linux/net/sctp
Xin Long dae399d7fd sctp: hold transport instead of assoc when lookup assoc in rx path
Prior to this patch, in rx path, before calling lock_sock, it needed to
hold assoc when got it by __sctp_lookup_association, in case other place
would free/put assoc.

But in __sctp_lookup_association, it lookup and hold transport, then got
assoc by transport->assoc, then hold assoc and put transport. It means
it didn't hold transport, yet it was returned and later on directly
assigned to chunk->transport.

Without the protection of sock lock, the transport may be freed/put by
other places, which would cause a use-after-free issue.

This patch is to fix this issue by holding transport instead of assoc.
As holding transport can make sure to access assoc is also safe, and
actually it looks up assoc by searching transport rhashtable, to hold
transport here makes more sense.

Note that the function will be renamed later on on another patch.

Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2016-10-31 16:20:33 -04:00
..
associola.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
auth.c sctp: use IS_ENABLED() instead of checking for built-in or module 2016-09-10 21:19:11 -07:00
bind_addr.c sctp: fix copying more bytes than expected in sctp_add_bind_addr 2016-03-08 15:04:08 -05:00
chunk.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
debug.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
endpointola.c sctp: add SCTP_PR_SUPPORTED on sctp sockopt 2016-07-11 13:25:38 -07:00
input.c sctp: hold transport instead of assoc when lookup assoc in rx path 2016-10-31 16:20:33 -04:00
inqueue.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
ipv6.c sctp: hold transport instead of assoc when lookup assoc in rx path 2016-10-31 16:20:33 -04:00
Kconfig sctp: add the sctp_diag.c file 2016-04-15 17:29:36 -04:00
Makefile sctp: Add GSO support 2016-06-03 19:37:21 -04:00
objcnt.c sctp: fix checkpatch errors with (foo*)|foo * bar|foo* bar 2013-12-26 13:47:47 -05:00
offload.c sctp: fix GSO for IPv6 2016-07-16 22:02:09 -07:00
output.c sctp: fix the panic caused by route update 2016-10-26 17:32:19 -04:00
outqueue.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
primitive.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
probe.c net: sctp: Convert log timestamps to be y2038 safe 2016-03-01 17:18:44 -05:00
proc.c net: Suppress the "Comparison to NULL could be written" warnings 2016-09-30 01:50:45 -04:00
protocol.c sctp: use inet_recvmsg to support sctp RFS well 2016-07-25 10:56:28 -07:00
sctp_diag.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
sm_make_chunk.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-10-02 22:20:41 -04:00
sm_sideeffect.c sctp: make sctp_outq_flush/tail/uncork return void 2016-09-18 22:02:33 -04:00
sm_statefuns.c sctp: validate chunk len before actually using it 2016-10-29 12:00:10 -04:00
sm_statetable.c sctp: fix checkpatch errors with indent 2013-12-26 13:47:48 -05:00
socket.c sctp: hold transport instead of assoc in sctp_diag 2016-10-31 16:20:32 -04:00
ssnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
sysctl.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2016-01-11 23:55:43 -05:00
transport.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
tsnmap.c sctp: Fix FSF address in file headers 2013-12-06 12:37:56 -05:00
ulpevent.c sctp: rename WORD_TRUNC/ROUND macros 2016-09-22 03:13:26 -04:00
ulpqueue.c sctp: Remove some redundant code 2016-09-19 01:34:01 -04:00