android_kernel_motorola_sm6225/net/sctp
Qiujun Huang 6ce6aea362 sctp: fix refcount bug in sctp_wfree
[ Upstream commit 5c3e82fe159622e46e91458c1a6509c321a62820 ]

We should iterate over the datamsgs to move
all chunks (skbs) to newsk.

The following case causes the bug:
for the trouble SKB, it was in outq->transmitted list

sctp_outq_sack
        sctp_check_transmitted
                SKB was moved to outq->sacked list
        then throw away the sack queue
                SKB was deleted from outq->sacked
(but it was held by datamsg at sctp_datamsg_to_asoc
So, sctp_wfree was not called here)

then migrate happened

        sctp_for_each_tx_datachunk(
        sctp_clear_owner_w);
        sctp_assoc_migrate();
        sctp_for_each_tx_datachunk(
        sctp_set_owner_w);
SKB was not in the outq, and was not changed to newsk

finally

__sctp_outq_teardown
        sctp_chunk_put (for another skb)
                sctp_datamsg_put
                        __kfree_skb(msg->frag_list)
                                sctp_wfree (for SKB)
	SKB->sk was still oldsk (skb->sk != asoc->base.sk).

Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
Signed-off-by: Qiujun Huang <hqjagain@gmail.com>
Acked-by: Marcelo Ricardo Leitner <mleitner@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2020-04-13 10:44:57 +02:00
associola.c sctp: cache netns in sctp_ep_common 2019-12-05 09:21:32 +01:00
auth.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bind_addr.c
chunk.c sctp: frag_point sanity check 2019-12-13 08:52:29 +01:00
debug.c sctp: add SCTP_CID_I_DATA and SCTP_CID_I_FWD_TSN conversion in sctp_cname 2018-02-12 11:40:01 -05:00
diag.c inet_diag: return classid for all socket types 2020-03-18 07:14:11 +01:00
endpointola.c sctp: cache netns in sctp_ep_common 2019-12-05 09:21:32 +01:00
input.c sctp: add chunks to sk_backlog when the newsk sk_socket is not set 2020-01-27 14:51:17 +01:00
inqueue.c sctp: fix the issue that the cookie-ack with auth can't get processed 2018-05-02 11:15:33 -04:00
ipv6.c sctp: set flow sport from saddr only when it's 0 2019-02-06 17:30:10 +01:00
Kconfig sctp: whitespace fixes 2018-07-24 14:10:42 -07:00
Makefile sctp: rename sctp_diag.c as diag.c 2018-02-13 13:56:31 -05:00
objcnt.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
offload.c sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment 2019-02-27 10:08:58 +01:00
output.c sctp: increase sk_wmem_alloc when head->truesize is increased 2019-12-13 08:52:00 +01:00
outqueue.c sctp: define SCTP_SS_DEFAULT for Stream schedulers 2018-11-23 08:17:06 +01:00
primitive.c
proc.c sctp: remove useless start_fail from sctp_ht_iter in proc 2018-08-27 15:13:17 -07:00
protocol.c sctp: fully initialize v4 addr in some functions 2019-12-31 16:34:40 +01:00
sm_make_chunk.c sctp: Free cookie before we memdup a new one 2019-06-22 08:15:14 +02:00
sm_sideeffect.c sctp: free cmd->obj.chunk for the unprocessed SCTP_CMD_REPLY 2020-01-12 12:17:27 +01:00
sm_statefuns.c sctp: move the format error check out of __sctp_sf_do_9_1_abort 2020-03-05 16:42:16 +01:00
sm_statetable.c sctp: implement validate_ftsn for sctp_stream_interleave 2017-12-15 13:52:22 -05:00
socket.c sctp: fix refcount bug in sctp_wfree 2020-04-13 10:44:57 +02:00
stream.c sctp: fix memleak in sctp_send_reset_streams 2019-08-25 10:48:04 +02:00
stream_interleave.c net/sctp: Make wrappers for accessing in/out streams 2018-08-11 12:25:15 -07:00
stream_sched.c net/sctp: Make wrappers for accessing in/out streams 2018-08-11 12:25:15 -07:00
stream_sched_prio.c net/sctp: Make wrappers for accessing in/out streams 2018-08-11 12:25:15 -07:00
stream_sched_rr.c net/sctp: Make wrappers for accessing in/out streams 2018-08-11 12:25:15 -07:00
sysctl.c sctp: support sysctl to allow users to use stream interleave 2017-12-15 13:52:22 -05:00
transport.c net: add bool confirm_neigh parameter for dst_ops.update_pmtu 2020-01-04 19:13:37 +01:00
tsnmap.c
ulpevent.c sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg 2018-05-10 17:48:36 -04:00
ulpqueue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-12-22 11:16:31 -05:00