Date: Tue, 12 Feb 2019 10:46:55 -0500
From: Neil Horman
To: Xin Long
Cc: linux-kernel@vger.kernel.org, network dev, linux-sctp@vger.kernel.org, davem@davemloft.net, Marcelo Ricardo Leitner
Subject: Re: [PATCH net] sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate
Message-ID: <20190212154655.GA2151@hmswarspite.think-freely.org>
In-Reply-To: <0cb9e543c21495df48c3723044d6c9f64f238eca.1549968661.git.lucien.xin@gmail.com>

On Tue, Feb 12, 2019 at 06:51:01PM +0800, Xin Long wrote:
> In sctp_stream_init(), after sctp_stream_outq_migrate() freed the
> surplus streams' ext, but sctp_stream_alloc_out() returns -ENOMEM,
> stream->outcnt will not be set to 'outcnt'.
>
> With the bigger value on stream->outcnt, when closing the assoc and
> freeing its streams, the ext of those surplus streams will be freed
> again since those stream exts were not set to NULL after freeing in
> sctp_stream_outq_migrate(). Then the invalid-free issue reported by
> syzbot would be triggered.
>
> We fix it by simply setting them to NULL after freeing.
>
> Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
> Reported-by: syzbot+58e480e7b28f2d890bfd@syzkaller.appspotmail.com
> Signed-off-by: Xin Long
> ---
> net/sctp/stream.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/sctp/stream.c b/net/sctp/stream.c
> index f246331..2936ed1 100644
> --- a/net/sctp/stream.c
> +++ b/net/sctp/stream.c
> @@ -144,8 +144,10 @@ static void sctp_stream_outq_migrate(struct sctp_stream *stream, > } > } > > - for (i = outcnt; i < stream->outcnt; i++) > + for (i = outcnt; i < stream->outcnt; i++) { > kfree(SCTP_SO(stream, i)->ext); > + SCTP_SO(stream, i)->ext = NULL; > + } > } > > static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt, > -- > 2.1.0 > > Acked-by: Neil Horman
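Review bot: the loop in this hunk now relies on kfree(NULL) being a no-op rather than on stream->outcnt being accurate: when sctp_stream_alloc_out() fails in the caller, stream->outcnt still counts the streams whose ext was freed here, and the teardown path named in the commit message walks every stream below that count and frees ext again, which is only safe because the pointer is NULL. A one-line comment above the `for (i = outcnt; i < stream->outcnt; i++) {` loop would make that dependency explicit for the next reader, e.g. `/* NULL ext: the caller may fail before lowering stream->outcnt, and teardown frees ext for every stream below it */`. Note also that stream->outcnt is not lowered in this function, so any code that reads the surplus slots between this call and a successful sctp_stream_alloc_out() will see a stale count with NULL ext pointers; the patch is correct as is, but that window deserves the comment.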
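A small C model of the failure mode described in the commit message, added here as an example; it is not code from net/sctp/stream.c or from anyone in this thread. The struct and function names (struct stream, outq_migrate, alloc_out, stream_init, stream_free, tracked_kfree, run_scenario) are this example's own stand-ins for the kernel's, and the double free is made observable by logging freed pointers instead of calling free() twice, which would be undefined behaviour. run_scenario(0) plays the unpatched loop, run_scenario(1) the patched one with the ext pointer NULLed after kfree.

```c
/* Added example, not kernel code. Models: migrate frees surplus ext,
 * the following allocation fails with -ENOMEM so outcnt is never lowered,
 * and teardown walks the stale outcnt and frees the same ext again. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define MAX_STREAMS 8          /* example constant, not the kernel's */
#define ENOMEM 12

struct stream_ext { int prio; };
struct stream_out { struct stream_ext *ext; };
struct stream {
    struct stream_out out[MAX_STREAMS];
    unsigned outcnt;
};

/* Record every pointer handed to the "kfree" stand-in and count repeat
 * frees instead of freeing twice, so the bug is visible and safe to run. */
static uintptr_t freed_log[64];
static size_t freed_n;
static int double_frees;

static void tracked_kfree(void *p)
{
    if (!p)                         /* kfree(NULL) is a no-op in the kernel too */
        return;
    for (size_t i = 0; i < freed_n; i++)
        if (freed_log[i] == (uintptr_t)p) { double_frees++; return; }
    if (freed_n < 64)
        freed_log[freed_n++] = (uintptr_t)p;
    free(p);
}

static void reset_tracking(void) { freed_n = 0; double_frees = 0; }

static void stream_setup(struct stream *s, unsigned n)
{
    memset(s, 0, sizeof *s);
    s->outcnt = n;
    for (unsigned i = 0; i < n; i++)
        s->out[i].ext = calloc(1, sizeof(struct stream_ext));
}

/* Shrink path of sctp_stream_outq_migrate(): free ext of streams >= outcnt.
 * null_after_free selects the patched behaviour. */
static void outq_migrate(struct stream *s, unsigned outcnt, int null_after_free)
{
    for (unsigned i = outcnt; i < s->outcnt; i++) {
        tracked_kfree(s->out[i].ext);
        if (null_after_free)
            s->out[i].ext = NULL;   /* the line the patch adds */
    }
}

/* Stand-in for sctp_stream_alloc_out(); fail_alloc simulates -ENOMEM. */
static int alloc_out(struct stream *s, unsigned outcnt, int fail_alloc)
{
    if (fail_alloc)
        return -ENOMEM;
    s->outcnt = outcnt;             /* only lowered on success */
    return 0;
}

/* Like sctp_stream_init(): migrate first, then allocate. */
static int stream_init(struct stream *s, unsigned outcnt, int fail_alloc, int fixed)
{
    outq_migrate(s, outcnt, fixed);
    return alloc_out(s, outcnt, fail_alloc);
}

/* Teardown on assoc close: frees ext for every stream below outcnt. */
static void stream_free(struct stream *s)
{
    for (unsigned i = 0; i < s->outcnt; i++) {
        tracked_kfree(s->out[i].ext);
        s->out[i].ext = NULL;
    }
}

/* 4 streams, shrink to 2, allocation fails, then close.
 * Returns how many ext pointers were freed twice. */
int run_scenario(int fixed)
{
    struct stream s;
    reset_tracking();
    stream_setup(&s, 4);
    int rc = stream_init(&s, 2, /*fail_alloc=*/1, fixed);
    (void)rc;                       /* -ENOMEM either way; outcnt stays 4 */
    stream_free(&s);
    return double_frees;
}

int main(void)
{
    printf("unpatched: %d double free(s)\n", run_scenario(0));
    printf("patched:   %d double free(s)\n", run_scenario(1));
    return 0;
}
```

The unpatched run reports two double frees, one for each surplus stream the teardown revisits; the patched run reports none because tracked_kfree, like kfree, returns immediately on NULL. The stale outcnt itself is untouched in both runs, which is why the NULL assignment is what makes the teardown safe.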