linux-stable/include/net/sctp
Xin Long fb6df5a623 sctp: kfree_rcu asoc

In sctp_hash_transport/sctp_epaddr_lookup_transport, it dereferences
a transport's asoc under rcu_read_lock while asoc is freed not after
a grace period, which leads to a use-after-free panic.

This patch fixes it by calling kfree_rcu to make asoc be freed after
a grace period.

Note that only the asoc's memory is delayed to free in the patch, it
won't cause sk to linger longer.

Thanks to Neil and Marcelo for making this clear.

Fixes: 7fda702f93 ("sctp: use new rhlist interface on sctp transport rhashtable")
Fixes: cd2b708750 ("sctp: check duplicate node before inserting a new transport")
Reported-by: syzbot+0b05d8aa7cb185107483@syzkaller.appspotmail.com
Reported-by: syzbot+aad231d51b1923158444@syzkaller.appspotmail.com
Suggested-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2018-12-03 15:54:41 -08:00
auth.h sctp: add sockopt SCTP_AUTH_DEACTIVATE_KEY 2018-03-14 13:48:27 -04:00
checksum.h
command.h sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT 2018-03-14 13:48:27 -04:00
constants.h sctp: count both sk and asoc sndbuf with skb truesize and sctp_chunk size 2018-10-18 11:23:47 -07:00
sctp.h Revert "sctp: remove sctp_transport_pmtu_check" 2018-11-19 12:42:47 -08:00
sm.h sctp: fix the data size calculation in sctp_data_size 2018-10-17 22:32:21 -07:00
stream_interleave.h sctp: implement handle_ftsn for sctp_stream_interleave 2017-12-15 13:52:22 -05:00
stream_sched.h
structs.h sctp: kfree_rcu asoc 2018-12-03 15:54:41 -08:00
tsnmap.h
ulpevent.h sctp: implement abort_pd for sctp_stream_interleave 2017-12-11 11:23:05 -05:00
ulpqueue.h sctp: add support for the process of unordered idata 2017-12-11 11:23:05 -05:00