On Wed, Jan 3, 2018 at 5:44 AM, Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx> wrote: > syzbot noticed a NULL pointer dereference panic in sctp_stream_free() > which was caused by an incomplete error handling in sctp_stream_init(). > By not clearing stream->outcnt, it made a for() in sctp_stream_free() > think that it had elements to free, but not, leading to the panic. > > As suggested by Xin Long, this patch also simplifies the error path by > moving it to the only if() that uses it. > > See-also: https://www.spinics.net/lists/netdev/msg473756.html > See-also: https://www.spinics.net/lists/netdev/msg465024.html > Reported-by: syzbot <syzkaller@xxxxxxxxxxxxxxxx> > Fixes: f952be79cebd ("sctp: introduce struct sctp_stream_out_ext") > Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx> > --- > net/sctp/stream.c | 22 ++++++++++------------ > 1 file changed, 10 insertions(+), 12 deletions(-) > > diff --git a/net/sctp/stream.c b/net/sctp/stream.c > index 76ea66be0bbee7d3f018676d52c8b95ba06dbcb1..524dfeb94c41ab1ac735746a8acf93af1c96ae48 100644 > --- a/net/sctp/stream.c > +++ b/net/sctp/stream.c > @@ -156,9 +156,9 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt, > sctp_stream_outq_migrate(stream, NULL, outcnt); > sched->sched_all(stream); > > - i = sctp_stream_alloc_out(stream, outcnt, gfp); > - if (i) > - return i; > + ret = sctp_stream_alloc_out(stream, outcnt, gfp); > + if (ret) > + goto out; > > stream->outcnt = outcnt; > for (i = 0; i < stream->outcnt; i++) 
> @@ -170,19 +170,17 @@ int sctp_stream_init(struct sctp_stream *stream, __u16 outcnt, __u16 incnt, > if (!incnt) > goto out; > > - i = sctp_stream_alloc_in(stream, incnt, gfp); > - if (i) { > - ret = -ENOMEM; > - goto free; > + ret = sctp_stream_alloc_in(stream, incnt, gfp); > + if (ret) { > + sched->free(stream); > + kfree(stream->out); > + stream->out = NULL; > + stream->outcnt = 0; > + goto out; > } > > stream->incnt = incnt; > - goto out; > > -free: > - sched->free(stream); > - kfree(stream->out); > - stream->out = NULL; > out: > return ret; > } > -- > 2.14.3 > Reviewed-by: Xin Long <lucien.xin@xxxxxxxxx> -- To unsubscribe from this list: send the line "unsubscribe linux-sctp" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
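Review bot: in the first hunk (@@ -156,9 +156,9 @@), replacing `i = sctp_stream_alloc_out(...)` / `return i` with `ret = ...` / `goto out` is functionally a no-op, since `out:` only does `return ret;`, but it stops overloading the loop counter `i` with an error code and is worth keeping for that alone. What the hunk leaves unchanged is that when sctp_stream_alloc_out() fails, sctp_stream_outq_migrate(stream, NULL, outcnt) and sched->sched_all(stream) have already run against the new outcnt while stream->outcnt keeps its old value, so queue state and counter can disagree after the early exit; that is pre-existing, but a one-line comment at the `goto out` saying the previous out array is intentionally kept on this path would help the next reader.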
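Review bot: in the second hunk (@@ -170,19 +170,17 @@), the actual fix is the added `stream->outcnt = 0;` after `kfree(stream->out)`, which keeps the `for (i = 0; i < stream->outcnt; i++)` loop in sctp_stream_free() from walking a NULL array, and calling sched->free(stream) before kfree(stream->out) is the right order if the scheduler's free callback still reads stream->out. Two questions: (1) this cleanup frees the array with a single kfree() without visiting the outcnt entries, whereas the commit message says sctp_stream_free() loops over them; if sctp_stream_init() is re-run on a live stream whose entries already carry ext pointers (the sctp_stream_outq_migrate() call in the first hunk suggests init can run on an existing stream), those would be leaked here, so consider freeing them per-entry or reusing sctp_stream_free() instead of duplicating part of it; (2) `ret` now carries whatever sctp_stream_alloc_in() returns instead of a hard-coded -ENOMEM, which is fine but is a small return-value change the commit message does not mention.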