In case of GSO, per-chunk 'skb' pointer may point to an entry from fraglist created in 'sctp_packet_gso_append()'. To avoid freeing random fraglist entry (and so undefined behavior and/or memory leak), consume 'head_skb' (i.e. beginning of a fraglist) instead. Reported-by: syzbot+8bb053b5d63595ab47db@xxxxxxxxxxxxxxxxxxxxxxxxx Closes: https://syzkaller.appspot.com/bug?id=0d8351bbe54fd04a492c2daab0164138db008042 Signed-off-by: Dmitry Antipov <dmantipov@xxxxxxxxx> --- net/sctp/sm_make_chunk.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/net/sctp/sm_make_chunk.c b/net/sctp/sm_make_chunk.c index f80208edd6a5..30fe34743009 100644 --- a/net/sctp/sm_make_chunk.c +++ b/net/sctp/sm_make_chunk.c @@ -1500,7 +1500,10 @@ static void sctp_chunk_destroy(struct sctp_chunk *chunk) BUG_ON(!list_empty(&chunk->list)); list_del_init(&chunk->transmitted_list); - consume_skb(chunk->skb); + /* In case of GSO, 'skb' may be a pointer to fraglist entry. + * Consume the read head if so. + */ + consume_skb(chunk->head_skb ? chunk->head_skb : chunk->skb); consume_skb(chunk->auth_chunk); SCTP_DBG_OBJCNT_DEC(chunk); -- 2.43.0
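Review bot: the new comment in the hunk has a typo, "Consume the read head" should read "Consume the real head", and it should state why consuming a fraglist entry directly is unsafe, since that is the defect being fixed: an skb linked into the head's frag_list is owned by that list, so freeing it on its own leaves a dangling entry that is walked again when the head is released. The replacement `consume_skb(chunk->head_skb ? chunk->head_skb : chunk->skb);` also relies on the chunk holding its own reference to `head_skb` at the time `sctp_chunk_destroy()` runs; the hunk does not show where that reference is taken or whether `head_skb` can already have been consumed on the transmit path, so the commit message or the comment should say who owns `head_skb` and that the `chunk->skb` fraglist entry is then released as part of the head and must not be consumed separately. Without that, a reader cannot tell whether the change trades a stray free for a use-after-free.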