linux

iv/linux

History

Xin Long fb6df5a623 sctp: kfree_rcu asoc In sctp_hash_transport/sctp_epaddr_lookup_transport, it dereferences a transport's asoc under rcu_read_lock while asoc is freed not after a grace period, which leads to a use-after-free panic. This patch fixes it by calling kfree_rcu to make asoc be freed after a grace period. Note that only the asoc's memory is delayed to free in the patch, it won't cause sk to linger longer. Thanks Neil and Marcelo to make this clear. Fixes: `7fda702f93` ("sctp: use new rhlist interface on sctp transport rhashtable") Fixes: `cd2b708750` ("sctp: check duplicate node before inserting a new transport") Reported-by: syzbot+0b05d8aa7cb185107483@syzkaller.appspotmail.com Reported-by: syzbot+aad231d51b1923158444@syzkaller.appspotmail.com Suggested-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Acked-by: Neil Horman <nhorman@tuxdriver.com> Signed-off-by: David S. Miller <davem@davemloft.net>		2018-12-03 15:54:41 -08:00
..
6lowpan
9p	Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-11-03 10:35:52 -07:00
802
8021q
appletalk
atm	Revert "net: simplify sock_poll_wait"	2018-10-23 10:57:06 -07:00
ax25
batman-adv	batman-adv: Expand merged fragment buffer for full packet	2018-11-12 10:41:29 +01:00
bluetooth	Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-11-01 19:58:52 -07:00
bpf
bpfilter	net: bpfilter: Set user mode helper's command line	2018-10-22 19:37:36 -07:00
bridge	net: bridge: fix vlan stats use-after-free on destruction	2018-11-17 21:38:44 -08:00
caif	Revert "net: simplify sock_poll_wait"	2018-10-23 10:57:06 -07:00
can	can: raw: check for CAN FD capable netdev in raw_sendmsg()	2018-11-09 17:19:34 +01:00
ceph	libceph: fall back to sendmsg for slab pages	2018-11-19 17:59:47 +01:00
core	net: fix XPS static_key accounting	2018-11-29 11:06:08 -08:00
dcb
dccp	Revert "net: simplify sock_poll_wait"	2018-10-23 10:57:06 -07:00
decnet
dns_resolver
dsa	net: dsa: Fix tagging attribute location	2018-11-30 17:17:39 -08:00
ethernet
hsr
ieee802154
ife
ipv4	tcp: fix SNMP TCP timeout under-estimation	2018-11-30 17:22:41 -08:00
ipv6	Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf	2018-11-28 11:02:45 -08:00
iucv	Revert "net: simplify sock_poll_wait"	2018-10-23 10:57:06 -07:00
kcm
key
l2tp	l2tp: fix a sock refcnt leak in l2tp_tunnel_register	2018-11-14 22:49:31 -08:00
l3mdev
lapb
llc	llc: do not use sk_eat_skb()	2018-10-22 19:59:20 -07:00
mac80211
mac802154
mpls
ncsi
netfilter	netfilter: nf_tables: deactivate expressions in rule replecement routine	2018-11-28 10:56:40 +01:00
netlabel
netlink
netrom
nfc	Merge branch 'work.tty-ioctl' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-10-24 14:43:41 +01:00
nsh
openvswitch	openvswitch: fix spelling mistake "execeeds" -> "exceeds"	2018-11-30 13:18:09 -08:00
packet	packet: copy user buffers before orphan or clone	2018-11-23 11:08:03 -08:00
phonet
psample
qrtr
rds
rfkill
rose
rxrpc	rxrpc: Fix life check	2018-11-15 11:35:40 -08:00
sched	net/sched: act_police: fix memory leak in case of invalid control action	2018-11-30 17:14:06 -08:00
sctp	sctp: kfree_rcu asoc	2018-12-03 15:54:41 -08:00
smc	net/smc: use after free fix in smc_wr_tx_put_slot()	2018-11-21 16:14:56 -08:00
strparser
sunrpc	NFS client bugfixes for Linux 4.20	2018-11-15 10:59:37 -06:00
switchdev
tipc	tipc: fix lockdep warning during node delete	2018-11-27 16:30:39 -08:00
tls	Merge branch 'work.afs' of git://git.kernel.org/pub/scm/linux/kernel/git/viro/vfs	2018-11-01 19:58:52 -07:00
unix	Revert "net: simplify sock_poll_wait"	2018-10-23 10:57:06 -07:00
vmw_vsock
wimax
wireless
x25	net/x25: handle call collisions	2018-11-29 14:25:36 -08:00
xdp
xfrm	Merge branch 'x86-urgent-for-linus' of git://git.kernel.org/pub/scm/linux/kernel/git/tip/tip	2018-11-03 18:25:17 -07:00
compat.c
Kconfig
Makefile
socket.c	socket: do a generic_file_splice_read when proto_ops has no splice_read	2018-11-17 21:34:11 -08:00
sysctl_net.c