Re: [PATCH 4.14 024/119] sctp: change sctp_prot .no_autobind with true

From: Sasha Levin
Date: Thu Oct 31 2019 - 08:10:04 EST


On Thu, Oct 31, 2019 at 05:14:15PM +0800, Xin Long wrote:
> On Thu, Oct 31, 2019 at 3:54 PM Rantala, Tommi T. (Nokia - FI/Espoo)
> <tommi.t.rantala@xxxxxxxxx> wrote:
> >
> > On Sun, 2019-10-27 at 22:00 +0100, Greg Kroah-Hartman wrote:
> > > From: Xin Long <lucien.xin@xxxxxxxxx>
> > >
> > > [ Upstream commit 63dfb7938b13fa2c2fbcb45f34d065769eb09414 ]
> > >
> > > syzbot reported a memory leak:
> > >
> > > BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):
> > > backtrace:
> > >
> > > [...] slab_alloc mm/slab.c:3319 [inline]
> > > [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483
> > > [...] sctp_bucket_create net/sctp/socket.c:8523 [inline]
> > > [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270
> > > [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402
> > > [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497
> > > [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022
> > > [...] sctp_setsockopt net/sctp/socket.c:4641 [inline]
> > > [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611
> > > [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147
> > > [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084
> > > [...] __do_sys_setsockopt net/socket.c:2100 [inline]
> > >
> > > It was caused by sending msgs without binding a port: in the path
> > > inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->
> > > .get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is
> > > not. Later when binding another port by sctp_setsockopt_bindx(), a new
> > > bucket will be created as bp->port is not set.
> > >
> > > sctp's autobind is supposed to call sctp_autobind() where it does all
> > > things including setting bp->port. Since sctp_autobind() is called in
> > > sctp_sendmsg() if the sk is not yet bound, it should have skipped the
> > > auto bind.
> > >
> > > This patch is to avoid calling inet_autobind() in inet_send_prepare()
> > > by changing sctp_prot .no_autobind to true, and also removes the unused
> > > .get_port.
> >
> > Hi,
> >
> > I'm seeing an SCTP oops in 4.14.151, reproducible easily with iperf:
> >
> > # iperf3 -s -1 &
> > # iperf3 -c localhost --sctp
> >
> > This patch was also included in 4.19.81, but there it seems to be working
> > fine.
> >
> > Any ideas if this patch is valid for 4.14, or what's missing in 4.14 to
> > make this work?
> pls get this commit into 4.14, which has been in 4.19:
>
> commit 644fbdeacf1d3edd366e44b8ba214de9d1dd66a9
> Author: Xin Long <lucien.xin@xxxxxxxxx>
> Date: Sun May 20 16:39:10 2018 +0800
>
> sctp: fix the issue that flags are ignored when using kernel_connect

Care to send a backport?

--
Thanks,
Sasha