[PATCH v4] sctp: fix refcount bug in sctp_wfree

From: Qiujun Huang
Date: Sun Mar 22 2020 - 05:04:37 EST

Next message: Ardelean, Alexandru: "Re: [PATCH] MAINTAINERS: remove Stefan Popa's email"
Previous message: Alexandre Belloni: "[GIT PULL] ARM: at91: SoC for 5.7"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

sctp_sock_migrate should iterate over the datamsgs to modify
all trunks(skbs) to newsk. For this, out_msg_list is added to
sctp_outq to maintain datamsgs list.

The following case cause the bug:

for the trouble SKB, it was in outq->transmitted list

sctp_outq_sack
sctp_check_transmitted
SKB was moved to outq->sacked list
then throw away the sack queue
SKB was deleted from outq->sacked
(but it was held by datamsg at sctp_datamsg_to_asoc
So, sctp_wfree was not called here)

then migrate happened

sctp_for_each_tx_datachunk(
sctp_clear_owner_w);
sctp_assoc_migrate();
sctp_for_each_tx_datachunk(
sctp_set_owner_w);
SKB was not in the outq, and was not changed to newsk

finally

__sctp_outq_teardown
sctp_chunk_put (for another skb)
sctp_datamsg_put
__kfree_skb(msg->frag_list)
sctp_wfree (for SKB)
SKB->sk was still oldsk (skb->sk != asoc->base.sk).

Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@xxxxxxxxxxxxxxxxxxxxxxxxx
Signed-off-by: Qiujun Huang <hqjagain@xxxxxxxxx>
---
include/net/sctp/structs.h | 5 +++++
net/sctp/chunk.c | 4 ++++
net/sctp/outqueue.c | 1 +
net/sctp/sm_sideeffect.c | 1 +
net/sctp/socket.c | 27 +++++++--------------------
5 files changed, 18 insertions(+), 20 deletions(-)

diff --git a/include/net/sctp/structs.h b/include/net/sctp/structs.h
index 314a2fa21d6b..f72ba7418230 100644
--- a/include/net/sctp/structs.h
+++ b/include/net/sctp/structs.h
@@ -522,6 +522,8 @@ struct sctp_pf {
struct sctp_datamsg {
/* Chunks waiting to be submitted to lower layer. */
struct list_head chunks;
+ /* List in outq. */
+ struct list_head list;
/* Reference counting. */
refcount_t refcnt;
/* When is this message no longer interesting to the peer? */
@@ -1063,6 +1065,9 @@ struct sctp_outq {
/* Data pending that has never been transmitted. */
struct list_head out_chunk_list;

+ /* Data msg list. */
+ struct list_head out_msg_list;
+
/* Stream scheduler being used */
struct sctp_sched_ops *sched;

diff --git a/net/sctp/chunk.c b/net/sctp/chunk.c
index ab6a997e222f..17b38e9a8a7b 100644
--- a/net/sctp/chunk.c
+++ b/net/sctp/chunk.c
@@ -41,6 +41,7 @@ static void sctp_datamsg_init(struct sctp_datamsg *msg)
msg->abandoned = 0;
msg->expires_at = 0;
INIT_LIST_HEAD(&msg->chunks);
+ INIT_LIST_HEAD(&msg->list);
}

/* Allocate and initialize datamsg. */
@@ -111,6 +112,9 @@ static void sctp_datamsg_destroy(struct sctp_datamsg *msg)
sctp_chunk_put(chunk);
}

+ if (!list_empty(&msg->list))
+ list_del_init(&msg->list);
+
SCTP_DBG_OBJCNT_DEC(datamsg);
kfree(msg);
}
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c
index 577e3bc4ee6f..3bbcb140c887 100644
--- a/net/sctp/outqueue.c
+++ b/net/sctp/outqueue.c
@@ -194,6 +194,7 @@ void sctp_outq_init(struct sctp_association *asoc, struct sctp_outq *q)

q->asoc = asoc;
INIT_LIST_HEAD(&q->out_chunk_list);
+ INIT_LIST_HEAD(&q->out_msg_list);
INIT_LIST_HEAD(&q->control_chunk_list);
INIT_LIST_HEAD(&q->retransmit);
INIT_LIST_HEAD(&q->sacked);
diff --git a/net/sctp/sm_sideeffect.c b/net/sctp/sm_sideeffect.c
index 2bc29463e1dc..93cc911256f6 100644
--- a/net/sctp/sm_sideeffect.c
+++ b/net/sctp/sm_sideeffect.c
@@ -1099,6 +1099,7 @@ static void sctp_cmd_send_msg(struct sctp_association *asoc,
list_for_each_entry(chunk, &msg->chunks, frag_list)
sctp_outq_tail(&asoc->outqueue, chunk, gfp);

+ list_add_tail(&msg->list, &asoc->outqueue.out_msg_list);
asoc->outqueue.sched->enqueue(&asoc->outqueue, msg);
}

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 1b56fc440606..32f6111bccbf 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -147,29 +147,16 @@ static void sctp_clear_owner_w(struct sctp_chunk *chunk)
skb_orphan(chunk->skb);
}

-static void sctp_for_each_tx_datachunk(struct sctp_association *asoc,
- void (*cb)(struct sctp_chunk *))
+static void sctp_for_each_tx_datamsg(struct sctp_association *asoc,
+ void (*cb)(struct sctp_chunk *))

{
- struct sctp_outq *q = &asoc->outqueue;
- struct sctp_transport *t;
struct sctp_chunk *chunk;
+ struct sctp_datamsg *msg;

- list_for_each_entry(t, &asoc->peer.transport_addr_list, transports)
- list_for_each_entry(chunk, &t->transmitted, transmitted_list)
+ list_for_each_entry(msg, &asoc->outqueue.out_msg_list, list)
+ list_for_each_entry(chunk, &msg->chunks, frag_list)
cb(chunk);
-
- list_for_each_entry(chunk, &q->retransmit, transmitted_list)
- cb(chunk);
-
- list_for_each_entry(chunk, &q->sacked, transmitted_list)
- cb(chunk);
-
- list_for_each_entry(chunk, &q->abandoned, transmitted_list)
- cb(chunk);
-
- list_for_each_entry(chunk, &q->out_chunk_list, list)
- cb(chunk);
}

static void sctp_for_each_rx_skb(struct sctp_association *asoc, struct sock *sk,
@@ -9574,9 +9561,9 @@ static int sctp_sock_migrate(struct sock *oldsk, struct sock *newsk,
* paths won't try to lock it and then oldsk.
*/
lock_sock_nested(newsk, SINGLE_DEPTH_NESTING);
- sctp_for_each_tx_datachunk(assoc, sctp_clear_owner_w);
+ sctp_for_each_tx_datamsg(assoc, sctp_clear_owner_w);
sctp_assoc_migrate(assoc, newsk);
- sctp_for_each_tx_datachunk(assoc, sctp_set_owner_w);
+ sctp_for_each_tx_datamsg(assoc, sctp_set_owner_w);

/* If the association on the newsk is already closed before accept()
* is called, set RCV_SHUTDOWN flag.
--
2.17.1

Next message: Ardelean, Alexandru: "Re: [PATCH] MAINTAINERS: remove Stefan Popa's email"
Previous message: Alexandre Belloni: "[GIT PULL] ARM: at91: SoC for 5.7"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]