There are several places where it holds assoc after getting transport by searching from transport rhashtable, it may cause use-after- free issue. This patchset is to fix them by holding transport instead. Xin Long (3): sctp: hold transport instead of assoc in sctp_diag sctp: return back transport in __sctp_rcv_init_lookup sctp: hold transport instead of assoc when lookup assoc in rx path include/net/sctp/sctp.h | 2 +- net/sctp/input.c | 35 +++++++++++++++++------------------ net/sctp/ipv6.c | 2 +- net/sctp/socket.c | 5 +---- 4 files changed, 20 insertions(+), 24 deletions(-) -- 2.1.0 -- To unsubscribe from this list: send the line "unsubscribe linux-sctp" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
