On Tue, Oct 17, 2017 at 11:31:30PM +0800, Xin Long wrote: > On Tue, Oct 17, 2017 at 9:45 PM, Eric Dumazet <eric.dumazet@xxxxxxxxx> wrote: > > SCTP experts. > > > > syszkaller reported a few crashes in sctp_packet_config() with invalid > > access to a deleted dst. > > > > The rcu_read_lock() in sctp_packet_config() is suspect. > > > > It does not protect anything at the moment. > > > > If we expect tp->dst to be manipulated/changed by another cpu/thread, > > then we need proper rcu protection. > > > > Following patch to show what would be a minimal change (but obviously > > bigger changes are needed, like sctp_transport_pmtu_check() and > > sctp_transport_dst_check(), and proper sparse annotations) > will check all places accessing tp->dst in sctp. I checked some and sctp_transport_dst_check() should be fine because by then we are holding a reference on dst. Same goes to sctp_transport_pmtu_check(). It's not possible that these would trip on the update going on on sctp_packet_config() because the socket is locked. We may not need (much) more than the example patch, I think. A more thorough check is certainly welcomed, indeed. Marcelo -- To unsubscribe from this list: send the line "unsubscribe linux-sctp" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
