Xin Long 6910e25de2 sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg ...

In Commit 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too"),
it held the chunk in sctp_ulpevent_make_rcvmsg to access it safely later
in recvmsg. However, it also added sctp_chunk_put in fail_mark err path,
which is only triggered before holding the chunk.

syzbot reported a use-after-free crash happened on this err path, where
it shouldn't call sctp_chunk_put.

This patch simply removes this call.

Fixes: 1f45f78f8e51 ("sctp: allow GSO frags to access the chunk too")
Reported-by: syzbot+141d898c5f24489db4aa@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

2018-05-10 17:48:36 -04:00

..

associola.c

sctp: delay the authentication for the duplicated cookie-echo chunk

2018-05-07 23:39:10 -04:00

auth.c

sctp: add SCTP_AUTH_FREE_KEY type for AUTHENTICATION_EVENT

2018-03-14 13:48:27 -04:00

bind_addr.c

sctp: remove the typedef sctp_scope_t

2017-08-06 21:33:41 -07:00

chunk.c

selinux/stable-4.17 PR 20180403

2018-04-06 15:39:26 -07:00

debug.c

sctp: add SCTP_CID_I_DATA and SCTP_CID_I_FWD_TSN conversion in sctp_cname

2018-02-12 11:40:01 -05:00

diag.c

sctp: add file comments in diag.c

2018-02-13 13:56:31 -05:00

endpointola.c

sctp: remove unnecessary asoc in sctp_has_association

2018-03-27 10:22:11 -04:00

input.c

sctp: remove unnecessary asoc in sctp_has_association

2018-03-27 10:22:11 -04:00

inqueue.c

sctp: fix the issue that the cookie-ack with auth can't get processed

2018-05-02 11:15:33 -04:00

ipv6.c

sctp: handle two v4 addrs comparison in sctp_inet6_cmp_addr

2018-04-27 13:21:50 -04:00

Kconfig

net: sctp: Remove debug SCTP probe module

2018-01-02 14:27:29 -05:00

Makefile

sctp: rename sctp_diag.c as diag.c

2018-02-13 13:56:31 -05:00

objcnt.c

sctp: use proc_remove_subtree()

2018-03-17 20:11:22 -04:00

offload.c

net: use skb_is_gso_sctp() instead of open-coding

2018-03-09 11:41:47 -05:00

output.c

selinux/stable-4.17 PR 20180403

2018-04-06 15:39:26 -07:00

outqueue.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2018-01-17 00:10:42 -05:00

primitive.c

sctp: remove the typedef sctp_subtype_t

2017-08-06 21:33:42 -07:00

proc.c

net: Use octal not symbolic permissions

2018-03-26 12:07:48 -04:00

protocol.c

selinux/stable-4.17 PR 20180403

2018-04-06 15:39:26 -07:00

sm_make_chunk.c

sctp: fix spelling mistake: "max_retans" -> "max_retrans"

2018-05-10 15:23:50 -04:00

sm_sideeffect.c

sctp: add SCTP_AUTH_NO_AUTH type for AUTHENTICATION_EVENT

2018-03-14 13:48:27 -04:00

sm_statefuns.c

sctp: delay the authentication for the duplicated cookie-echo chunk

2018-05-07 23:39:10 -04:00

sm_statetable.c

sctp: implement validate_ftsn for sctp_stream_interleave

2017-12-15 13:52:22 -05:00

socket.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2018-04-09 17:04:10 -07:00

stream_interleave.c

sctp: remove the left unnecessary check for chunk in sctp_renege_events

2018-02-16 16:32:37 -05:00

stream_sched_prio.c

sctp: remove extern from stream sched

2017-11-28 11:00:13 -05:00

stream_sched_rr.c

sctp: remove extern from stream sched

2017-11-28 11:00:13 -05:00

stream_sched.c

sctp: add stream interleave support in stream scheduler

2017-12-15 13:52:22 -05:00

stream.c

sctp: clear the new asoc's stream outcnt in sctp_stream_update

2018-04-27 13:34:34 -04:00

sysctl.c

sctp: support sysctl to allow users to use stream interleave

2017-12-15 13:52:22 -05:00

transport.c

sctp: fix the handling of ICMP Frag Needed for too small MTUs

2018-01-08 14:19:13 -05:00

tsnmap.c

sctp: Fix FSF address in file headers

2013-12-06 12:37:56 -05:00

ulpevent.c

sctp: remove sctp_chunk_put from fail_mark err path in sctp_ulpevent_make_rcvmsg

2018-05-10 17:48:36 -04:00

ulpqueue.c

Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net

2017-12-22 11:16:31 -05:00