Date: Wed, 13 Feb 2019 16:34:26 -0800 (PST)
Message-Id: <20190213.163426.603453137542648612.davem@davemloft.net>
To: lucien.xin@gmail.com
Cc: linux-kernel@vger.kernel.org, netdev@vger.kernel.org, linux-sctp@vger.kernel.org, marcelo.leitner@gmail.com, nhorman@tuxdriver.com
Subject: Re: [PATCH net] sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate
From: David Miller
In-Reply-To: <0cb9e543c21495df48c3723044d6c9f64f238eca.1549968661.git.lucien.xin@gmail.com>
References: <0cb9e543c21495df48c3723044d6c9f64f238eca.1549968661.git.lucien.xin@gmail.com>
From: Xin Long
Date: Tue, 12 Feb 2019 18:51:01 +0800

> In sctp_stream_init(), after sctp_stream_outq_migrate() has freed the
> surplus streams' ext but sctp_stream_alloc_out() returns -ENOMEM,
> stream->outcnt will not be set to 'outcnt'.
>
> With the bigger value on stream->outcnt, when closing the assoc and
> freeing its streams, the ext of those surplus streams will be freed
> again, since those stream exts were not set to NULL after freeing in
> sctp_stream_outq_migrate(). Then the invalid-free issue reported by
> syzbot would be triggered.
>
> We fix it by simply setting them to NULL after freeing.
>
> Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations")
> Reported-by: syzbot+58e480e7b28f2d890bfd@syzkaller.appspotmail.com
> Signed-off-by: Xin Long

Also applied and queued up for -stable, thanks.
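As an added illustration of the sequence the commit message describes (shrink, migrate frees the surplus exts, the allocation fails, the assoc is closed with the old outcnt), the following C model is editor-written and is not code from the patch or from the kernel; the struct layout, the ext_frees counter and the fail_alloc flag are constructed assumptions. With the fix in place, each ext is freed exactly once even on the -ENOMEM path.

```c
#include <errno.h>
#include <stdlib.h>
/* Constructed model of the structures the commit message names; the field
 * layout, the ext_frees counter and fail_alloc are assumptions. */
struct sctp_stream_out_ext { int pad; };
struct sctp_stream_out { struct sctp_stream_out_ext *ext; };
struct sctp_stream { struct sctp_stream_out *out; unsigned int outcnt; };
static int ext_frees; /* real (non-NULL) ext frees, to spot a double free */
/* free(NULL) is a no-op, like kfree(NULL); only real frees are counted. */
static void kfree_ext(struct sctp_stream_out_ext *ext) { if (ext) ext_frees++; free(ext); }

/* Loop from sctp_stream_outq_migrate(): drop the exts of surplus streams. */
static void stream_outq_migrate(struct sctp_stream *s, unsigned int outcnt)
{
    for (unsigned int i = outcnt; i < s->outcnt; i++) {
        kfree_ext(s->out[i].ext);
        s->out[i].ext = NULL; /* the fix: leave no dangling ext pointer */
    }
}

/* Model of sctp_stream_init(): migrate first, then allocate the new out
 * array; fail_alloc stands for sctp_stream_alloc_out() returning -ENOMEM. */
static int stream_init(struct sctp_stream *s, unsigned int outcnt, int fail_alloc)
{
    stream_outq_migrate(s, outcnt);
    if (fail_alloc)
        return -ENOMEM; /* s->outcnt keeps its old, larger value */
    s->outcnt = outcnt;
    return 0;
}

/* Model of sctp_stream_free(): frees every ext below s->outcnt. */
static void stream_free(struct sctp_stream *s)
{
    for (unsigned int i = 0; i < s->outcnt; i++)
        kfree_ext(s->out[i].ext);
    free(s->out);
}

/* Shrinks an assoc with n streams to 'keep' and closes it; returns the number
 * of ext frees, which must equal n (each ext freed exactly once). */
int run_shrink(unsigned int n, unsigned int keep, int fail_alloc)
{
    struct sctp_stream s = { calloc(n, sizeof(*s.out)), n };
    ext_frees = 0;
    for (unsigned int i = 0; i < n; i++)
        s.out[i].ext = calloc(1, sizeof(struct sctp_stream_out_ext));
    stream_init(&s, keep, fail_alloc);
    stream_free(&s);
    return ext_frees;
}
```

Without the `= NULL` line, run_shrink(4, 2, 1) would pass the two surplus exts to kfree_ext() a second time from stream_free(), which is the invalid free syzbot reported.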