On Fri, 17 Dec 2021 13:46:06 +0000 Lee Jones wrote:
> For example, in sctp_sock_dump(), we could have the following hunk:
>
> sctp_endpoint_hold(tsp->asoc->ep);
> ep = tsp->asoc->ep;
> sk = ep->base.sk
> lock_sock(ep->base.sk);
>
> It is possible for this task to be swapped out immediately following
> the call into sctp_endpoint_hold() that would change the address of
> tsp->asoc->ep to point to a completely different endpoint. This means
> a reference could be taken to the old endpoint and the new one would
> be processed without a reference taken, moreover the new endpoint
> could then be freed whilst still processing as a result, causing a
> use-after-free.
>
> If we return the exact pointer that was held, we ensure this task
> processes only the endpoint we have taken a reference to. The
> resultant hunk now looks like this:
>
> ep = sctp_endpoint_hold(tsp->asoc->ep);
> sk = ep->base.sk
> lock_sock(sk);
If you have to explain what the next patch will do to make sense
of this one it really is better to merge the two patches.
Exporting something is not a functional change, nor does it make
the changes easier to review, in fact the opposite is true.
> Fixes: 8f840e47f190c ("sctp: add the sctp_diag.c file")
This patch in itself fixes exactly nothing.
