diff options
| author | David S. Miller <davem@davemloft.net> | 2016-10-31 16:20:33 -0400 | 
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-10-31 16:20:33 -0400 | 
| commit | 1137086fc85712aa123d29c87c604310a17a7d4e (patch) | |
| tree | 5ea1f8d710959c462452efaa4fffc8d7d1f0cbb7 /net/sctp/input.c | |
| parent | 87557efc27f6a50140fb20df06a917f368ce3c66 (diff) | |
| parent | dae399d7fdee84d8f5227a9711d95bb4e9a05d4e (diff) | |
Merge branch 'sctp-hold-transport-fixes'
Xin Long says:
====================
sctp: a bunch of fixes by holding transport
There are several places where it holds assoc after getting transport by
searching from transport rhashtable, it may cause use-after-free issue.
This patchset is to fix them by holding transport instead.
v1->v2:
  Fix the changelog of patch 2/3
====================
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp/input.c')
| -rw-r--r-- | net/sctp/input.c | 35 | 
1 files changed, 17 insertions, 18 deletions
| diff --git a/net/sctp/input.c b/net/sctp/input.c index a2ea1d1cc06a..a01a56ec8b8c 100644 --- a/net/sctp/input.c +++ b/net/sctp/input.c @@ -181,9 +181,10 @@ int sctp_rcv(struct sk_buff *skb)  	 * bound to another interface, via SO_BINDTODEVICE, treat it as OOTB  	 */  	if (sk->sk_bound_dev_if && (sk->sk_bound_dev_if != af->skb_iif(skb))) { -		if (asoc) { -			sctp_association_put(asoc); +		if (transport) { +			sctp_transport_put(transport);  			asoc = NULL; +			transport = NULL;  		} else {  			sctp_endpoint_put(ep);  			ep = NULL; @@ -269,8 +270,8 @@ int sctp_rcv(struct sk_buff *skb)  	bh_unlock_sock(sk);  	/* Release the asoc/ep ref we took in the lookup calls. */ -	if (asoc) -		sctp_association_put(asoc); +	if (transport) +		sctp_transport_put(transport);  	else  		sctp_endpoint_put(ep); @@ -283,8 +284,8 @@ discard_it:  discard_release:  	/* Release the asoc/ep ref we took in the lookup calls. */ -	if (asoc) -		sctp_association_put(asoc); +	if (transport) +		sctp_transport_put(transport);  	else  		sctp_endpoint_put(ep); @@ -300,6 +301,7 @@ int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb)  {  	struct sctp_chunk *chunk = SCTP_INPUT_CB(skb)->chunk;  	struct sctp_inq *inqueue = &chunk->rcvr->inqueue; +	struct sctp_transport *t = chunk->transport;  	struct sctp_ep_common *rcvr = NULL;  	int backloged = 0; @@ -351,7 +353,7 @@ int sctp_backlog_rcv(struct sock *sk, struct sk_buff *skb)  done:  	/* Release the refs we took in sctp_add_backlog */  	if (SCTP_EP_TYPE_ASSOCIATION == rcvr->type) -		sctp_association_put(sctp_assoc(rcvr)); +		sctp_transport_put(t);  	else if (SCTP_EP_TYPE_SOCKET == rcvr->type)  		sctp_endpoint_put(sctp_ep(rcvr));  	else @@ -363,6 +365,7 @@ done:  static int sctp_add_backlog(struct sock *sk, struct sk_buff *skb)  {  	struct sctp_chunk *chunk = SCTP_INPUT_CB(skb)->chunk; +	struct sctp_transport *t = chunk->transport;  	struct sctp_ep_common *rcvr = chunk->rcvr;  	int ret; @@ -373,7 +376,7 @@ static int sctp_add_backlog(struct sock *sk, struct sk_buff *skb)  		 * from us  		 */  		if (SCTP_EP_TYPE_ASSOCIATION == rcvr->type) -			sctp_association_hold(sctp_assoc(rcvr)); +			sctp_transport_hold(t);  		else if (SCTP_EP_TYPE_SOCKET == rcvr->type)  			sctp_endpoint_hold(sctp_ep(rcvr));  		else @@ -537,15 +540,15 @@ struct sock *sctp_err_lookup(struct net *net, int family, struct sk_buff *skb,  	return sk;  out: -	sctp_association_put(asoc); +	sctp_transport_put(transport);  	return NULL;  }  /* Common cleanup code for icmp/icmpv6 error handler. */ -void sctp_err_finish(struct sock *sk, struct sctp_association *asoc) +void sctp_err_finish(struct sock *sk, struct sctp_transport *t)  {  	bh_unlock_sock(sk); -	sctp_association_put(asoc); +	sctp_transport_put(t);  }  /* @@ -641,7 +644,7 @@ void sctp_v4_err(struct sk_buff *skb, __u32 info)  	}  out_unlock: -	sctp_err_finish(sk, asoc); +	sctp_err_finish(sk, transport);  }  /* @@ -952,11 +955,8 @@ static struct sctp_association *__sctp_lookup_association(  		goto out;  	asoc = t->asoc; -	sctp_association_hold(asoc);  	*pt = t; -	sctp_transport_put(t); -  out:  	return asoc;  } @@ -986,7 +986,7 @@ int sctp_has_association(struct net *net,  	struct sctp_transport *transport;  	if ((asoc = sctp_lookup_association(net, laddr, paddr, &transport))) { -		sctp_association_put(asoc); +		sctp_transport_put(transport);  		return 1;  	} @@ -1021,7 +1021,6 @@ static struct sctp_association *__sctp_rcv_init_lookup(struct net *net,  	struct sctphdr *sh = sctp_hdr(skb);  	union sctp_params params;  	sctp_init_chunk_t *init; -	struct sctp_transport *transport;  	struct sctp_af *af;  	/* @@ -1052,7 +1051,7 @@ static struct sctp_association *__sctp_rcv_init_lookup(struct net *net,  		af->from_addr_param(paddr, params.addr, sh->source, 0); -		asoc = __sctp_lookup_association(net, laddr, paddr, &transport); +		asoc = __sctp_lookup_association(net, laddr, paddr, transportp);  		if (asoc)  			return asoc;  	} | 
