This is a note to let you know that I've just added the patch titled sctp: return next obj by passing pos + 1 into sctp_transport_get_idx to the 4.9-stable tree which can be found at: http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary The filename of the patch is: sctp-return-next-obj-by-passing-pos-1-into-sctp_transport_get_idx.patch and it can be found in the queue-4.9 subdirectory. If you, or anyone else, feels it should not be added to the stable tree, please let <stable@xxxxxxxxxxxxxxx> know about it. >From foo@baz Thu Jun 29 18:57:46 CEST 2017 From: Xin Long <lucien.xin@xxxxxxxxx> Date: Thu, 15 Jun 2017 17:49:08 +0800 Subject: sctp: return next obj by passing pos + 1 into sctp_transport_get_idx From: Xin Long <lucien.xin@xxxxxxxxx> [ Upstream commit 988c7322116970696211e902b468aefec95b6ec4 ] In sctp_for_each_transport, pos is used to save how many objs it has dumped. Now it gets the last obj by sctp_transport_get_idx, then gets the next obj by sctp_transport_get_next. The issue is that in the meanwhile if some objs in transport hashtable are removed and the objs nums are less than pos, sctp_transport_get_idx would return NULL and hti.walker.tbl is NULL as well. At this moment it should stop hti, instead of continue getting the next obj. Or it would cause a NULL pointer dereference in sctp_transport_get_next. This patch is to pass pos + 1 into sctp_transport_get_idx to get the next obj directly, even if pos > objs nums, it would return NULL and stop hti. Fixes: 626d16f50f39 ("sctp: export some apis or variables for sctp_diag and reuse some for proc") Signed-off-by: Xin Long <lucien.xin@xxxxxxxxx> Signed-off-by: David S. Miller <davem@xxxxxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx> --- net/sctp/socket.c | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) --- a/net/sctp/socket.c +++ b/net/sctp/socket.c @@ -4506,9 +4506,8 @@ int sctp_for_each_transport(int (*cb)(st if (err) return err; - sctp_transport_get_idx(net, &hti, pos); - obj = sctp_transport_get_next(net, &hti); - for (; obj && !IS_ERR(obj); obj = sctp_transport_get_next(net, &hti)) { + obj = sctp_transport_get_idx(net, &hti, pos + 1); + for (; !IS_ERR_OR_NULL(obj); obj = sctp_transport_get_next(net, &hti)) { struct sctp_transport *transport = obj; if (!sctp_transport_hold(transport)) Patches currently in stable-queue which might be from lucien.xin@xxxxxxxxx are queue-4.9/ipv6-fix-calling-in6_ifa_hold-incorrectly-for-dad-work.patch queue-4.9/igmp-acquire-pmc-lock-for-ip_mc_clear_src.patch queue-4.9/sctp-return-next-obj-by-passing-pos-1-into-sctp_transport_get_idx.patch queue-4.9/sctp-disable-bh-in-sctp_for_each_endpoint.patch