linux/net
Xin Long d04adf1b35 sctp: reset owner sk for data chunks on out queues when migrating a sock
Now when migrating sock to another one in sctp_sock_migrate(), it only
resets owner sk for the data in receive queues, not the chunks on out
queues.

It would cause that data chunks length on the sock is not consistent
with sk sk_wmem_alloc. When closing the sock or freeing these chunks,
the old sk would never be freed, and the new sock may crash due to
the overflow sk_wmem_alloc.

syzbot found this issue with this series:

  r0 = socket$inet_sctp()
  sendto$inet(r0)
  listen(r0)
  accept4(r0)
  close(r0)

Although listen() should have returned error when one TCP-style socket
is in connecting (I may fix this one in another patch), it could also
be reproduced by peeling off an assoc.

This issue is there since very beginning.

This patch is to reset owner sk for the chunks on out queues so that
sk sk_wmem_alloc has correct value after accept one sock or peeloff
an assoc to one sock.

Note that when resetting owner sk for chunks on outqueue, it has to
sctp_clear_owner_w/skb_orphan chunks before changing assoc->base.sk
first and then sctp_set_owner_w them after changing assoc->base.sk,
due to that sctp_wfree and it's callees are using assoc->base.sk.

Reported-by: Dmitry Vyukov <dvyukov@google.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-10-29 12:06:57 +09:00
..
6lowpan
9p net/9p: switch p9_fd_read to kernel_write 2017-09-04 19:05:16 -04:00
802 net: introduce __skb_put_[zero, data, u8] 2017-06-20 13:30:14 -04:00
8021q net: 8021q: skip packets if the vlan is down 2017-10-04 18:16:48 -07:00
appletalk networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
atm net: atm: make atmdev_ops const 2017-08-09 22:43:50 -07:00
ax25 net, ax25: convert ax25_cb.refcount from atomic_t to refcount_t 2017-07-04 22:35:19 +01:00
batman-adv Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-08-09 16:28:45 -07:00
bluetooth Revert "Bluetooth: Add option for disabling legacy ioctl interfaces" 2017-09-28 13:20:32 -07:00
bpf bpf: Align packet data properly in program testing framework. 2017-05-02 11:46:28 -04:00
bridge net: bridge: fix returning of vlan range op errors 2017-10-22 01:46:32 +01:00
caif net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
can can: af_can: can_pernet_init(): add missing error handling for kzalloc returning NULL 2017-10-19 13:05:54 +02:00
ceph libceph: don't allow bidirectional swap of pg-upmap-items 2017-09-19 20:34:29 +02:00
core bpf: rename sk_actions to align with bpf infrastructure 2017-10-29 11:18:48 +09:00
dcb rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
dccp tcp/dccp: fix other lockdep splats accessing ireq_opt 2017-10-26 17:41:32 +09:00
decnet Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf-next 2017-09-03 17:08:42 -07:00
dns_resolver KEYS: Fix race between updating and finding a negative key 2017-10-18 09:12:40 +01:00
dsa net: dsa: check master device before put 2017-10-25 10:49:14 +09:00
ethernet networking: make skb_push & __skb_push return void pointers 2017-06-16 11:48:40 -04:00
hsr net/hsr: Check skb_put_padto() return value 2017-08-22 13:40:23 -07:00
ieee802154 Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-05 20:03:35 -07:00
ife
ipv4 tcp: refresh tp timestamp before tcp_mtu_probe() 2017-10-28 19:08:04 +09:00
ipv6 ip6_gre: update dst pmtu if dev mtu has been updated by toobig in __gre6_xmit 2017-10-27 23:45:42 +09:00
ipx net, ipx: convert ipx_route.refcnt from atomic_t to refcount_t 2017-07-04 22:35:17 +01:00
iucv iucv: Convert sk_wmem_alloc accesses to refcount_t. 2017-07-03 02:31:22 -07:00
kcm Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-09-01 17:42:05 -07:00
key Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-08-15 20:23:23 -07:00
l2tp l2tp: check ps->sock before running pppol2tp_session_ioctl() 2017-10-14 18:38:56 -07:00
l3mdev
lapb net, lapb: convert lapb_cb.refcnt from atomic_t to refcount_t 2017-07-04 22:35:16 +01:00
llc net, llc: convert llc_sap.refcnt from atomic_t to refcount_t 2017-07-04 22:35:15 +01:00
mac80211 mac80211: don't compare TKIP TX MIC key in reinstall prevention 2017-10-25 11:04:45 +02:00
mac802154 net: Fix inconsistent teardown and release of private netdev state. 2017-06-07 15:53:24 -04:00
mpls rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
ncsi net/ncsi: Fix length of GVI response packet 2017-10-21 01:56:38 +01:00
netfilter netfilter: xt_bpf: Fix XT_BPF_MODE_FD_PINNED mode of 'xt_bpf_info_v1' 2017-10-09 15:18:04 +02:00
netlabel
netlink netlink: fix netlink_ack() extack race 2017-10-18 12:22:28 +01:00
netrom net, netrom: convert nr_node.refcount from atomic_t to refcount_t 2017-07-04 22:35:17 +01:00
nfc NFC: Add sockaddr length checks before accessing sa_family in bind handlers 2017-06-23 00:38:31 +02:00
nsh nsh: add GSO support 2017-08-29 15:16:52 -07:00
openvswitch openvswitch: Fix an error handling path in 'ovs_nla_init_match_and_action()' 2017-09-12 20:37:31 -07:00
packet packet: avoid panic in packet_getsockopt() 2017-10-21 01:51:34 +01:00
phonet rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
psample networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
qrtr rtnetlink: make rtnl_register accept a flags parameter 2017-08-09 16:57:38 -07:00
rds rds: Fix inaccurate accounting of unsignaled wrs 2017-10-26 17:35:57 +09:00
rfkill net: rfkill: gpio: Switch to devm_acpi_dev_add_driver_gpios() 2017-06-13 11:07:51 +02:00
rose
rxrpc rxrpc: Don't release call mutex on error pointer 2017-10-22 03:05:39 +01:00
sched net/sched: cls_flower: Set egress_dev mark when calling into the HW driver 2017-10-16 21:18:59 +01:00
sctp sctp: reset owner sk for data chunks on out queues when migrating a sock 2017-10-29 12:06:57 +09:00
smc net/smc: no close wait in case of process shut down 2017-09-21 15:31:03 -07:00
strparser strparser: Use delayed work instead of timer for msg timeout 2017-10-25 10:37:11 +09:00
sunrpc sunrpc: remove redundant initialization of sock 2017-10-01 18:51:30 -04:00
switchdev net: switchdev: Remove bridge bypass support from switchdev 2017-08-07 14:48:48 -07:00
tipc tipc: Unclone message at secondary destination lookup 2017-10-08 21:13:23 -07:00
tls tls: make tls_sw_free_resources static 2017-09-14 09:55:21 -07:00
unix net/unix: don't show information about sockets from other namespaces 2017-10-26 10:05:59 +09:00
vmw_vsock hv_sock: add locking in the open/close/release code paths 2017-10-21 02:21:08 +01:00
wimax
wireless cfg80211: fix connect/disconnect edge cases 2017-10-18 09:39:44 +02:00
x25 X25: constify null_x25_address 2017-08-03 09:13:51 -07:00
xfrm ipsec: Fix aborted xfrm policy dump crash 2017-10-23 09:35:48 +02:00
Kconfig net: Remove CONFIG_NETFILTER_DEBUG and _ASSERT() macros. 2017-09-04 13:25:20 +02:00
Makefile nsh: add GSO support 2017-08-29 15:16:52 -07:00
compat.c net: compat: assert the size of cmsg copied in is as expected 2017-09-20 15:36:18 -07:00
socket.c net: fixes for skb_send_sock 2017-08-16 11:27:52 -07:00
sysctl_net.c