458c1a6509c321a62820 ]

We should iterate over the datamsgs to move
all chunks(skbs) to newsk.

The following case cause the bug:
for the trouble SKB, it was in outq->transmitted list

sctp_outq_sack
        sctp_check_transmitted
                SKB was moved to outq->sacked list
        then throw away the sack queue
                SKB was deleted from outq->sacked
(but it was held by datamsg at sctp_datamsg_to_asoc
So, sctp_wfree was not called here)

then migrate happened

        sctp_for_each_tx_datachunk(
        sctp_clear_owner_w);
        sctp_assoc_migrate();
        sctp_for_each_tx_datachunk(
        sctp_set_owner_w);
SKB was not in the outq, and was not changed to newsk

finally

__sctp_outq_teardown
        sctp_chunk_put (for another skb)
                sctp_datamsg_put
                        __kfree_skb(msg->frag_list)
                                sctp_wfree (for SKB)
	SKB->sk was still oldsk (skb->sk != asoc->base.sk).

Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Acked-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-13 10:44:57 +02:00
..
6lowpan 6lowpan: Off by one handling ->nexthdr 2020-01-27 14:50:41 +01:00
9p 9p: Transport error uninitialized 2019-10-11 18:21:12 +02:00
802
8021q vlan: vlan_changelink() should propagate errors 2020-01-12 12:17:28 +01:00
appletalk appletalk: Set error code if register_snap_client failed 2019-12-13 08:52:59 +01:00
atm net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:27:48 +01:00
ax25 ax25: enforce CAP_NET_RAW for raw sockets 2019-10-05 13:09:32 +02:00
batman-adv batman-adv: Avoid free/alloc race when handling OGM2 buffer 2020-03-18 07:14:25 +01:00
bluetooth Bluetooth: Fix race condition in hci_release_sock() 2020-02-05 14:43:39 +00:00
bpf bpf/test_run: support cgroup local storage 2018-08-03 00:47:32 +02:00
bpfilter signal/bpfilter: Fix bpfilter_kernl to use send_sig not force_sig 2020-01-27 14:50:51 +01:00
bridge netfilter: ebtables: CONFIG_COMPAT: reject trailing data after last rule 2020-01-27 14:50:47 +01:00
caif net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:27:48 +01:00
can can: gw: Fix error path of cgw_module_init 2019-08-29 08:28:30 +02:00
ceph ceph: check POOL_FLAG_FULL/NEARFULL in addition to OSDMAP_FULL/NEARFULL 2020-04-02 15:28:16 +02:00
core devlink: validate length of region addr/len 2020-03-18 07:14:18 +01:00
dcb net: dcb: Add priority-to-DSCP map getters 2018-07-27 13:17:50 -07:00
dccp dccp: Fix memleak in __feat_register_sp 2020-01-17 19:46:58 +01:00
decnet net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:13:37 +01:00
dns_resolver net: remove blank lines at end of file 2018-07-24 14:10:43 -07:00
dsa net: dsa: Fix duplicate frames flooded by learning 2020-04-02 15:28:11 +02:00
ethernet net: add annotations on hh->hh_len lockless accesses 2020-01-09 10:19:09 +01:00
hsr hsr: set .netnsok flag 2020-04-02 15:28:14 +02:00
ieee802154 nl802154: add missing attribute validation for dev_type 2020-03-18 07:14:15 +01:00
ife
ipv4 net, ip_tunnel: fix interface lookup with no key 2020-04-13 10:44:57 +02:00
ipv6 vti6: Fix memory leak of skb if input policy check fails 2020-04-02 15:28:19 +02:00
iucv net/af_iucv: always register net_device notifier 2020-01-27 14:50:56 +01:00
kcm kcm: switch order of device registration to fix a crash 2019-04-17 08:38:40 +02:00
key af_key: fix leaks in key_pol_get_resp and dump_sp. 2019-07-26 09:14:01 +02:00
l2tp l2tp: Allow duplicate session creation with UDP 2020-02-11 04:33:52 -08:00
l3mdev
lapb lapb: fixed leak of control-blocks. 2019-06-22 08:15:13 +02:00
llc llc: fix sk_buff refcounting in llc_conn_state_process() 2020-01-27 14:51:17 +01:00
mac80211 mac80211: fix authentication with iwlwifi/mvm 2020-04-02 15:28:22 +02:00
mac802154 net: mac802154: tx: expand tailroom if necessary 2018-08-06 11:21:37 +02:00
mpls mpls: fix warning with multi-label encap 2020-01-27 14:50:54 +01:00
ncsi net/ncsi: Fixup .dumpit message flags and ID check in Netlink handler 2018-08-22 21:39:08 -07:00
netfilter netfilter: nft_fwd_netdev: validate family and chain type 2020-04-02 15:28:19 +02:00
netlabel netlabel: fix out-of-bounds memory accesses 2019-03-10 07:17:18 +01:00
netlink netlink: Use netlink header as base to calculate bad attribute offset 2020-03-18 07:14:12 +01:00
netrom netrom: hold sock when setting skb->destructor 2019-07-28 08:29:27 +02:00
nfc nfc: add missing attribute validation for vendor subcommand 2020-03-18 07:14:17 +01:00
nsh nsh: set mac len based on inner packet 2018-07-12 16:55:29 -07:00
openvswitch openvswitch: support asymmetric conntrack 2019-12-21 10:57:14 +01:00
packet net/packet: tpacket_rcv: avoid a producer race condition 2020-04-02 15:28:11 +02:00
phonet net: use skb_queue_empty_lockless() in poll() handlers 2019-11-10 11:27:48 +01:00
psample net: psample: fix skb_over_panic 2019-12-05 09:21:30 +01:00
qrtr net: qrtr: fix len of skb_put_padto in qrtr_node_enqueue 2020-03-20 11:55:59 +01:00
rds net/rds: Fix 'ib_evt_handler_call' element in 'rds_ib_stat_names' 2020-01-27 14:51:13 +01:00
rfkill rfkill: Fix incorrect check to avoid NULL pointer dereference 2020-01-12 12:17:17 +01:00
rose net/rose: fix unbound loop in rose_loopback_timer() 2019-05-02 09:59:00 +02:00
rxrpc rxrpc: Fix call RCU cleanup using non-bh-safe locks 2020-02-28 16:39:00 +01:00
sched net_sched: keep alloc_hash updated after hash allocation 2020-04-02 15:28:11 +02:00
sctp sctp: fix refcount bug in sctp_wfree 2020-04-13 10:44:57 +02:00
smc net/smc: cancel event worker during device removal 2020-03-18 07:14:25 +01:00
strparser net: strparser: partially revert "strparser: Call skb_unclone conditionally" 2019-05-16 19:41:27 +02:00
sunrpc sunrpc: expiry_time should be seconds not timeval 2020-02-11 04:34:07 -08:00
switchdev
tipc tipc: add missing attribute validation for MTU property 2020-03-18 07:14:18 +01:00
tls net/tls: Fix to avoid gettig invalid tls record 2020-03-05 16:42:17 +01:00
unix af_unix: add compat_ioctl support 2020-01-17 19:47:07 +01:00
vmw_vsock hv_sock: Remove the accept port restriction 2020-02-14 16:33:22 -05:00
wimax wimax: remove blank lines at EOF 2018-07-24 14:10:42 -07:00
wireless nl80211: fix NL80211_ATTR_CHANNEL_WIDTH attribute type 2020-04-02 15:28:17 +02:00
x25 net/x25: fix nonblocking connect 2020-01-29 16:43:24 +01:00
xdp xsk: Fix registration of Rx-only sockets 2020-01-27 14:51:19 +01:00
xfrm xfrm: policy: Fix doulbe free in xfrm_policy_timer 2020-04-02 15:28:19 +02:00
compat.c sock: Make sock->sk_stamp thread-safe 2019-01-09 17:38:33 +01:00
Kconfig net: remove blank lines at end of file 2018-07-24 14:10:43 -07:00
Makefile bpfilter: check compiler capability in Kconfig 2018-06-28 13:36:39 +09:00
socket.c compat_ioctl: handle SIOCOUTQNSD 2020-01-17 19:47:07 +01:00
sysctl_net.c