mirrors/linux-stable
1
0
Fork 0
mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-15 07:04:44 +00:00
Code Issues Releases Wiki Activity
linux-stable/net
History
Jacek Luczak c182f90bc1 SCTP: fix race between sctp_bind_addr_free() and sctp_bind_addr_conflict() 
During the sctp_close() call, we do not use rcu primitives to
destroy the address list attached to the endpoint.  At the same
time, we do the removal of addresses from this list before
attempting to remove the socket from the port hash

As a result, it is possible for another process to find the socket
in the port hash that is in the process of being closed.  It then
proceeds to traverse the address list to find the conflict, only
to have that address list suddenly disappear without rcu() critical
section.

Fix issue by closing address list removal inside RCU critical
section.

Race can result in a kernel crash with general protection fault or
kernel NULL pointer dereference:

kernel: general protection fault: 0000 [#1] SMP
kernel: RIP: 0010:[<ffffffffa02f3dde>]  [<ffffffffa02f3dde>] sctp_bind_addr_conflict+0x64/0x82 [sctp]
kernel: Call Trace:
kernel:  [<ffffffffa02f415f>] ? sctp_get_port_local+0x17b/0x2a3 [sctp]
kernel:  [<ffffffffa02f3d45>] ? sctp_bind_addr_match+0x33/0x68 [sctp]
kernel:  [<ffffffffa02f4416>] ? sctp_do_bind+0xd3/0x141 [sctp]
kernel:  [<ffffffffa02f5030>] ? sctp_bindx_add+0x4d/0x8e [sctp]
kernel:  [<ffffffffa02f5183>] ? sctp_setsockopt_bindx+0x112/0x4a4 [sctp]
kernel:  [<ffffffff81089e82>] ? generic_file_aio_write+0x7f/0x9b
kernel:  [<ffffffffa02f763e>] ? sctp_setsockopt+0x14f/0xfee [sctp]
kernel:  [<ffffffff810c11fb>] ? do_sync_write+0xab/0xeb
kernel:  [<ffffffff810e82ab>] ? fsnotify+0x239/0x282
kernel:  [<ffffffff810c2462>] ? alloc_file+0x18/0xb1
kernel:  [<ffffffff8134a0b1>] ? compat_sys_setsockopt+0x1a5/0x1d9
kernel:  [<ffffffff8134aaf1>] ? compat_sys_socketcall+0x143/0x1a4
kernel:  [<ffffffff810467dc>] ? sysenter_dispatch+0x7/0x32

Signed-off-by: Jacek Luczak <luczak.jacek@gmail.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
CC: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-19 17:13:04 -04:00
..
9p 9p: Kill set but unused variable in 9p_client_{read,write}() and p9_client_readdir() 2011-04-12 15:58:41 -07:00
802 garp: remove last synchronize_rcu() call 2011-05-12 17:46:56 -04:00
8021q net: Fix vlan_features propagation 2011-05-12 17:54:13 -04:00
appletalk appletalk: Fix OOPS in atalk_release(). 2011-03-31 18:59:10 -07:00
atm atm: lec: Fix set-but-unused variables. 2011-04-17 00:48:36 -07:00
ax25 ax25: Fix set-but-unused variable. 2011-04-17 00:48:31 -07:00
batman-adv Merge branch 'batman-adv/next' of git://git.open-mesh.org/ecsv/linux-merge 2011-05-14 22:47:51 -04:00
bluetooth bluetooth: Fix warnings in l2cap_core.c 2011-05-16 23:09:26 -04:00
bridge Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-05-17 17:33:11 -04:00
caif caif: remove unesesarry exports 2011-05-15 17:45:56 -04:00
can can: rename can_try_module_get to can_get_proto 2011-05-04 14:08:37 -07:00
ceph Merge branch 'for-linus2' of git://git.profusion.mobi/users/lucas/linux-2.6 2011-04-07 11:14:49 -07:00
core Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-05-19 15:55:45 -04:00
dcb net: dcbnl: Update copyright dates 2011-03-14 17:02:42 -07:00
dccp ipv4: Make caller provide flowi4 key to inet_csk_route_req(). 2011-05-18 18:32:03 -04:00
decnet net: dont hold rtnl mutex during netlink dump callbacks 2011-05-02 15:26:28 -07:00
dns_resolver DNS: Fix a NULL pointer deref when trying to read an error key [CVE-2011-1076] 2011-03-04 09:56:19 +11:00
dsa Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-05-05 14:59:02 -07:00
econet econet: Fix set-but-unused variable. 2011-04-17 00:15:22 -07:00
ethernet
ieee802154 ieee802154: Remove hacked CFLAGS in net/ieee802154/Makefile 2011-04-12 15:33:23 -07:00
ipv4 net: ping: fix the coding style 2011-05-19 16:17:51 -04:00
ipv6 ipv6: reduce per device ICMP mib sizes 2011-05-19 16:21:22 -04:00
ipx ipx: fix ipx_release() 2011-03-21 18:16:39 -07:00
irda net/irda/ircomm_tty.c: Use flip buffers to deliver data 2011-05-12 18:02:51 -04:00
iucv convert old cpumask API into new one 2011-05-13 14:55:21 -04:00
key inet: constify ip headers and in6_addr 2011-04-22 11:04:14 -07:00
l2tp l2tp: fix potential rcu race 2011-05-12 17:27:10 -04:00
lapb
llc llc: Fix length check in llc_fixup_skb(). 2011-04-11 18:59:05 -07:00
mac80211 Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-05-17 17:33:11 -04:00
netfilter Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-05-17 17:33:11 -04:00
netlabel netlabel: Fix set-but-unused variables. 2011-04-17 17:01:49 -07:00
netlink Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-03-03 21:27:42 -08:00
netrom NET: AX.25, NETROM, ROSE: Remove SOCK_DEBUG calls 2011-04-14 00:20:07 -07:00
packet net: filter: Just In Time compiler for x86-64 2011-04-27 23:05:08 -07:00
phonet net: dont hold rtnl mutex during netlink dump callbacks 2011-05-02 15:26:28 -07:00
rds Fix common misspellings 2011-03-31 11:26:23 -03:00
rfkill net/rfkill/core.c: Avoid leaving freed data in a list 2011-05-16 14:10:42 -04:00
rose NET: AX.25, NETROM, ROSE: Remove SOCK_DEBUG calls 2011-04-14 00:20:07 -07:00
rxrpc ipv4: Make caller provide on-stack flow key to ip_route_output_ports(). 2011-05-03 20:25:42 -07:00
sched inet: constify ip headers and in6_addr 2011-04-22 11:04:14 -07:00
sctp SCTP: fix race between sctp_bind_addr_free() and sctp_bind_addr_conflict() 2011-05-19 17:13:04 -04:00
sunrpc Merge branch 'bugfixes' of git://git.linux-nfs.org/projects/trondmy/nfs-2.6 2011-04-08 11:47:35 -07:00
tipc tipc: Revise timings used when sending link request messages 2011-05-10 16:04:02 -04:00
unix af_unix: Only allow recv on connected seqpacket sockets. 2011-05-01 23:16:28 -07:00
wanrouter Fix common misspellings 2011-03-31 11:26:23 -03:00
wimax
wireless Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/linville/wireless-next-2.6 into for-davem 2011-05-16 19:32:19 -04:00
x25 Fix common misspellings 2011-03-31 11:26:23 -03:00
xfrm Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-3.6 2011-05-11 14:26:58 -04:00
compat.c net: Add sendmmsg socket system call 2011-05-05 11:10:14 -07:00
Kconfig bpf: depends on MODULES 2011-04-29 10:20:53 -07:00
Makefile net: Enter net/ipv6/ even if CONFIG_IPV6=n 2011-03-07 12:50:52 -08:00
nonet.c
socket.c Merge branch 'master' of master.kernel.org:/pub/scm/linux/kernel/git/davem/net-2.6 2011-05-17 17:33:11 -04:00
sysctl_net.c
TUNABLE