Date: Sun, 29 Mar 2020 21:58:20 -0700 (PDT)
Message-Id: <20200329.215820.1352705339130655350.davem@davemloft.net>
To: hqjagain@gmail.com
Cc: marcelo.leitner@gmail.com, vyasevich@gmail.com, nhorman@tuxdriver.com, kuba@kernel.org, linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, anenbupt@gmail.com
Subject: Re: [PATCH v6] sctp: fix refcount bug in sctp_wfree
From: David Miller
In-Reply-To: <20200327030751.19404-1-hqjagain@gmail.com>
References: <20200327030751.19404-1-hqjagain@gmail.com>
From: Qiujun Huang
Date: Fri, 27 Mar 2020 11:07:51 +0800

> We should iterate over the datamsgs to move
> all chunks (skbs) to newsk.
>
> The following case causes the bug:
> for the trouble SKB, it was in outq->transmitted list
>
> sctp_outq_sack
>         sctp_check_transmitted
>                 SKB was moved to outq->sacked list
>         then throw away the sack queue
>                 SKB was deleted from outq->sacked
>         (but it was held by datamsg at sctp_datamsg_to_asoc
>         So, sctp_wfree was not called here)
>
> then migrate happened
>
>         sctp_for_each_tx_datachunk(
>         sctp_clear_owner_w);
>         sctp_assoc_migrate();
>         sctp_for_each_tx_datachunk(
>         sctp_set_owner_w);
>         SKB was not in the outq, and was not changed to newsk
>
> finally
>
> __sctp_outq_teardown
>         sctp_chunk_put (for another skb)
>                 sctp_datamsg_put
>                         __kfree_skb(msg->frag_list)
>                                 sctp_wfree (for SKB)
>                                         SKB->sk was still oldsk (skb->sk != asoc->base.sk).
>
> Reported-and-tested-by: syzbot+cea71eec5d6de256d54d@syzkaller.appspotmail.com
> Signed-off-by: Qiujun Huang

Applied and queued up for -stable, thanks.
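The ownership invariant the quoted description relies on (every fragment of a datamsg must be charged to the association's current socket, or the eventual write-memory release runs against the wrong socket) can be shown in a small user-space model. The following is an added example written for this page; it is not the kernel patch or any kernel code. The structures and functions (`struct chunk`, `struct datamsg`, `set_owner`, `migrate_queued_only`, `migrate_all_fragments`, `run_migration`) are the model's own names, chosen only to mirror the roles of skb->sk, the datamsg frag_list, sctp_set_owner_w/sctp_clear_owner_w and the migration step. The scenario it constructs is the one from the description: one fragment still queued, a second already SACKed and dropped from the queues but still held by its datamsg.

```c
#include <stdio.h>

/* Toy model, not kernel code: a socket that counts outstanding
 * write-memory charges, fragments (skbs) that record the socket they
 * are charged to, and a datamsg that keeps every fragment of a message
 * whether or not the fragment is still on a transmit queue. */
struct sock {
    int id;
    int wmem_alloc;   /* charges still held against this socket */
};

struct chunk {
    struct sock *sk;      /* like skb->sk: the socket charged for the buffer */
    int in_outq;          /* 1 while on a transmit/retransmit queue */
    struct chunk *next;   /* next fragment in the datamsg's frag_list */
};

struct datamsg {
    struct chunk *frag_list;
    struct datamsg *next;
};

struct assoc {
    struct sock *base_sk;   /* like asoc->base.sk */
    struct datamsg *msgs;   /* every datamsg the association still holds */
};

/* Charge a buffer to a socket (the role sctp_set_owner_w plays). */
static void set_owner(struct chunk *c, struct sock *sk)
{
    c->sk = sk;
    sk->wmem_alloc++;
}

/* Release the charge (the role sctp_clear_owner_w / sctp_wfree play). */
static void clear_owner(struct chunk *c)
{
    c->sk->wmem_alloc--;
    c->sk = NULL;
}

/* Pre-fix behaviour: only fragments still on a queue are re-owned. */
static void migrate_queued_only(struct assoc *a, struct sock *newsk)
{
    for (struct datamsg *m = a->msgs; m; m = m->next)
        for (struct chunk *c = m->frag_list; c; c = c->next)
            if (c->in_outq) {
                clear_owner(c);
                set_owner(c, newsk);
            }
    a->base_sk = newsk;
}

/* Fixed behaviour: walk every datamsg and re-own every fragment. */
static void migrate_all_fragments(struct assoc *a, struct sock *newsk)
{
    for (struct datamsg *m = a->msgs; m; m = m->next)
        for (struct chunk *c = m->frag_list; c; c = c->next) {
            clear_owner(c);
            set_owner(c, newsk);
        }
    a->base_sk = newsk;
}

/* Teardown: release every fragment and count those whose owner is not
 * the association's socket, i.e. the skb->sk != asoc->base.sk case. */
static int teardown_count_mismatches(struct assoc *a)
{
    int mismatches = 0;
    for (struct datamsg *m = a->msgs; m; m = m->next)
        for (struct chunk *c = m->frag_list; c; c = c->next) {
            if (c->sk != a->base_sk)
                mismatches++;
            clear_owner(c);
        }
    return mismatches;
}

/* Constructed scenario: a datamsg with two fragments; c1 is still queued,
 * c2 was SACKed and dropped from the queues but the datamsg holds it.
 * Returns how many fragments reached teardown still owned by oldsk. */
int run_migration(int fixed)
{
    struct sock oldsk = { 1, 0 }, newsk = { 2, 0 };
    struct chunk c1 = { 0 }, c2 = { 0 };
    struct datamsg m = { 0 };
    struct assoc a = { 0 };

    set_owner(&c1, &oldsk); c1.in_outq = 1; c1.next = &c2;
    set_owner(&c2, &oldsk); c2.in_outq = 0;
    m.frag_list = &c1;
    a.msgs = &m;
    a.base_sk = &oldsk;

    if (fixed)
        migrate_all_fragments(&a, &newsk);
    else
        migrate_queued_only(&a, &newsk);
    return teardown_count_mismatches(&a);
}

int main(void)
{
    printf("queued-only migration: %d fragment(s) still owned by oldsk\n", run_migration(0));
    printf("all-fragment migration: %d fragment(s) still owned by oldsk\n", run_migration(1));
    return 0;
}
```

The model only checks the ownership invariant at teardown; it does not reproduce the socket lifetime problem that makes the real mismatch dangerous (the old socket may already be gone when its write memory is released), which is why the kernel fix has to walk the datamsgs rather than the queues.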