On Tue, Apr 4, 2017 at 9:28 PM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit a71c9a1c779f2499fb2afc0553e543f18aff6edf (4.11-rc5).
>
> A reproducer and .config are attached.

It is pretty hard to reproduce the issue with the script in my env. But there
seems to be a case that causes a use-after-free when out of snd_buf. The case
is like:

-----------
one thread:                                       another thread:

sctp_rcv
  hold asoc (hold transport)
  enqueue the chunk to backlog queue [refcnt=2]
                                                  sctp_close
                                                    free assoc [refcnt=1]
                                                  sctp_sendmsg
                                                    find asoc but not hold it
                                                    out of snd_buf
                                                      hold asoc, schedule out [refcnt = 2]
  process backlog and put asoc/transport [refcnt=1]
                                                      schedule in, put asoc [refcnt=0] <--- destroyed
                                                  sctp_sendmsg continue using asoc, panic
--------------------

Maybe we should check if asoc is dead already when scheduled back into
sctp_sendmsg because of out of snd_buf.
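The refcount timeline above, replayed step by step as a constructed single-threaded model (added here, not kernel code and not from the reporter): asoc_hold/asoc_put, the dead flag and the return values are assumptions standing in for the real sctp_association lifetime, and replay_race(1) models the proposed "is asoc dead already?" re-check after the sleeper is scheduled back in.

```c
/* Constructed model of the interleaving in the report; not kernel code. */
struct asoc {
    int refcnt;
    int dead;   /* models the association being marked dead by sctp_close */
    int freed;  /* set when the last reference is dropped (kfree in the kernel) */
};

static void asoc_hold(struct asoc *a) { a->refcnt++; }

static void asoc_put(struct asoc *a)
{
    if (--a->refcnt == 0)
        a->freed = 1;
}

/*
 * Replays the two-thread timeline in program order.
 * check_dead == 0: sendmsg continues after waking, as in the report.
 * check_dead == 1: sendmsg re-checks the dead flag (while still holding its
 *                  own reference) and bails out instead of continuing.
 * Returns 1 if sendmsg would go on using a freed association, 0 otherwise.
 */
int replay_race(int check_dead)
{
    struct asoc a = { .refcnt = 1, .dead = 0, .freed = 0 };

    asoc_hold(&a);              /* sctp_rcv: hold asoc, enqueue to backlog [refcnt=2] */

    a.dead = 1;
    asoc_put(&a);               /* sctp_close: free assoc [refcnt=1] */

    /* sctp_sendmsg: finds asoc without holding it, runs out of snd_buf */
    asoc_hold(&a);              /* hold asoc, schedule out [refcnt=2] */

    asoc_put(&a);               /* backlog processed, rcv puts asoc/transport [refcnt=1] */

    int dead_on_wakeup = a.dead; /* checked before the sleeper drops its reference */
    asoc_put(&a);               /* schedule in, put asoc [refcnt=0] -> destroyed */

    if (check_dead && dead_on_wakeup)
        return 0;               /* bail out: nothing touches asoc after the put */

    return a.freed;             /* unfixed path: sendmsg continues with a freed asoc */
}
```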