Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp479721pxj; Tue, 18 May 2021 07:39:22 -0700 (PDT) X-Google-Smtp-Source: ABdhPJwsmIvAV2KgqCSSxtAGF/PI4Gy5dIXILk/uw8QHTCUdlXRdO1EkWnMpCtlIQ3Wia0LUtTU9 X-Received: by 2002:a05:6402:752:: with SMTP id p18mr7550868edy.127.1621348761991; Tue, 18 May 2021 07:39:21 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1621348761; cv=none; d=google.com; s=arc-20160816; b=qfN0GZpP2pMYR68HIsrksFkfhrec4a3nFQHWKRB0pWELxf4oRn/UuxAcTyIyfq22ky g//tHUuZ32Vf8V4CjFfKkVYqLUSnbeWMsAjLQH0yFbCR+cPQnTaGyaSrUywXfBbLJ7uX dLR3nS3eRiJewoODzwL4wjZMQGjc0HgBomaOuk4JhR7KelHo2FlrtMIdCoQmbVivVgF3 0YdoCXjcHeeHooETLr0bH6vJegXKpRLQKd7TpCYzIzr3fz3skXyuEC+MdrwT3/IahUPD tvG3wtCWYZ2N9Srp0iEoJxzz7Ed36UHLrmNyGnnqd+56MCiW0jtvfE83NluZB82SHKEg LqEg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=xbbnkpu+QgibYzXQqzST8YQuEtBEUqMNd1BLOLc/nZo=; b=Rv24owZLO/bmpfNJ3HBEVl5bD8gXlKnnIMsFck7M5X0EqTEFxjEnghVZM56US8f26Q A/ghvg585OKYGr1vACZKiVnLjorvUQZhmBxUBlVRMSTflhQaYGRFZ8dpMKUUcTqPjJrj A7+HWzmRHJvW6oD9PBHx2k7wl3Gm11V/sl7rFOlsoyOJuU+/MDNG6E7hmBYKC+Ne3ikO 5qIRwn47sl7+Z9EhMr5TV9/qhO7/MBAW2wE0O42BUDOTzuAQK9ke8afgiVV9pOvLRjIa mDCpUWNgmJ62B4reSCLuBH4yM7wDZyCOOEsNudqVgYnLbDSKYfUVtHrwBVboKSsw4zqq hL0Q== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=qffwrYGv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id jo3si15039010ejb.468.2021.05.18.07.38.57; Tue, 18 May 2021 07:39:21 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=qffwrYGv; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1345012AbhEQPqN (ORCPT + 99 others); Mon, 17 May 2021 11:46:13 -0400 Received: from mail.kernel.org ([198.145.29.99]:55328 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S245711AbhEQPak (ORCPT ); Mon, 17 May 2021 11:30:40 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 827B261CC6; Mon, 17 May 2021 14:37:55 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org; s=korg; t=1621262276; bh=LZCEnm9NB9U9B4/KYQpKAs87+dvRddvV2u9Natqp5cg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=qffwrYGvMqTmcoeLm56H/G5i8FoXtg2oQnfihIY/OJkWmrk9ANXgFl4/lZynZlY9f ZmvU7rjZwQr6WA8tyH/0g3A78OMo6MfQVdV9AEkXqb/Sl/JuB+LpVXFQUNq2tN/j3y Ig1AdAsBmrvqPRzkjpecN/9yWT8E1PShJk8Of4j8= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Alexander Sverdlin , syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com, Michal Tesar , Xin Long , Marcelo Ricardo Leitner , "David S. Miller" , Sasha Levin Subject: [PATCH 5.10 151/289] sctp: do asoc update earlier in sctp_sf_do_dupcook_a Date: Mon, 17 May 2021 16:01:16 +0200 Message-Id: <20210517140310.229724665@linuxfoundation.org> X-Mailer: git-send-email 2.31.1 In-Reply-To: <20210517140305.140529752@linuxfoundation.org> References: <20210517140305.140529752@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Xin Long [ Upstream commit 35b4f24415c854cd718ccdf38dbea6297f010aae ] There's a panic that occurs in a few of envs, the call trace is as below: [] general protection fault, ... 0x29acd70f1000a: 0000 [#1] SMP PTI [] RIP: 0010:sctp_ulpevent_notify_peer_addr_change+0x4b/0x1fa [sctp] [] sctp_assoc_control_transport+0x1b9/0x210 [sctp] [] sctp_do_8_2_transport_strike.isra.16+0x15c/0x220 [sctp] [] sctp_cmd_interpreter.isra.21+0x1231/0x1a10 [sctp] [] sctp_do_sm+0xc3/0x2a0 [sctp] [] sctp_generate_timeout_event+0x81/0xf0 [sctp] This is caused by a transport use-after-free issue. When processing a duplicate COOKIE-ECHO chunk in sctp_sf_do_dupcook_a(), both COOKIE-ACK and SHUTDOWN chunks are allocated with the transort from the new asoc. However, later in the sideeffect machine, the old asoc is used to send them out and old asoc's shutdown_last_sent_to is set to the transport that SHUTDOWN chunk attached to in sctp_cmd_setup_t2(), which actually belongs to the new asoc. After the new_asoc is freed and the old asoc T2 timeout, the old asoc's shutdown_last_sent_to that is already freed would be accessed in sctp_sf_t2_timer_expire(). Thanks Alexander and Jere for helping dig into this issue. To fix it, this patch is to do the asoc update first, then allocate the COOKIE-ACK and SHUTDOWN chunks with the 'updated' old asoc. This would make more sense, as a chunk from an asoc shouldn't be sent out with another asoc. We had fixed quite a few issues caused by this. Fixes: 145cb2f7177d ("sctp: Fix bundling of SHUTDOWN with COOKIE-ACK") Reported-by: Alexander Sverdlin Reported-by: syzbot+bbe538efd1046586f587@syzkaller.appspotmail.com Reported-by: Michal Tesar Signed-off-by: Xin Long Acked-by: Marcelo Ricardo Leitner Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/sctp/sm_statefuns.c | 25 ++++++++++++++++++++----- 1 file changed, 20 insertions(+), 5 deletions(-) diff --git a/net/sctp/sm_statefuns.c b/net/sctp/sm_statefuns.c index c669f8bd1eab..d4d268b8b8aa 100644 --- a/net/sctp/sm_statefuns.c +++ b/net/sctp/sm_statefuns.c @@ -1841,20 +1841,35 @@ static enum sctp_disposition sctp_sf_do_dupcook_a( SCTP_TO(SCTP_EVENT_TIMEOUT_T4_RTO)); sctp_add_cmd_sf(commands, SCTP_CMD_PURGE_ASCONF_QUEUE, SCTP_NULL()); - repl = sctp_make_cookie_ack(new_asoc, chunk); + /* Update the content of current association. */ + if (sctp_assoc_update((struct sctp_association *)asoc, new_asoc)) { + struct sctp_chunk *abort; + + abort = sctp_make_abort(asoc, NULL, sizeof(struct sctp_errhdr)); + if (abort) { + sctp_init_cause(abort, SCTP_ERROR_RSRC_LOW, 0); + sctp_add_cmd_sf(commands, SCTP_CMD_REPLY, SCTP_CHUNK(abort)); + } + sctp_add_cmd_sf(commands, SCTP_CMD_SET_SK_ERR, SCTP_ERROR(ECONNABORTED)); + sctp_add_cmd_sf(commands, SCTP_CMD_ASSOC_FAILED, + SCTP_PERR(SCTP_ERROR_RSRC_LOW)); + SCTP_INC_STATS(net, SCTP_MIB_ABORTEDS); + SCTP_DEC_STATS(net, SCTP_MIB_CURRESTAB); + goto nomem; + } + + repl = sctp_make_cookie_ack(asoc, chunk); if (!repl) goto nomem; /* Report association restart to upper layer. */ ev = sctp_ulpevent_make_assoc_change(asoc, 0, SCTP_RESTART, 0, - new_asoc->c.sinit_num_ostreams, - new_asoc->c.sinit_max_instreams, + asoc->c.sinit_num_ostreams, + asoc->c.sinit_max_instreams, NULL, GFP_ATOMIC); if (!ev) goto nomem_ev; - /* Update the content of current association. */ - sctp_add_cmd_sf(commands, SCTP_CMD_UPDATE_ASSOC, SCTP_ASOC(new_asoc)); sctp_add_cmd_sf(commands, SCTP_CMD_EVENT_ULP, SCTP_ULPEVENT(ev)); if ((sctp_state(asoc, SHUTDOWN_PENDING) || sctp_state(asoc, SHUTDOWN_SENT)) && -- 2.30.2