linux/net/sctp
Xin Long af98c5a785 sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate
In sctp_stream_init(), after sctp_stream_outq_migrate() freed the
surplus streams' ext, but sctp_stream_alloc_out() returns -ENOMEM,
stream->outcnt will not be set to 'outcnt'.

With the bigger value on stream->outcnt, when closing the assoc and
freeing its streams, the ext of those surplus streams will be freed
again since those stream exts were not set to NULL after freeing in
sctp_stream_outq_migrate(). Then the invalid-free issue reported by
syzbot would be triggered.

We fix it by simply setting them to NULL after freeing.

Fixes: 5bbbbe32a4 ("sctp: introduce stream scheduler foundations")
Reported-by: syzbot+58e480e7b28f2d890bfd@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-13 19:33:44 -05:00
associola.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-09 21:43:31 -08:00
auth.c treewide: kzalloc() -> kcalloc() 2018-06-12 16:19:22 -07:00
bind_addr.c sctp: add sock_reuseport for the sock in __sctp_hash_endpoint 2018-11-12 09:09:51 -08:00
chunk.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2018-12-09 21:43:31 -08:00
debug.c sctp: add SCTP_CID_I_DATA and SCTP_CID_I_FWD_TSN conversion in sctp_cname 2018-02-12 11:40:01 -05:00
diag.c inet_diag: fix reporting cgroup classid and fallback to priority 2019-02-12 13:35:57 -05:00
endpointola.c treewide: Use struct_size() for kmalloc()-family 2018-06-06 11:15:43 -07:00
input.c sctp: add sock_reuseport for the sock in __sctp_hash_endpoint 2018-11-12 09:09:51 -08:00
inqueue.c sctp: fix the issue that the cookie-ack with auth can't get processed 2018-05-02 11:15:33 -04:00
ipv6.c sctp: set flow sport from saddr only when it's 0 2019-01-24 18:13:57 -08:00
Kconfig sctp: whitespace fixes 2018-07-24 14:10:42 -07:00
Makefile sctp: rename sctp_diag.c as diag.c 2018-02-13 13:56:31 -05:00
objcnt.c proc: introduce proc_create_seq{,_data} 2018-05-16 07:23:35 +02:00
offload.c sctp: call gso_reset_checksum when computing checksum in sctp_gso_segment 2019-02-13 19:31:43 -05:00
output.c sctp: increase sk_wmem_alloc when head->truesize is increased 2018-11-27 15:42:31 -08:00
outqueue.c sctp: define SCTP_SS_DEFAULT for Stream schedulers 2018-11-03 19:40:29 -07:00
primitive.c sctp: rename enum sctp_event to sctp_event_type 2018-11-19 12:25:43 -08:00
proc.c sctp: remove useless start_fail from sctp_ht_iter in proc 2018-08-27 15:13:17 -07:00
protocol.c sctp: set flow sport from saddr only when it's 0 2019-01-24 18:13:57 -08:00
sm_make_chunk.c sctp: set chunk transport correctly when it's a new asoc 2019-01-24 18:13:57 -08:00
sm_sideeffect.c sctp: rename enum sctp_event to sctp_event_type 2018-11-19 12:25:43 -08:00
sm_statefuns.c sctp: delay the authentication for the duplicated cookie-echo chunk 2018-05-07 23:39:10 -04:00
sm_statetable.c sctp: rename enum sctp_event to sctp_event_type 2018-11-19 12:25:43 -08:00
socket.c sctp: walk the list of asoc safely 2019-02-01 10:41:46 -08:00
stream_interleave.c sctp: add subscribe per asoc 2018-11-19 12:25:43 -08:00
stream_sched_prio.c net/sctp: Make wrappers for accessing in/out streams 2018-08-11 12:25:15 -07:00
stream_sched_rr.c net/sctp: Make wrappers for accessing in/out streams 2018-08-11 12:25:15 -07:00
stream_sched.c net/sctp: Make wrappers for accessing in/out streams 2018-08-11 12:25:15 -07:00
stream.c sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate 2019-02-13 19:33:44 -05:00
sysctl.c
transport.c sctp: update dst pmtu with the correct daddr 2018-09-20 11:29:30 -07:00
tsnmap.c
ulpevent.c sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg 2018-05-10 17:48:36 -04:00
ulpqueue.c sctp: add subscribe per asoc 2018-11-19 12:25:43 -08:00