Re: net/sctp: list double add warning in sctp_endpoint_add_asoc

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



On Tue, Apr 4, 2017 at 9:28 PM, Andrey Konovalov <andreyknvl@xxxxxxxxxx> wrote:
> Hi,
>
> I've got the following error report while fuzzing the kernel with syzkaller.
>
> On commit a71c9a1c779f2499fb2afc0553e543f18aff6edf (4.11-rc5).
>
> A reproducer and .config are attached.
The script is pretty hard to reproduce the issue in my env.
But there seems a case to cause a use-after-free when out of snd_buf.

the case is like:
-----------
one thread:                       another thread:
                                  sctp_rcv hold asoc (hold transport)
                                  enqueue the chunk to backlog queue
                                  [refcnt=2]

sctp_close free assoc
[refcnt=1]

sctp_sendmsg find asoc
but not hold it

out of snd_buf
hold asoc, schedule out
[refcnt = 2]

                                  process backlog and put asoc/transport
                                  [refcnt=1]

schedule in, put asoc
[refcnt=0] <--- destroyed

sctp_sendmsg continue
using asoc, panic

--------------------

Maybe we should check if asoc is dead already when schedule back
into sctp_sendmsg because of out of snd_buf.
--
To unsubscribe from this list: send the line "unsubscribe linux-sctp" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html



[Index of Archives]     [Linux Networking Development]     [Linux OMAP]     [Linux USB Devel]     [Linux Audio Users]     [Yosemite News]     [Linux Kernel]     [Linux SCSI]

  Powered by Linux