Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp373679pxj; Tue, 18 May 2021 05:28:53 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwzyNKuHModw/eDilycgCiHXEmDB6Z92lnUSUGYnp2ZAcF2vPAUHtxYcCCK0BORe2qXPVr5 X-Received: by 2002:aa7:d801:: with SMTP id v1mr6778988edq.349.1621340933552; Tue, 18 May 2021 05:28:53 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621340933; cv=none; d=google.com; s=arc-20160816; b=hLSsflFmZQodJ3MAUve3UP3TpLa6b8l/Chs0jlRNfROKtP3nLwW5Tg0lfk0lpN34sC mx1guwONDoOFPartmKA2kmbpzT1L3KNoi8h7Ui212g1euMvxQucmYz7zszbE1/8LyXQW FqfgCDsf+MUqdJ95OkImQmhxee6d98yA4PctWqbG2PObteD98pw5W7RfR98r+hjbk0OW KdlzYAYFGxu7vqj2XZAe7fwA+U1hPitxSzxP9AucBkbGn4wId0go/jukikya7362do1J 6m9S7a1fSzXVPM/9FfhRPEENh8/qufK7slGb7lJbsfq+SH/FmF/QemerCYqQ4nJLdiPn 9uvw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=ZnaHIze/dHRuuZUYS9Vogg5laukwCIhjvhoZTjc58Gg=; b=OIlbtlNm+Qd53NwoBgbbWXnmA/oGfMIHqPxC4LR+Gbr7uSLvoDP3RFN/JOorZoUyPj +GUB5Z/JiSPhQM8iPk8/wYSkvR1k/jdCxd5I3X3GJzRDcLNJJtx8j3zkQBitt15DrjED 8s8Uk91ix8RvZ2BrW8Xq+9v2Otv4h5BvTQeyVpjA2Qu2ASkgLFVRqyAZb5xdRdPVp8NU aHpRybT+dfOY9LPLOnzK7HI5aZBkIY8wmtZ/1N0qP+3Ke+V+RbnHzci8LWeMqDE1o59R 3FNgGYMIN4cySQts5QJSJQ/du98z7ITu0+z4g8aoKxh2VHxQ4gSjKaSp5mNVcyBjYbO3 Krfg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uwYuN3zE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id i2si20264535ejp.181.2021.05.18.05.28.03; Tue, 18 May 2021 05:28:53 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=uwYuN3zE; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S244242AbhEQP10 (ORCPT + 99 others); Mon, 17 May 2021 11:27:26 -0400 Received: from mail.kernel.org ([198.145.29.99]:39786 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S243123AbhEQPNP (ORCPT ); Mon, 17 May 2021 11:13:15 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id D4E9D61263; Mon, 17 May 2021 14:31:38 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621261899; bh=XRbHs93sm3GJ7gPHs6x49J65cQWND6a7iJjf3IL7raU=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=uwYuN3zECVK0WCXW61MvoMPrx6ZMbqO0c3920iQ2N5eX156tIYB10dWNIiSNdgGrn 0fQ6F7ruMuFARMEhzwp5Q0gMVeL3m9gxgT1r6cyTCqjFgBcR+56j/M5qKul6WsFBoa z++6xrcpIW3YP6RznxQ9WlpzRcIYNkUBbO3KrcLo= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexander Sverdlin , syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com, Michal Tesar , Xin Long , Marcelo Ricardo Leitner , "David S. Miller" , Sasha Levin Subject: [PATCH 5.11 184/329] sctp: do asoc update earlier in sctp_sf_do_dupcook_a Date: Mon, 17 May 2021 16:01:35 +0200 Message-Id: <20210517140308.349782793@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210517140302.043055203@linuxfoundation.org> References: <20210517140302.043055203@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long [ Upstream commit 35b4f24415c854cd718ccdf38dbea6297f010aae ] There's a panic that occurs in a few of envs, the call trace is as below: [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp] [] sctp_assoc_control_transport+0x1b9/0x210 [sctp] [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp] [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp] [] sctp_do_sm+0xc3/0x2a0 [sctp] [] sctp_generate_timeout_event+0x81/0xf0 [sctp] This is caused by a transport use-after-free issue. When processing a duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK and SHUTDOWN chunks are allocated with the transort from the new asoc. However, later in the sideeffect machine, the old asoc is used to send them out and old asoc's shutdown_last_sent_to is set to the transport that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually belongs to the new asoc. After the new_asoc is freed and the old asoc T2 timeout, the old asoc's shutdown_last_sent_to that is already freed would be accessed in sctp_sf_t2_timer_expire(). Thanks Alexander and Jere for helping dig into this issue. To fix it, this patch is to do the asoc update first, then allocate the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This would make more sense, as a chunk from an asoc shouldn't be sent out with another asoc. We had fixed quite a few issues caused by this. Fixes: 145cb2f7177d ("sctp: Fix bundling of SHUTDOWN with COOKIE-ACK") Reported-by: Alexander Sverdlin Reported-by: syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com Reported-by: Michal Tesar Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/sctp/sm_statefuns.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index af2b7041fa4e..c7138f85f18f 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -1852,20 +1852,35 @@ static enum sctp_disposition sctp_sf_do_dupcook_a( SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); - repl = sctp_make_cookie_ack(new_asoc, chunk); + /* Update the content of current association. */ + if (sctp_assoc_update((struct sctp_association *)asoc, new_asoc)) { + struct sctp_chunk *abort; + + abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); + if (abort) { + sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); + } + sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); + sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, + SCTP_PERR(SCTP_ERROR_RSRC_LOW)); + SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); + SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); + goto nomem; + } + + repl = sctp_make_cookie_ack(asoc, chunk); if (!repl) goto nomem; /* Report association restart to upper layer. */ ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, - new_asoc->c.sinit_num_ostreams, - new_asoc->c.sinit_max_instreams, + asoc->c.sinit_num_ostreams, + asoc->c.sinit_max_instreams, NULL, GFP_ATOMIC); if (!ev) goto nomem_ev; - /* Update the content of current association. */ - sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); if ((sctp_state(asoc, SHUTDOWN_PENDING) || sctp_state(asoc, SHUTDOWN_SENT)) && -- 2.30.2