Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp274727pxj; Tue, 18 May 2021 03:08:19 -0700 (PDT) X-Google-Smtp-Source: ABdhPJyo977Y7BpRtRsBQ/tn+Pk4BZqitXYd2L2ommDQAa7R6GUR+VMu1kYP0XqHxZaIorKXvw6M X-Received: by 2002:a5e:8c11:: with SMTP id n17mr3490496ioj.53.1621332499259; Tue, 18 May 2021 03:08:19 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621332499; cv=none; d=google.com; s=arc-20160816; b=T+LiUYQRRbE9vP5g4gcLcunwjXp16Vxi1C+YkRWSfVFJjCnGYh3Dn98TS+s6oV8RKl TudRXGfPP7IGsiO+rAr3MXEgV4Tcc4LEiWGmE8YyvPFm2FrSAAq64e4iLUvBB75ed1DW sVjRDQZMwzm60uTJnioiLyeT5OcxprVxyjDq6vXul1IZq3hVHpF9OH302ddtRotGyErm 9krgVeDtxPoBr6k8qIXhaKCDa/piPwM+en043ibtf3UYyhvIoLvrTcQRZXyyOa86Sp3d yq8D9Hypbznl42oa/3EwNXVakD/wjWgO7yby/RixeBZnkVsw/VBtNzBghR/kqdgfY6pz nWcQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=aj9H5mIWW6RquA8YIZuM0oBSMTKjQl1rEXgt+UUWeoM=; b=mHiV53Ej+jO39mBdFgfh2u0BZc9Aa5zqcfO203Lb5opvQk2GBD6lV3WKtuuhzq3mCD y1rGuNtGRt6F3T1S/4Glqhh6PZ+1IoBcFBFX2ZWH0xLjAzg7h/qFlj9NQ1QBaZ6D2WGM +VuRqrSHlui3miobUy/4zyVsfaeKlvR3WqyDq4pdlC6o6I2Sf30EeRWLEZ0yoa06qThx UkUMTlBRlTzoOB9BmlrqetpjwzRkpSNw1KbATSDwSgwmRGWS/SY/3SXgopsjU+85NRja GlnU3NcQtunYrIaqgj1oaD7NAZW7LsyrdBz1pl0Ep7GXPgEsiKP6yBIx1DyP31143Lx0 2AQQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=SFa1PcJs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id q13si19270643ilj.21.2021.05.18.03.08.06; Tue, 18 May 2021 03:08:19 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=SFa1PcJs; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S240897AbhEQPLz (ORCPT + 99 others); Mon, 17 May 2021 11:11:55 -0400 Received: from mail.kernel.org ([198.145.29.99]:59930 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S241553AbhEQPCa (ORCPT ); Mon, 17 May 2021 11:02:30 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 98209616EA; Mon, 17 May 2021 14:27:35 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621261656; bh=pUWGoNeo9BHCRf7uSSE77Tgyy0YOuSCKUGbfrkfoDCY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=SFa1PcJsEPpEV3744RNToqLBS1wPJVetzOa9udfFKmyh6WXOiRntSPmiRtS5BOgx+ jGiyYJWUZt3xOGT7uv/J348ahH8rDitkIv5pagdi3mbnO1j1MeqR8d+0xGuWh4bdMR cRrs3/FwVCrwsdNmEXWmGd5rdif8qbFGXVS8G6JI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexander Sverdlin , syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com, Michal Tesar , Xin Long , Marcelo Ricardo Leitner , "David S. Miller" , Sasha Levin Subject: [PATCH 5.4 072/141] sctp: do asoc update earlier in sctp_sf_do_dupcook_a Date: Mon, 17 May 2021 16:02:04 +0200 Message-Id: <20210517140245.205150788@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210517140242.729269392@linuxfoundation.org> References: <20210517140242.729269392@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long [ Upstream commit 35b4f24415c854cd718ccdf38dbea6297f010aae ] There's a panic that occurs in a few of envs, the call trace is as below: [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp] [] sctp_assoc_control_transport+0x1b9/0x210 [sctp] [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp] [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp] [] sctp_do_sm+0xc3/0x2a0 [sctp] [] sctp_generate_timeout_event+0x81/0xf0 [sctp] This is caused by a transport use-after-free issue. When processing a duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK and SHUTDOWN chunks are allocated with the transort from the new asoc. However, later in the sideeffect machine, the old asoc is used to send them out and old asoc's shutdown_last_sent_to is set to the transport that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually belongs to the new asoc. After the new_asoc is freed and the old asoc T2 timeout, the old asoc's shutdown_last_sent_to that is already freed would be accessed in sctp_sf_t2_timer_expire(). Thanks Alexander and Jere for helping dig into this issue. To fix it, this patch is to do the asoc update first, then allocate the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This would make more sense, as a chunk from an asoc shouldn't be sent out with another asoc. We had fixed quite a few issues caused by this. Fixes: 145cb2f7177d ("sctp: Fix bundling of SHUTDOWN with COOKIE-ACK") Reported-by: Alexander Sverdlin Reported-by: syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com Reported-by: Michal Tesar Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/sctp/sm_statefuns.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index 84138a07e936..72e4eaffacdb 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -1841,20 +1841,35 @@ static enum sctp_disposition sctp_sf_do_dupcook_a( SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); - repl = sctp_make_cookie_ack(new_asoc, chunk); + /* Update the content of current association. */ + if (sctp_assoc_update((struct sctp_association *)asoc, new_asoc)) { + struct sctp_chunk *abort; + + abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); + if (abort) { + sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); + } + sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); + sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, + SCTP_PERR(SCTP_ERROR_RSRC_LOW)); + SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); + SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); + goto nomem; + } + + repl = sctp_make_cookie_ack(asoc, chunk); if (!repl) goto nomem; /* Report association restart to upper layer. */ ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, - new_asoc->c.sinit_num_ostreams, - new_asoc->c.sinit_max_instreams, + asoc->c.sinit_num_ostreams, + asoc->c.sinit_max_instreams, NULL, GFP_ATOMIC); if (!ev) goto nomem_ev; - /* Update the content of current association. */ - sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); if ((sctp_state(asoc, SHUTDOWN_PENDING) || sctp_state(asoc, SHUTDOWN_SENT)) && -- 2.30.2