Received: by 2002:ac0:b08d:0:0:0:0:0 with SMTP id l13csp4917127imc; Mon, 25 Feb 2019 13:35:11 -0800 (PST) X-Google-Smtp-Source: AHgI3IbzcByJP+pMbNrN0Dw8At2Dnh3GOoLE6qR+5T8Mw2Vd/MUKjJy/I1BOwiYGKl5j3t+OlFo0 X-Received: by 2002:a17:902:aa01:: with SMTP id be1mr22208070plb.60.1551130511047; Mon, 25 Feb 2019 13:35:11 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1551130511; cv=none; d=google.com; s=arc-20160816; b=yZd6HpcX9j2EJcLDzBp425LjhTkz84UVudicF6XMQgsWN1C6mwhXfjEwSA4wIVgjDp P9zEO43QCPktvyUCNhWFfVAILsla3202pQFlSTsIo8AiRlZxrXElvKd8lObdHlu7Qqar SHPbHIqzt7M85IGUVe5H9No0KnRwj05VlNNZkc8Jc4ympy34Ftc0b1PzpHqNoE+oZH4X cEYU2AN7ePwcOvtZIczRTmIL/qlKNn10sxOc3rAg11bHXY4w4kZBMGuxH/WrF+EzDnIE O+xHagk32lPO3ZH6Xc76AmfMS8/EaLSuttebmcOdFHp+I8pRjjgCIBbbqj0D8bpmTJxe v1ug== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=AUCK1XPsaG97aG0Qf02fY1hmTJpc7vCAmRTRvo3A03I=; b=FKTqkj3FKcGWvRXpt0xpcaqWPUilJYhL02n88PMOChZpla5YMtk+ZHa7Ba1/iGyYON K2txYpmniR6hgD9x1aITKA5wM3yizn7YZ/VOstjagY/eqZBzYWAmFTpguzlVE2p72YCu k6JW0Sk5kCEOamcpQfKA4By7fJQ0jb0PEVzFFq6Gv01rMnpi7lSP2I5FJFPKcVuYw56r b5U3sED47gf+TQRUH14ApQVD3NdPa9ZJP2eeSfVXgqRBn4bm6Uoy44yU2NKY9Bhy2uUR 7FxD4R9xewPCyGP9+ylZL4AxD64CfKj4p/rJWKvuXMDLk0ZDg7W9wwe7uFKb4xrFcqLR GgyA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=mYKnJKre; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id 130si10974057pfy.262.2019.02.25.13.34.55; Mon, 25 Feb 2019 13:35:11 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=mYKnJKre; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732668AbfBYVeh (ORCPT + 99 others); Mon, 25 Feb 2019 16:34:37 -0500 Received: from mail.kernel.org ([198.145.29.99]:40748 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1732842AbfBYVed (ORCPT ); Mon, 25 Feb 2019 16:34:33 -0500 Received: from localhost (5356596B.cm-6-7b.dynamic.ziggo.nl [83.86.89.107]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 6DD1620578; Mon, 25 Feb 2019 21:34:32 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1551130472; bh=uOEQX978tudZFHHnTTUDKSbQmu9e8XqWdfpsvOsVgtY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=mYKnJKreM7GAZPRX0M+zooZZAnXUx8DtohivNyZx0ML+WYdXKZcUHAXOFrOUutnex jrIwga9ykoLYkES3O8OJ/G/QaEcJ0k2lU+jxf+cNgM9+nHORPrzikZKVZ2V//IeKuK OePGaHk+KcwOTjFrDqXMCqLOitVuDlE/vEao0mek= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+58e480e7b28f2d890bfd@syzkaller.appspotmail.com, Xin Long , Neil Horman , Marcelo Ricardo Leitner , "David S. Miller" Subject: [PATCH 4.20 131/183] sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate Date: Mon, 25 Feb 2019 22:11:44 +0100 Message-Id: <20190225195116.902590879@linuxfoundation.org> X-Mailer: git-send-email 2.20.1 In-Reply-To: <20190225195054.748060397@linuxfoundation.org> References: <20190225195054.748060397@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review X-Patchwork-Hint: ignore MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.20-stable review patch. If anyone has any objections, please let me know. ------------------ From: Xin Long [ Upstream commit af98c5a78517c04adb5fd68bb64b1ad6fe3d473f ] In sctp_stream_init(), after sctp_stream_outq_migrate() freed the surplus streams' ext, but sctp_stream_alloc_out() returns -ENOMEM, stream->outcnt will not be set to 'outcnt'. With the bigger value on stream->outcnt, when closing the assoc and freeing its streams, the ext of those surplus streams will be freed again since those stream exts were not set to NULL after freeing in sctp_stream_outq_migrate(). Then the invalid-free issue reported by syzbot would be triggered. We fix it by simply setting them to NULL after freeing. Fixes: 5bbbbe32a431 ("sctp: introduce stream scheduler foundations") Reported-by: syzbot+58e480e7b28f2d890bfd@syzkaller.appspotmail.com Signed-off-by: Xin Long Acked-by: Neil Horman Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Greg Kroah-Hartman --- net/sctp/stream.c | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) --- a/net/sctp/stream.c +++ b/net/sctp/stream.c @@ -144,8 +144,10 @@ static void sctp_stream_outq_migrate(str } } - for (i = outcnt; i < stream->outcnt; i++) + for (i = outcnt; i < stream->outcnt; i++) { kfree(SCTP_SO(stream, i)->ext); + SCTP_SO(stream, i)->ext = NULL; + } } static int sctp_stream_alloc_out(struct sctp_stream *stream, __u16 outcnt,