From: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
Date: Tue, 16 Oct 2018 15:18:17 -0300

> syzbot reported a use-after-free involving sctp_id2asoc. Dmitry Vyukov
> helped to root cause it and it is because of reading the asoc after it
> was freed:
>
>         CPU 1                       CPU 2
> (working on socket 1)            (working on socket 2)
> sctp_association_destroy
>                                  sctp_id2asoc
>                                    spin lock
>                                      grab the asoc from idr
>                                    spin unlock
>   spin lock
>     remove asoc from idr
>   spin unlock
>   free(asoc)
>                                  if asoc->base.sk != sk ... [*]
>
> This can only be hit if trying to fetch asocs from different sockets. As
> we have a single IDR for all asocs, in all SCTP sockets, their id is
> unique on the system. An application can try to send stuff on an id
> that matches on another socket, and the if in [*] will protect from such
> usage. But it didn't consider that as that asoc may belong to another
> socket, it may be freed in parallel (read: under another socket lock).
>
> We fix it by moving the checks in [*] into the protected region. This
> fixes it because the asoc cannot be freed while the lock is held.
>
> Reported-by: syzbot+c7dd55d7aec49d48e49a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Acked-by: Dmitry Vyukov <dvyukov@xxxxxxxxxx>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>

Applied and queued up for -stable.
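The interleaving in the quoted commit message, replayed as an added example (this is not kernel code and not the patch itself). The IDR, the spinlock and the association are toy stand-ins, and "free(asoc)" only sets a flag so the use-after-free shows up as a deterministic result rather than undefined behaviour. The same CPU 1 / CPU 2 schedule is run twice: once with the ownership check performed after the unlock, as the message describes the original lookup, and once with the check moved inside the locked region, which is the fix it describes.

```c
/*
 * Toy replay of the sctp_id2asoc race. Added example, not kernel code:
 * struct idr, the spinlock and struct asoc are stand-ins, and the
 * schedule below is the CPU 1 / CPU 2 ordering from the commit message.
 */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

enum outcome {
    RESULT_PENDING,   /* CPU 2 has not reached the check yet */
    RESULT_ACCEPTED,  /* asoc belongs to the calling socket */
    RESULT_REJECTED,  /* [*] check fired: asoc belongs to another socket */
    RESULT_UAF,       /* the check read an asoc that was already freed */
};

struct sock { int id; };
struct asoc { struct sock *sk; bool freed; };   /* sk mirrors asoc->base.sk */
struct idr  { struct asoc *slot; bool locked; }; /* one slot, toy spinlock */

struct world {
    struct idr idr;
    struct sock sk1, sk2;
    struct asoc a;            /* owned by sk1, published in the IDR */
    struct asoc *fetched;     /* what CPU 2 grabbed from the IDR */
    bool check_under_lock;    /* false: original ordering, true: fixed ordering */
    int pc1, pc2;             /* next step of CPU 1 and CPU 2 */
    enum outcome result;
};

static bool try_spin_lock(struct idr *idr)
{
    if (idr->locked)
        return false;
    idr->locked = true;
    return true;
}

/* The [*] check: does the fetched asoc belong to socket 2? */
static enum outcome check_owner(struct world *w)
{
    if (!w->fetched)
        return RESULT_REJECTED;         /* nothing under that id */
    if (w->fetched->freed)
        return RESULT_UAF;              /* the real kernel would read freed memory here */
    return w->fetched->sk != &w->sk2 ? RESULT_REJECTED : RESULT_ACCEPTED;
}

/* CPU 1: sctp_association_destroy on socket 1. Returns false when blocked on the lock. */
static bool step_cpu1(struct world *w)
{
    switch (w->pc1) {
    case 0: if (!try_spin_lock(&w->idr)) return false; break;
    case 1: w->idr.slot = NULL; break;          /* remove asoc from idr */
    case 2: w->idr.locked = false; break;       /* spin unlock */
    case 3: w->a.freed = true; break;           /* free(asoc) */
    default: return true;                       /* finished */
    }
    w->pc1++;
    return true;
}

/* CPU 2: sctp_id2asoc on socket 2, asking for the id of socket 1's asoc. */
static bool step_cpu2(struct world *w)
{
    switch (w->pc2) {
    case 0: if (!try_spin_lock(&w->idr)) return false; break;
    case 1: w->fetched = w->idr.slot; break;    /* grab the asoc from idr */
    case 2: if (w->check_under_lock) w->result = check_owner(w);   /* fixed: check while locked */
            else                     w->idr.locked = false;        /* original: unlock first */
            break;
    case 3: if (w->check_under_lock) w->idr.locked = false;
            else                     w->result = check_owner(w);   /* original: check after unlock */
            break;
    default: return true;
    }
    w->pc2++;
    return true;
}

/* Run the message's interleaving; a blocked step is retried on that CPU's next turn. */
static enum outcome replay(bool check_under_lock)
{
    struct world w = { .sk1 = {1}, .sk2 = {2}, .check_under_lock = check_under_lock };
    static const int schedule[] = { 2, 2, 1, 2, 1, 1, 1, 1, 2 };
    w.a.sk = &w.sk1;
    w.idr.slot = &w.a;
    for (size_t i = 0; i < sizeof schedule / sizeof schedule[0]; i++) {
        if (schedule[i] == 1) step_cpu1(&w); else step_cpu2(&w);
    }
    while (w.pc1 < 4 || w.pc2 < 4) {   /* drain whatever is still pending */
        step_cpu1(&w);
        step_cpu2(&w);
    }
    return w.result;
}

int main(void)
{
    printf("check after unlock: %s\n", replay(false) == RESULT_UAF ? "use-after-free" : "ok");
    printf("check under lock:   %s\n", replay(true) == RESULT_REJECTED ? "rejected safely" : "?");
    return 0;
}
```

With the check outside the lock, CPU 1 slips in between "grab" and "check", removes and frees the association, and the check reads freed memory. With the check under the lock, CPU 1's spin lock stays blocked until CPU 2 has finished inspecting the pointer it fetched, which is exactly why the message says the asoc cannot be freed while the lock is held.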