On Wed, Apr 20, 2022 at 04:52:41PM -0400, Xin Long wrote:
> A null pointer reference issue can be triggered when the response of a
> stream reconf request arrives after the timer is triggered, such as:
>
>         send Incoming SSN Reset Request --->
>     CPU0:
>         reconf timer is triggered,
>         go to the handler code before hold sk lock
>                                 <--- reply with Outgoing SSN Reset Request
>     CPU1:
>         process Outgoing SSN Reset Request,
>         and set asoc->strreset_chunk to NULL
>     CPU0:
>         continue the handler code, hold sk lock,
>         and try to hold asoc->strreset_chunk, crash!
>
> In Ying Xu's testing, the call trace is:
>
> [ ] BUG: kernel NULL pointer dereference, address: 0000000000000010
> [ ] RIP: 0010:sctp_chunk_hold+0xe/0x40 [sctp]
> [ ] Call Trace:
> [ ]  <IRQ>
> [ ]  sctp_sf_send_reconf+0x2c/0x100 [sctp]
> [ ]  sctp_do_sm+0xa4/0x220 [sctp]
> [ ]  sctp_generate_reconf_event+0xbd/0xe0 [sctp]
> [ ]  call_timer_fn+0x26/0x130
>
> This patch is to fix it by returning from the timer handler if asoc
> strreset_chunk is already set to NULL.

Right. The timer callback didn't have a check on whether it was still
needed or not, and per the description above, it would simply try to
handle it twice then.

>
> Fixes: 7b9438de0cd4 ("sctp: add stream reconf timer")
> Reported-by: Ying Xu <yinxu@xxxxxxxxxx>
> Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx>

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@xxxxxxxxx>
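To make the CPU0/CPU1 interleaving concrete, here is an added example that is not the kernel's code and not part of the patch or this thread: a small user-space C model of a timer handler that re-checks the pending-request pointer under the lock and returns early when the reply path has already cleared it. The struct and function names (`assoc`, `chunk_hold`, `process_reconf_reply`, `reconf_timer_fixed`, `run_scenario`), the single-owner lock stand-in, and the `in_window` hook that injects the reply into the pre-lock window deterministically are all assumptions of the model, not SCTP or kernel API.

```c
#include <assert.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed user-space model of the race in the patch description.
 * Names are hypothetical stand-ins, not the kernel's sctp structures. */
struct chunk { int refcnt; };

/* Single-owner lock stand-in for the sk lock: asserts no re-entry. */
struct lock { int held; };
static void lock_acquire(struct lock *l) { assert(!l->held); l->held = 1; }
static void lock_release(struct lock *l) { assert(l->held); l->held = 0; }

struct assoc {
    struct lock sk_lock;
    struct chunk *strreset_chunk; /* pending reconf request, NULL once answered */
};

/* The operation that faulted in the trace when handed NULL. */
static void chunk_hold(struct chunk *c) { c->refcnt++; }

/* CPU1 path: the reply to the request arrives; the pending pointer is
 * cleared under the lock, which is the state change the timer must respect. */
static void process_reconf_reply(struct assoc *a) {
    lock_acquire(&a->sk_lock);
    a->strreset_chunk = NULL;
    lock_release(&a->sk_lock);
}

/* CPU0 path: timer handler with the fix applied. Whatever runs before the
 * lock is taken is the race window; in_window() lets the caller inject the
 * reply there deterministically. Returns 0 if the request was re-sent,
 * -1 if it had already been answered and the handler did nothing. */
static int reconf_timer_fixed(struct assoc *a, void (*in_window)(struct assoc *)) {
    if (in_window)
        in_window(a);                 /* the reply may land here */
    lock_acquire(&a->sk_lock);
    struct chunk *c = a->strreset_chunk;
    if (c == NULL) {                  /* the fix: re-check under the lock */
        lock_release(&a->sk_lock);
        return -1;
    }
    chunk_hold(c);                    /* safe: pointer validated while locked */
    /* ... retransmit c and re-arm the timer ... */
    lock_release(&a->sk_lock);
    return 0;
}

/* Runs one interleaving: reply_in_window=0 is the normal timeout path,
 * reply_in_window=1 is the CPU0/CPU1 race from the description.
 * Writes the request's final refcount to *refcnt_out. */
static int run_scenario(int reply_in_window, int *refcnt_out) {
    struct chunk req = { .refcnt = 1 };
    struct assoc a = { .sk_lock = { 0 }, .strreset_chunk = &req };
    int rc = reconf_timer_fixed(&a, reply_in_window ? process_reconf_reply : NULL);
    *refcnt_out = req.refcnt;
    return rc;
}

int main(void) {
    int rc, refcnt;
    rc = run_scenario(0, &refcnt);
    printf("no race: rc=%d refcnt=%d\n", rc, refcnt);   /* rc=0 refcnt=2 */
    rc = run_scenario(1, &refcnt);
    printf("race:    rc=%d refcnt=%d\n", rc, refcnt);   /* rc=-1 refcnt=1 */
    return 0;
}
```

The check has to sit under the same lock the reply path takes when it clears the pointer; a NULL test done before acquiring the lock would leave the same window open, because the reply could still land between the test and the hold.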