diff mbox

use-after-free in sctp_do_sm

Message ID fcceeb2a58ce2054cedb091f0e251393b36418ba.1449250981.git.marcelo.leitner@gmail.com
State RFC, archived
Delegated to: David Miller
Headers show

Commit Message

Marcelo Ricardo Leitner Dec. 4, 2015, 5:48 p.m. UTC 
Hi Dmitry,

Can you please test this patch?
I'll re-post with proper subject if it works.

Thanks.

---8<---

Dmitry Vyukov reported a use-after-free in the code expanded by the
macro debug_post_sfx, which is caused by the use of the asoc pointer
after it was freed within sctp_side_effect() scope.

This patch fixes it by allowing sctp_side_effect to clear that asoc
pointer when the TCB is freed.

The macro is already prepared to handle such NULL pointer.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
---
 net/sctp/sm_sideeffect.c | 9 +++++----
 1 file changed, 5 insertions(+), 4 deletions(-)

Comments

Dmitry Vyukov Dec. 4, 2015, 8:25 p.m. UTC | #1 
On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
> Hi Dmitry,
>
> Can you please test this patch?
> I'll re-post with proper subject if it works.

Still happening with the same stacks.


> ---8<---
>
> Dmitry Vyukov reported a use-after-free in the code expanded by the
> macro debug_post_sfx, which is caused by the use of the asoc pointer
> after it was freed within sctp_side_effect() scope.
>
> This patch fixes it by allowing sctp_side_effect to clear that asoc
> pointer when the TCB is freed.
>
> The macro is already prepared to handle such NULL pointer.
>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
> ---
>  net/sctp/sm_sideeffect.c | 9 +++++----
>  1 file changed, 5 insertions(+), 4 deletions(-)
>
> diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
> index 6098d4c42fa91287d3cde36ac05d860f76d4fe32..05594dcd93e0d649cace5215d225bef2713f9310 100644
> --- a/net/sctp/sm_sideeffect.c
> +++ b/net/sctp/sm_sideeffect.c
> @@ -63,7 +63,7 @@ static int sctp_cmd_interpreter(sctp_event_t event_type,
>  static int sctp_side_effects(sctp_event_t event_type, sctp_subtype_t subtype,
>                              sctp_state_t state,
>                              struct sctp_endpoint *ep,
> -                            struct sctp_association *asoc,
> +                            struct sctp_association **asoc,
>                              void *event_arg,
>                              sctp_disposition_t status,
>                              sctp_cmd_seq_t *commands,
> @@ -1123,7 +1123,7 @@ int sctp_do_sm(struct net *net, sctp_event_t event_type, sctp_subtype_t subtype,
>         debug_post_sfn();
>
>         error = sctp_side_effects(event_type, subtype, state,
> -                                 ep, asoc, event_arg, status,
> +                                 ep, &asoc, event_arg, status,
>                                   &commands, gfp);
>         debug_post_sfx();
>
> @@ -1136,7 +1136,7 @@ int sctp_do_sm(struct net *net, sctp_event_t event_type, sctp_subtype_t subtype,
>  static int sctp_side_effects(sctp_event_t event_type, sctp_subtype_t subtype,
>                              sctp_state_t state,
>                              struct sctp_endpoint *ep,
> -                            struct sctp_association *asoc,
> +                            struct sctp_association **asoc,
>                              void *event_arg,
>                              sctp_disposition_t status,
>                              sctp_cmd_seq_t *commands,
> @@ -1151,7 +1151,7 @@ static int sctp_side_effects(sctp_event_t event_type, sctp_subtype_t subtype,
>          * disposition SCTP_DISPOSITION_CONSUME.
>          */
>         if (0 != (error = sctp_cmd_interpreter(event_type, subtype, state,
> -                                              ep, asoc,
> +                                              ep, *asoc,
>                                                event_arg, status,
>                                                commands, gfp)))
>                 goto bail;
> @@ -1175,6 +1175,7 @@ static int sctp_side_effects(sctp_event_t event_type, sctp_subtype_t subtype,
>
>         case SCTP_DISPOSITION_DELETE_TCB:
>                 /* This should now be a command. */
> +               *asoc = NULL;
>                 break;
>
>         case SCTP_DISPOSITION_CONSUME:
> --
> 2.5.0
>
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Marcelo Ricardo Leitner Dec. 4, 2015, 9:34 p.m. UTC | #2 
On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote:
> On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner
> <marcelo.leitner@gmail.com> wrote:
> > Hi Dmitry,
> >
> > Can you please test this patch?
> > I'll re-post with proper subject if it works.
> 
> Still happening with the same stacks.

Then there may be another one, I'm afraid.

I'm using the testapp you shared in the first email, with that debug line
enabled and added a new one:
+       pr_debug("%p %d\n", asoc, asoc ? asoc->state : 0);
        debug_post_sfx();
(should have used %x, but ok)

Also enabled slub_debug=PUZ, and I get:

without the patch:
[   87.873640] sctp: ffff8800b71533d8 1
[   87.873647] sctp: sctp_do_sm[post-sfx]: error:0,
asoc:ffff8800b71533d8[STATE_CLOSED]
[   87.873739] sctp: ffff8800b71533d8 1
[   87.873742] sctp: sctp_do_sm[post-sfx]: error:0,
asoc:ffff8800b71533d8[STATE_CLOSED]
[   87.875149] sctp: ffff8800b71533d8 1802201963
[   87.875238] sctp: sctp_do_sm[post-sfx]: error:0,
asoc:ffff8800b71533d8[STATE_CLOSED]

1802201963 = 0x6b6b6b6b, poison

with the patch:
[   81.071265] sctp: ffff880137571148 1
[   81.071273] sctp: sctp_do_sm[post-sfx]: error:0,
asoc:ffff880137571148[STATE_CLOSED]
[   81.071372] sctp: ffff880137571148 1
[   81.071375] sctp: sctp_do_sm[post-sfx]: error:0,
asoc:ffff880137571148[STATE_CLOSED]
[   81.072423] sctp:           (null) 0
[   81.072427] sctp: sctp_do_sm[post-sfx]: error:0, asoc:
(null)[STATE_CLOSED]

This one, at least, is gone with this patch.

  Marcelo

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Dmitry Vyukov Dec. 4, 2015, 9:38 p.m. UTC | #3 
On Fri, Dec 4, 2015 at 10:34 PM, Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
> On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote:
>> On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner
>> <marcelo.leitner@gmail.com> wrote:
>> > Hi Dmitry,
>> >
>> > Can you please test this patch?
>> > I'll re-post with proper subject if it works.
>>
>> Still happening with the same stacks.
>
> Then there may be another one, I'm afraid.
>
> I'm using the testapp you shared in the first email, with that debug line
> enabled and added a new one:
> +       pr_debug("%p %d\n", asoc, asoc ? asoc->state : 0);
>         debug_post_sfx();
> (should have used %x, but ok)
>
> Also enabled slub_debug=PUZ, and I get:
>
> without the patch:
> [   87.873640] sctp: ffff8800b71533d8 1
> [   87.873647] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff8800b71533d8[STATE_CLOSED]
> [   87.873739] sctp: ffff8800b71533d8 1
> [   87.873742] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff8800b71533d8[STATE_CLOSED]
> [   87.875149] sctp: ffff8800b71533d8 1802201963
> [   87.875238] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff8800b71533d8[STATE_CLOSED]
>
> 1802201963 = 0x6b6b6b6b, poison
>
> with the patch:
> [   81.071265] sctp: ffff880137571148 1
> [   81.071273] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff880137571148[STATE_CLOSED]
> [   81.071372] sctp: ffff880137571148 1
> [   81.071375] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff880137571148[STATE_CLOSED]
> [   81.072423] sctp:           (null) 0
> [   81.072427] sctp: sctp_do_sm[post-sfx]: error:0, asoc:
> (null)[STATE_CLOSED]
>
> This one, at least, is gone with this patch.


I will try to extract reproducer next week.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Vladislav Yasevich Dec. 5, 2015, 4:39 p.m. UTC | #4 
On 12/04/2015 04:34 PM, Marcelo Ricardo Leitner wrote:
> On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote:
>> On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner
>> <marcelo.leitner@gmail.com> wrote:
>>> Hi Dmitry,
>>>
>>> Can you please test this patch?
>>> I'll re-post with proper subject if it works.
>>
>> Still happening with the same stacks.
> 
> Then there may be another one, I'm afraid.
> 
> I'm using the testapp you shared in the first email, with that debug line
> enabled and added a new one:
> +       pr_debug("%p %d\n", asoc, asoc ? asoc->state : 0);
>         debug_post_sfx();
> (should have used %x, but ok)
> 
> Also enabled slub_debug=PUZ, and I get:
> 
> without the patch:
> [   87.873640] sctp: ffff8800b71533d8 1
> [   87.873647] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff8800b71533d8[STATE_CLOSED]
> [   87.873739] sctp: ffff8800b71533d8 1
> [   87.873742] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff8800b71533d8[STATE_CLOSED]
> [   87.875149] sctp: ffff8800b71533d8 1802201963
> [   87.875238] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff8800b71533d8[STATE_CLOSED]
> 
> 1802201963 = 0x6b6b6b6b, poison
> 
> with the patch:
> [   81.071265] sctp: ffff880137571148 1
> [   81.071273] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff880137571148[STATE_CLOSED]
> [   81.071372] sctp: ffff880137571148 1
> [   81.071375] sctp: sctp_do_sm[post-sfx]: error:0,
> asoc:ffff880137571148[STATE_CLOSED]
> [   81.072423] sctp:           (null) 0
> [   81.072427] sctp: sctp_do_sm[post-sfx]: error:0, asoc:
> (null)[STATE_CLOSED]
> 
> This one, at least, is gone with this patch.
> 
>   Marcelo
> 

Hi Marcelo

I think you also need to catch the SCTP_DISPOSITION_ABORT and update
the pointer.  There are some issues there though as some functions report
that code without actually destroying the association.  This happens when
the ABORT chunk may be dropped.

I think this might be why we still see the issue.

-vlad
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Dmitry Vyukov Dec. 7, 2015, 11:26 a.m. UTC | #5 
On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich <vyasevich@gmail.com> wrote:
> On 12/04/2015 04:34 PM, Marcelo Ricardo Leitner wrote:
>> On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote:
>>> On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner
>>> <marcelo.leitner@gmail.com> wrote:
>>>> Hi Dmitry,
>>>>
>>>> Can you please test this patch?
>>>> I'll re-post with proper subject if it works.
>>>
>>> Still happening with the same stacks.
>>
>> Then there may be another one, I'm afraid.
>>
>> I'm using the testapp you shared in the first email, with that debug line
>> enabled and added a new one:
>> +       pr_debug("%p %d\n", asoc, asoc ? asoc->state : 0);
>>         debug_post_sfx();
>> (should have used %x, but ok)
>>
>> Also enabled slub_debug=PUZ, and I get:
>>
>> without the patch:
>> [   87.873640] sctp: ffff8800b71533d8 1
>> [   87.873647] sctp: sctp_do_sm[post-sfx]: error:0,
>> asoc:ffff8800b71533d8[STATE_CLOSED]
>> [   87.873739] sctp: ffff8800b71533d8 1
>> [   87.873742] sctp: sctp_do_sm[post-sfx]: error:0,
>> asoc:ffff8800b71533d8[STATE_CLOSED]
>> [   87.875149] sctp: ffff8800b71533d8 1802201963
>> [   87.875238] sctp: sctp_do_sm[post-sfx]: error:0,
>> asoc:ffff8800b71533d8[STATE_CLOSED]
>>
>> 1802201963 = 0x6b6b6b6b, poison
>>
>> with the patch:
>> [   81.071265] sctp: ffff880137571148 1
>> [   81.071273] sctp: sctp_do_sm[post-sfx]: error:0,
>> asoc:ffff880137571148[STATE_CLOSED]
>> [   81.071372] sctp: ffff880137571148 1
>> [   81.071375] sctp: sctp_do_sm[post-sfx]: error:0,
>> asoc:ffff880137571148[STATE_CLOSED]
>> [   81.072423] sctp:           (null) 0
>> [   81.072427] sctp: sctp_do_sm[post-sfx]: error:0, asoc:
>> (null)[STATE_CLOSED]
>>
>> This one, at least, is gone with this patch.
>>
>>   Marcelo
>>
>
> Hi Marcelo
>
> I think you also need to catch the SCTP_DISPOSITION_ABORT and update
> the pointer.  There are some issues there though as some functions report
> that code without actually destroying the association.  This happens when
> the ABORT chunk may be dropped.
>
> I think this might be why we still see the issue.


Marcelo,

Is this info enough for you to cook another fix?
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Marcelo Ricardo Leitner Dec. 7, 2015, 1:15 p.m. UTC | #6 
On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote:
> On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich <vyasevich@gmail.com> wrote:
> > On 12/04/2015 04:34 PM, Marcelo Ricardo Leitner wrote:
> >> On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote:
> >>> On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner
> >>> <marcelo.leitner@gmail.com> wrote:
> >>>> Hi Dmitry,
> >>>>
> >>>> Can you please test this patch?
> >>>> I'll re-post with proper subject if it works.
> >>>
> >>> Still happening with the same stacks.
> >>
> >> Then there may be another one, I'm afraid.
> >>
> >> I'm using the testapp you shared in the first email, with that debug line
> >> enabled and added a new one:
> >> +       pr_debug("%p %d\n", asoc, asoc ? asoc->state : 0);
> >>         debug_post_sfx();
> >> (should have used %x, but ok)
> >>
> >> Also enabled slub_debug=PUZ, and I get:
> >>
> >> without the patch:
> >> [   87.873640] sctp: ffff8800b71533d8 1
> >> [   87.873647] sctp: sctp_do_sm[post-sfx]: error:0,
> >> asoc:ffff8800b71533d8[STATE_CLOSED]
> >> [   87.873739] sctp: ffff8800b71533d8 1
> >> [   87.873742] sctp: sctp_do_sm[post-sfx]: error:0,
> >> asoc:ffff8800b71533d8[STATE_CLOSED]
> >> [   87.875149] sctp: ffff8800b71533d8 1802201963
> >> [   87.875238] sctp: sctp_do_sm[post-sfx]: error:0,
> >> asoc:ffff8800b71533d8[STATE_CLOSED]
> >>
> >> 1802201963 = 0x6b6b6b6b, poison
> >>
> >> with the patch:
> >> [   81.071265] sctp: ffff880137571148 1
> >> [   81.071273] sctp: sctp_do_sm[post-sfx]: error:0,
> >> asoc:ffff880137571148[STATE_CLOSED]
> >> [   81.071372] sctp: ffff880137571148 1
> >> [   81.071375] sctp: sctp_do_sm[post-sfx]: error:0,
> >> asoc:ffff880137571148[STATE_CLOSED]
> >> [   81.072423] sctp:           (null) 0
> >> [   81.072427] sctp: sctp_do_sm[post-sfx]: error:0, asoc:
> >> (null)[STATE_CLOSED]
> >>
> >> This one, at least, is gone with this patch.
> >>
> >>   Marcelo
> >>
> >
> > Hi Marcelo
> >
> > I think you also need to catch the SCTP_DISPOSITION_ABORT and update
> > the pointer.  There are some issues there though as some functions report
> > that code without actually destroying the association.  This happens when
> > the ABORT chunk may be dropped.
> >
> > I think this might be why we still see the issue.
> 
> 
> Marcelo,
> 
> Is this info enough for you to cook another fix?

Hi, I think so. I was really wondering how you could trigger that issue
without the timestamp fix and Vlad's comment does shed some light on it.

I'll do more tests later today, but what did you have connecting to the
listening socket? Somehow you made that accept() call to return..

  Marcelo

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Dmitry Vyukov Dec. 7, 2015, 1:20 p.m. UTC | #7 
On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo Leitner
<marcelo.leitner@gmail.com> wrote:
> On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote:
>> On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich <vyasevich@gmail.com> wrote:
>> > On 12/04/2015 04:34 PM, Marcelo Ricardo Leitner wrote:
>> >> On Fri, Dec 04, 2015 at 09:25:35PM +0100, Dmitry Vyukov wrote:
>> >>> On Fri, Dec 4, 2015 at 6:48 PM, Marcelo Ricardo Leitner
>> >>> <marcelo.leitner@gmail.com> wrote:
>> >>>> Hi Dmitry,
>> >>>>
>> >>>> Can you please test this patch?
>> >>>> I'll re-post with proper subject if it works.
>> >>>
>> >>> Still happening with the same stacks.
>> >>
>> >> Then there may be another one, I'm afraid.
>> >>
>> >> I'm using the testapp you shared in the first email, with that debug line
>> >> enabled and added a new one:
>> >> +       pr_debug("%p %d\n", asoc, asoc ? asoc->state : 0);
>> >>         debug_post_sfx();
>> >> (should have used %x, but ok)
>> >>
>> >> Also enabled slub_debug=PUZ, and I get:
>> >>
>> >> without the patch:
>> >> [   87.873640] sctp: ffff8800b71533d8 1
>> >> [   87.873647] sctp: sctp_do_sm[post-sfx]: error:0,
>> >> asoc:ffff8800b71533d8[STATE_CLOSED]
>> >> [   87.873739] sctp: ffff8800b71533d8 1
>> >> [   87.873742] sctp: sctp_do_sm[post-sfx]: error:0,
>> >> asoc:ffff8800b71533d8[STATE_CLOSED]
>> >> [   87.875149] sctp: ffff8800b71533d8 1802201963
>> >> [   87.875238] sctp: sctp_do_sm[post-sfx]: error:0,
>> >> asoc:ffff8800b71533d8[STATE_CLOSED]
>> >>
>> >> 1802201963 = 0x6b6b6b6b, poison
>> >>
>> >> with the patch:
>> >> [   81.071265] sctp: ffff880137571148 1
>> >> [   81.071273] sctp: sctp_do_sm[post-sfx]: error:0,
>> >> asoc:ffff880137571148[STATE_CLOSED]
>> >> [   81.071372] sctp: ffff880137571148 1
>> >> [   81.071375] sctp: sctp_do_sm[post-sfx]: error:0,
>> >> asoc:ffff880137571148[STATE_CLOSED]
>> >> [   81.072423] sctp:           (null) 0
>> >> [   81.072427] sctp: sctp_do_sm[post-sfx]: error:0, asoc:
>> >> (null)[STATE_CLOSED]
>> >>
>> >> This one, at least, is gone with this patch.
>> >>
>> >>   Marcelo
>> >>
>> >
>> > Hi Marcelo
>> >
>> > I think you also need to catch the SCTP_DISPOSITION_ABORT and update
>> > the pointer.  There are some issues there though as some functions report
>> > that code without actually destroying the association.  This happens when
>> > the ABORT chunk may be dropped.
>> >
>> > I think this might be why we still see the issue.
>>
>>
>> Marcelo,
>>
>> Is this info enough for you to cook another fix?
>
> Hi, I think so. I was really wondering how you could trigger that issue
> without the timestamp fix and Vlad's comment does shed some light on it.
>
> I'll do more tests later today, but what did you have connecting to the
> listening socket? Somehow you made that accept() call to return..

Local connect in another thread I guess.
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Marcelo Ricardo Leitner Dec. 7, 2015, 6:52 p.m. UTC | #8 
On Mon, Dec 07, 2015 at 02:20:47PM +0100, Dmitry Vyukov wrote:
> On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo Leitner
> <marcelo.leitner@gmail.com> wrote:
> > On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote:
> >> On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich <vyasevich@gmail.com> wrote:
...
> >> > Hi Marcelo
> >> >
> >> > I think you also need to catch the SCTP_DISPOSITION_ABORT and update
> >> > the pointer.  There are some issues there though as some functions report
> >> > that code without actually destroying the association.  This happens when
> >> > the ABORT chunk may be dropped.
> >> >
> >> > I think this might be why we still see the issue.
> >>
> >>
> >> Marcelo,
> >>
> >> Is this info enough for you to cook another fix?
> >
> > Hi, I think so. I was really wondering how you could trigger that issue
> > without the timestamp fix and Vlad's comment does shed some light on it.
> >
> > I'll do more tests later today, but what did you have connecting to the
> > listening socket? Somehow you made that accept() call to return..
> 
> Local connect in another thread I guess.

Vlad, I reviewed the places on which it returns SCTP_DISPOSITION_ABORT,
and if I didn't miss something in there all of them either issue
SCTP_CMD_ASSOC_FAILED or SCTP_CMD_INIT_FAILED before returning it, thus
delaying DELETE_TCB and with that the asoc free. There is one place,
though, that may not do it that way, it's sctp_sf_abort_violation(), but
then that code only runs if asoc is already NULL by then.

Dmitry, still no luck here, cannot reproduce another hit.
I'm using sctp_test and a custom test of mine, both on localhost so I
would catch it in server or client side, nothing..

I need more info. Please enable the pr_debug() on debug_post_sfn() macro
and see which status is being reported when you trigger the issue.
And/or share a traffic capture so we can see what's going on with the
association.

  Marcelo
--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Vladislav Yasevich Dec. 7, 2015, 7:33 p.m. UTC | #9 
On 12/07/2015 01:52 PM, Marcelo Ricardo Leitner wrote:
> On Mon, Dec 07, 2015 at 02:20:47PM +0100, Dmitry Vyukov wrote:
>> On Mon, Dec 7, 2015 at 2:15 PM, Marcelo Ricardo Leitner
>> <marcelo.leitner@gmail.com> wrote:
>>> On Mon, Dec 07, 2015 at 12:26:09PM +0100, Dmitry Vyukov wrote:
>>>> On Sat, Dec 5, 2015 at 5:39 PM, Vlad Yasevich <vyasevich@gmail.com> wrote:
> ...
>>>>> Hi Marcelo
>>>>>
>>>>> I think you also need to catch the SCTP_DISPOSITION_ABORT and update
>>>>> the pointer.  There are some issues there though as some functions report
>>>>> that code without actually destroying the association.  This happens when
>>>>> the ABORT chunk may be dropped.
>>>>>
>>>>> I think this might be why we still see the issue.
>>>>
>>>>
>>>> Marcelo,
>>>>
>>>> Is this info enough for you to cook another fix?
>>>
>>> Hi, I think so. I was really wondering how you could trigger that issue
>>> without the timestamp fix and Vlad's comment does shed some light on it.
>>>
>>> I'll do more tests later today, but what did you have connecting to the
>>> listening socket? Somehow you made that accept() call to return..
>>
>> Local connect in another thread I guess.
> 
> Vlad, I reviewed the places on which it returns SCTP_DISPOSITION_ABORT,
> and if I didn't miss something in there all of them either issue
> SCTP_CMD_ASSOC_FAILED or SCTP_CMD_INIT_FAILED before returning it, thus
> delaying DELETE_TCB and with that the asoc free.

They delay it from the perspective of the command interpreter since the command
to delete the TCB happens a little later, but status code  is checked after all
commands are processed and command processing doesn't change it.  So the 'status'
code would still be SCTP_DISPOSITION_ABORT after DELETE_TCB command was processed.
So, I think we may still have an use-after-free issue here.

> There is one place,
> though, that may not do it that way, it's sctp_sf_abort_violation(), but
> then that code only runs if asoc is already NULL by then.

I don't believe so.  The violation state function can run with a non-NULL association
if we are encountering protocol violations after the association is established.

-vlad

> 
> Dmitry, still no luck here, cannot reproduce another hit.
> I'm using sctp_test and a custom test of mine, both on localhost so I
> would catch it in server or client side, nothing..
> 
> I need more info. Please enable the pr_debug() on debug_post_sfn() macro
> and see which status is being reported when you trigger the issue.
> And/or share a traffic capture so we can see what's going on with the
> association.
> 
>   Marcelo
> 

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
diff mbox

Patch

diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 6098d4c42fa91287d3cde36ac05d860f76d4fe32..05594dcd93e0d649cace5215d225bef2713f9310 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -63,7 +63,7 @@  static int sctp_cmd_interpreter(sctp_event_t event_type,
 static int sctp_side_effects(sctp_event_t event_type, sctp_subtype_t subtype,
 			     sctp_state_t state,
 			     struct sctp_endpoint *ep,
-			     struct sctp_association *asoc,
+			     struct sctp_association **asoc,
 			     void *event_arg,
 			     sctp_disposition_t status,
 			     sctp_cmd_seq_t *commands,
@@ -1123,7 +1123,7 @@  int sctp_do_sm(struct net *net, sctp_event_t event_type, sctp_subtype_t subtype,
 	debug_post_sfn();
 
 	error = sctp_side_effects(event_type, subtype, state,
-				  ep, asoc, event_arg, status,
+				  ep, &asoc, event_arg, status,
 				  &commands, gfp);
 	debug_post_sfx();
 
@@ -1136,7 +1136,7 @@  int sctp_do_sm(struct net *net, sctp_event_t event_type, sctp_subtype_t subtype,
 static int sctp_side_effects(sctp_event_t event_type, sctp_subtype_t subtype,
 			     sctp_state_t state,
 			     struct sctp_endpoint *ep,
-			     struct sctp_association *asoc,
+			     struct sctp_association **asoc,
 			     void *event_arg,
 			     sctp_disposition_t status,
 			     sctp_cmd_seq_t *commands,
@@ -1151,7 +1151,7 @@  static int sctp_side_effects(sctp_event_t event_type, sctp_subtype_t subtype,
 	 * disposition SCTP_DISPOSITION_CONSUME.
 	 */
 	if (0 != (error = sctp_cmd_interpreter(event_type, subtype, state,
-					       ep, asoc,
+					       ep, *asoc,
 					       event_arg, status,
 					       commands, gfp)))
 		goto bail;
@@ -1175,6 +1175,7 @@  static int sctp_side_effects(sctp_event_t event_type, sctp_subtype_t subtype,
 
 	case SCTP_DISPOSITION_DELETE_TCB:
 		/* This should now be a command. */
+		*asoc = NULL;
 		break;
 
 	case SCTP_DISPOSITION_CONSUME: