From patchwork Tue Feb 12 10:51:01 2019
X-Patchwork-Submitter: Xin Long
X-Patchwork-Id: 1040500
X-Patchwork-Delegate: davem@davemloft.net
From: Xin Long
To: linux-kernel@vger.kernel.org, network dev, linux-sctp@vger.kernel.org
Cc: davem@davemloft.net, Marcelo Ricardo Leitner, Neil Horman
Subject: [PATCH net] sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate
Date: Tue, 12 Feb 2019 18:51:01 +0800
Message-Id: <0cb9e543c21495df48c3723044d6c9f64f238eca.1549968661.git.lucien.xin@gmail.com>
X-Mailer: git-send-email 2.1.0
X-Mailing-List: netdev@vger.kernel.org

In sctp_stream_init(), after sctp_stream_outq_migrate() has freed the surplus streams' ext, if sctp_stream_alloc_out() returns -ENOMEM, stream->outcnt will not be set to 'outcnt'. With the bigger value in stream->outcnt, when closing the assoc and freeing its streams, the ext of those surplus streams will be freed again, since those stream exts were not set to NULL after freeing in sctp_stream_outq_migrate(). Then the invalid-free issue reported by syzbot would be triggered.

We fix it by simply setting them to NULL after freeing.

Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
Reported-by: syzbot+58e480e7b28f2d890bfd@syzkaller.appspotmail.com
Signed-off-by: Xin Long
Acked-by: Neil Horman
Acked-by: Marcelo Ricardo Leitner
---
 net/sctp/stream.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/sctp/stream.c b/net/sctp/stream.c
index f246331..2936ed1 100644
--- a/net/sctp/stream.c
+++ b/net/sctp/stream.c
@@ -144,8 +144,10 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream, } } - for (i = outcnt; i < stream->outcnt; i++) + for (i = outcnt; i < stream->outcnt; i++) { kfree(SCTP_SO(stream, i)->ext); + SCTP_SO(stream, i)->ext = NULL; + } } static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,
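Review bot: Clearing the pointer after kfree() makes the second kfree() in the teardown path a no-op and so closes the double free, but the commit message also says stream->outcnt keeps the larger value after the -ENOMEM, which means any other loop that walks the out streams up to stream->outcnt and dereferences ->ext will now find a NULL ext on those surplus entries; it would be worth stating in the message that those paths tolerate a NULL ext, or handling the stale stream->outcnt in the alloc_out error path as a follow-up.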
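The sequence the commit message describes, replayed in a small userland model as an added example (this is not kernel code and not part of the patch): the struct names and the `outq_migrate`/`stream_free` helpers are simplified stand-ins for `sctp_stream_outq_migrate()` and the teardown loop, and `model_kfree()` stands in for kfree(), treating NULL as a no-op and counting any second free of the same object instead of corrupting the heap.

```c
#include <stddef.h>

#define NSTREAMS 8

/* Simplified model of the SCTP stream structures (assumption, not the kernel's layout). */
struct sctp_stream_out_ext { int freed; };              /* model keeps free state in the object */
struct sctp_stream_out     { struct sctp_stream_out_ext *ext; };
struct sctp_stream {
	struct sctp_stream_out out[NSTREAMS];
	unsigned int outcnt;
};

static struct sctp_stream_out_ext pool[NSTREAMS];      /* constructed backing objects */
static int double_frees;

/* Model of kfree(): NULL is a no-op, as in the kernel; a repeated free is counted, not executed. */
static void model_kfree(struct sctp_stream_out_ext *p)
{
	if (!p)
		return;
	if (p->freed)
		double_frees++;
	p->freed = 1;
}

/* Shrinking migrate: frees the surplus ext; clear_ptr selects the patched behaviour (ext = NULL). */
static void outq_migrate(struct sctp_stream *s, unsigned int outcnt, int clear_ptr)
{
	for (unsigned int i = outcnt; i < s->outcnt; i++) {
		model_kfree(s->out[i].ext);
		if (clear_ptr)
			s->out[i].ext = NULL;
	}
}

/* Teardown: frees every ext up to s->outcnt, modelled on the assoc close path in the message. */
static void stream_free(struct sctp_stream *s)
{
	for (unsigned int i = 0; i < s->outcnt; i++)
		model_kfree(s->out[i].ext);
}

/* Replay: 4 streams, migrate down to 2, alloc_out "fails" so outcnt stays 4, then free.
 * Returns the number of double frees observed (2 unpatched, 0 patched). */
int replay(int patched)
{
	struct sctp_stream s = { .outcnt = 4 };
	double_frees = 0;
	for (unsigned int i = 0; i < NSTREAMS; i++) {
		pool[i].freed = 0;
		s.out[i].ext = i < 4 ? &pool[i] : NULL;
	}
	outq_migrate(&s, 2, patched);
	/* sctp_stream_alloc_out() returns -ENOMEM here, so s.outcnt is never lowered to 2 */
	stream_free(&s);
	return double_frees;
}
```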