linux/net
Xin Long 715f5552b1 sctp: hold the transport before using it in sctp_hash_cmp
Since commit 4f00878126 ("sctp: apply rhashtable api to send/recv
path"), sctp uses transport rhashtable with .obj_cmpfn sctp_hash_cmp,
in which it compares the members of the transport with the rhashtable
args to check if it's the right transport.

But sctp uses the transport without holding it in sctp_hash_cmp, it can
cause a use-after-free panic. As after it gets transport from hashtable,
another CPU may close the sk and free the asoc. In sctp_association_free,
it frees all the transports, meanwhile, the assoc's refcnt may be reduced
to 0, assoc can be destroyed by sctp_association_destroy.

So after that, transport->assoc is actually an unavailable memory address
in sctp_hash_cmp. Although sctp_hash_cmp is under rcu_read_lock, it still
cannot avoid this, as assoc is not freed by RCU.

This patch is to hold the transport before checking its members with
sctp_transport_hold, in which it checks the refcnt first, holds it if
it's not 0.

Fixes: 4f00878126 ("sctp: apply rhashtable api to send/recv path")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-09-13 11:44:58 -04:00
..
6lowpan 6lowpan: ndisc: set invalid unicast short addr to unspec 2016-07-08 13:23:12 +02:00
9p 9p/trans_virtio: use kvfree() for iov_iter_get_pages_alloc() 2016-08-09 13:42:36 +03:00
802
8021q net: remove type_check from dev_get_nest_level() 2016-08-13 15:15:54 -07:00
appletalk
atm net: add dev arg to ndo_neigh_construct/destroy 2016-07-05 09:06:28 -07:00
ax25 AX.25: Close socket connection on session completion 2016-06-18 20:55:34 -07:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-07-24 00:53:32 -04:00
bluetooth Bluetooth: Fix hci_sock_recvmsg when MSG_TRUNC is not set 2016-08-25 20:58:47 +02:00
bridge net: bridge: don't increment tx_dropped in br_do_proxy_arp 2016-09-01 16:35:30 -07:00
caif caif: Remove unneeded header file 2016-06-28 05:26:14 -04:00
can can: only call can_stat_update with procfs 2016-06-23 11:23:49 +02:00
ceph libceph: using kfree_rcu() to simplify the code 2016-08-08 21:41:42 +02:00
core bonding: Fix bonding crash 2016-09-04 11:41:12 -07:00
dcb
dccp Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2016-07-29 17:38:46 -07:00
decnet net: fix decnet rtnexthop parsing 2016-07-05 14:08:47 -07:00
dns_resolver
dsa net: dsa: support switchdev ageing time attr 2016-07-19 19:42:01 -07:00
ethernet
hsr net/hsr: Use setup_timer and mod_timer. 2016-05-16 14:00:43 -04:00
ieee802154 ieee802154: 6lowpan: fix intra pan id check 2016-07-08 13:23:12 +02:00
ipv4 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2016-09-13 11:17:24 -04:00
ipv6 Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2016-09-13 11:17:24 -04:00
ipx
irda net/irda: handle iriap_register_lsap() allocation failure 2016-08-13 15:09:07 -07:00
iucv Merge branch 'next' of git://git.kernel.org/pub/scm/linux/kernel/git/jmorris/linux-security 2016-07-29 17:38:46 -07:00
kcm kcm: fix a socket double free 2016-08-31 21:00:19 -07:00
key
l2tp l2tp: fix use-after-free during module unload 2016-09-02 11:44:44 -07:00
l3mdev net: vrf: Implement get_saddr for IPv6 2016-06-17 21:25:29 -07:00
lapb net/lapb: tuse %*ph to dump buffers 2016-05-29 22:33:25 -07:00
llc Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-05-09 15:59:24 -04:00
mac80211 mac80211: TDLS: don't require beaconing for AP BW 2016-08-30 08:03:41 +02:00
mac802154
mpls mpls: allow routes on ipip and sit devices 2016-07-09 17:45:56 -04:00
ncsi net/ncsi: avoid maybe-uninitialized warning 2016-07-25 10:32:59 -07:00
netfilter netfilter: synproxy: Check oom when adding synproxy and seqadj ct extensions 2016-09-13 10:50:56 +02:00
netlabel netlabel: Implement CALIPSO config functions for SMACK. 2016-06-27 15:06:18 -04:00
netlink net/netlink/af_netlink.h: Remove unused structure. 2016-06-09 22:26:24 -07:00
netrom
nfc NFC: digital: Fix RTOX supervisor PDU handling 2016-07-11 02:02:03 +02:00
openvswitch openvswitch: do not ignore netdev errors when creating tunnel vports 2016-08-10 23:13:23 -07:00
packet Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-07-24 00:53:32 -04:00
phonet
qrtr Merge tag 'qcom-soc-for-4.7-2' into net-next 2016-05-17 14:11:19 -04:00
rds RDS: TCP: Enable multipath RDS for TCP 2016-07-15 11:36:58 -07:00
rfkill
rose rose: limit sk_filter trim to payload 2016-07-13 11:53:40 -07:00
rxrpc rxrpc: Free packets discarded in data_ready 2016-08-09 17:13:56 +01:00
sched qdisc: fix a module refcount leak in qdisc_create_dflt() 2016-08-25 16:44:20 -07:00
sctp sctp: hold the transport before using it in sctp_hash_cmp 2016-09-13 11:44:58 -04:00
sunrpc SUNRPC: Silence WARN_ON when NFSv4.1 over RDMA is in use 2016-08-24 22:32:55 -04:00
switchdev net/switchdev: Export the same parent ID service function 2016-07-14 13:34:29 -07:00
tipc tipc: fix random link resets while adding a second bearer 2016-09-01 10:12:26 -07:00
unix af_unix: split 'u->readlock' into two: 'iolock' and 'bindlock' 2016-09-04 13:29:29 -07:00
vmw_vsock vhost/vsock: drop space available check for TX vq 2016-08-15 05:05:21 +03:00
wimax
wireless Three little fixes: 2016-08-30 21:34:48 -07:00
x25 net: fix a kernel infoleak in x25 module 2016-05-09 22:45:33 -04:00
xfrm net/xfrm_input: fix possible NULL deref of tunnel.ip6->parms.i_key 2016-08-11 13:15:57 +02:00
compat.c packet: compat support for sock_fprog 2016-06-09 23:41:03 -07:00
Kconfig net/ncsi: Resource management 2016-07-19 20:49:16 -07:00
Makefile net/ncsi: Resource management 2016-07-19 20:49:16 -07:00
socket.c fs: poll/select/recvmmsg: use timespec64 for timeout events 2016-05-19 19:12:14 -07:00
sysctl_net.c net: Use ns_capable_noaudit() when determining net sysctl permissions 2016-06-06 20:16:22 +10:00