From patchwork Sat Jun 17 08:10:27 2017
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 777295
X-Patchwork-Delegate: davem@davemloft.net
From: Xin Long
To: network dev, linux-sctp@vger.kernel.org
Cc: davem@davemloft.net, Marcelo Ricardo Leitner, Neil Horman
Subject: [PATCH net] sctp: ensure ep is not destroyed before doing the dump
Date: Sat, 17 Jun 2017 16:10:27 +0800
Message-Id: <6861fd3fc029ccba569fabccf7e05f6a52f28415.1497687027.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.1.0
X-Mailing-List: netdev@vger.kernel.org

Now before dumping a sock in sctp_diag, it only holds the sock while the ep may be already destroyed. It can cause a use-after-free panic when accessing ep->asocs.

This patch is to set sctp_sk(sk)->ep to NULL in sctp_endpoint_destroy, and check if this ep is already destroyed before dumping this ep.

Suggested-by: Marcelo Ricardo Leitner
Signed-off-by: Xin Long
Acked-by: Neil Horman
---
 net/sctp/endpointola.c | 1 +
 net/sctp/sctp_diag.c   | 5 +++--
 2 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/net/sctp/endpointola.c b/net/sctp/endpointola.c index 8c58923..3dcd0ec 100644 --- a/net/sctp/endpointola.c +++ b/net/sctp/endpointola.c @@ -275,6 +275,7 @@ static void sctp_endpoint_destroy(struct sctp_endpoint *ep) if (sctp_sk(sk)->bind_hash) sctp_put_port(sk); + sctp_sk(sk)->ep = NULL; sock_put(sk); }
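Review bot: the new store `sctp_sk(sk)->ep = NULL;` is correctly ordered before `sock_put(sk);`, but nothing in this hunk takes the socket lock, while the matching reader added in sctp_sock_dump tests the pointer under lock_sock(sk). If sctp_endpoint_destroy can be reached without the socket lock held, the dumper can still find a non-NULL ep whose teardown is already in progress. Please either state in the commit message what serializes this write against the dumper's lock_sock, or add a one-line comment above the store naming the lock or ordering it relies on.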
diff --git a/net/sctp/sctp_diag.c b/net/sctp/sctp_diag.c index 048954e..9a64721 100644 --- a/net/sctp/sctp_diag.c +++ b/net/sctp/sctp_diag.c @@ -278,7 +278,6 @@ static int sctp_tsp_dump_one(struct sctp_transport *tsp, void *p) static int sctp_sock_dump(struct sock *sk, void *p) { - struct sctp_endpoint *ep = sctp_sk(sk)->ep; struct sctp_comm_param *commp = p; struct sk_buff *skb = commp->skb; struct netlink_callback *cb = commp->cb; @@ -287,7 +286,9 @@ static int sctp_sock_dump(struct sock *sk, void *p) int err = 0; lock_sock(sk); - list_for_each_entry(assoc, &ep->asocs, asocs) { + if (!sctp_sk(sk)->ep) + goto release; + list_for_each_entry(assoc, &sctp_sk(sk)->ep->asocs, asocs) { if (cb->args[4] < cb->args[1]) goto next;
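Review bot: in the @@ -287 hunk, `list_for_each_entry(assoc, &sctp_sk(sk)->ep->asocs, asocs)` re-derives `sctp_sk(sk)->ep` right after the NULL test, instead of keeping the local that the @@ -278 hunk deletes. Rather than removing `struct sctp_endpoint *ep = sctp_sk(sk)->ep;`, keep the declaration uninitialised and assign it after lock_sock(sk): `ep = sctp_sk(sk)->ep; if (!ep) goto release;` and then loop over `&ep->asocs` as before. That reads the pointer exactly once under the lock, avoids re-deriving it in the list head expression, and shrinks the change to a single hunk in this file.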
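The lifetime rule the patch enforces (the endpoint holds a reference on the socket and points back at it; a dumper that only holds the socket must treat a NULL ep as "already destroyed"), as an added user-space model. This is example code, not code from the patch or the kernel; every name ending in _model is invented, the refcounts and socket lock are plain integers, and the model takes the socket lock around the NULL store, which the visible hunk does not show. The scenario function replays the sequence from the commit message in the racy order, single-threaded: dumper holds the sock, endpoint is destroyed, dumper runs.

```c
/* Added example (not from the patch or the kernel): a user-space model of the
 * sock/endpoint lifetime rule.  All *_model names are invented. */
#include <assert.h>
#include <stdlib.h>
#include <string.h>

struct model_asoc { struct model_asoc *next; unsigned int id; };

struct model_ep;

struct model_sock {
	int refcnt;            /* like sk->sk_refcnt (plain int, single-threaded) */
	int locked;            /* like the socket lock taken by lock_sock() */
	struct model_ep *ep;   /* like sctp_sk(sk)->ep */
};

struct model_ep {
	struct model_sock *sk;     /* like ep->base.sk */
	struct model_asoc *asocs;  /* like ep->asocs (singly linked here) */
};

static void lock_sock_model(struct model_sock *sk)    { assert(!sk->locked); sk->locked = 1; }
static void release_sock_model(struct model_sock *sk) { assert(sk->locked);  sk->locked = 0; }
static void sock_hold_model(struct model_sock *sk)    { sk->refcnt++; }

static void sock_put_model(struct model_sock *sk)
{
	if (--sk->refcnt == 0) {
		memset(sk, 0xA5, sizeof(*sk));  /* poison: any later use is a bug */
		free(sk);
	}
}

static struct model_sock *sock_alloc_model(void)
{
	struct model_sock *sk = calloc(1, sizeof(*sk));
	if (!sk) abort();
	sk->refcnt = 1;
	return sk;
}

/* Like sctp_endpoint_init(): the ep takes its own reference on the socket. */
static struct model_ep *ep_new_model(struct model_sock *sk, unsigned int nasocs)
{
	struct model_ep *ep = calloc(1, sizeof(*ep));
	if (!ep) abort();
	ep->sk = sk;
	sock_hold_model(sk);
	sk->ep = ep;
	for (unsigned int i = 0; i < nasocs; i++) {
		struct model_asoc *a = calloc(1, sizeof(*a));
		if (!a) abort();
		a->id = i + 1;
		a->next = ep->asocs;
		ep->asocs = a;
	}
	return ep;
}

/* Like sctp_endpoint_destroy() after the patch: clear the socket's back
 * pointer before dropping the ep's socket reference (lock is a model choice). */
static void ep_destroy_model(struct model_ep *ep)
{
	struct model_sock *sk = ep->sk;
	struct model_asoc *a = ep->asocs, *n;

	lock_sock_model(sk);
	sk->ep = NULL;                      /* the patch's sctp_sk(sk)->ep = NULL */
	release_sock_model(sk);
	for (; a; a = n) { n = a->next; free(a); }
	memset(ep, 0xA5, sizeof(*ep));      /* reading ep->asocs now would be a UAF */
	free(ep);
	sock_put_model(sk);                 /* the hunk's sock_put(sk) */
}

/* Like sctp_sock_dump() after the patch.  The caller already holds the socket,
 * so sk is safe; the endpoint is only safe if the pointer is still set under
 * the lock.  Returns the number of associations dumped, or -1 when the
 * endpoint was already destroyed (the patch's goto release). */
static int sock_dump_model(struct model_sock *sk, unsigned int *ids, unsigned int max)
{
	unsigned int n = 0;
	struct model_ep *ep;
	struct model_asoc *a;

	lock_sock_model(sk);
	ep = sk->ep;
	if (!ep) {
		release_sock_model(sk);
		return -1;
	}
	for (a = ep->asocs; a; a = a->next)
		if (n < max) ids[n++] = a->id;
	release_sock_model(sk);
	return (int)n;
}

/* The commit-message sequence in the racy order.  Returns 1 when the live
 * dump sees every association and the late dump is skipped, not a UAF. */
static int race_scenario_model(unsigned int nasocs)
{
	unsigned int ids[16];
	struct model_sock *sk = sock_alloc_model();
	struct model_ep *ep = ep_new_model(sk, nasocs);
	int before = sock_dump_model(sk, ids, 16);

	sock_hold_model(sk);     /* dumper: sock_hold() in the transport walk */
	ep_destroy_model(ep);    /* meanwhile: the last ep reference is dropped */
	int after = sock_dump_model(sk, ids, 16);
	int ok = before == (int)nasocs && after == -1 && sk->ep == NULL;
	sock_put_model(sk);      /* dumper's reference */
	sock_put_model(sk);      /* owner's reference: socket freed here */
	return ok;
}

int main(void) { return race_scenario_model(2) ? 0 : 1; }
```

The poison memset in ep_destroy_model is what makes the unpatched behaviour visible under a sanitizer or a debugger: without the NULL store and the check, sock_dump_model would walk 0xA5-filled memory. In the kernel the corresponding tools are KASAN and slab poisoning.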