| author | Xin Long <lucien.xin@gmail.com> | 2016-10-31 08:32:31 -0400 |
|---|---|---|
| committer | David S. Miller <davem@davemloft.net> | 2016-10-31 16:20:32 -0400 |
| commit | cd26da4ff4eb7189921d4e7ad87e8adebb7b416b (patch) | |
| tree | 15e1db16d4528e66c85ede29ffc844cda7607aed /net | |
| parent | 87557efc27f6a50140fb20df06a917f368ce3c66 (diff) | |
sctp: hold transport instead of assoc in sctp_diag

In sctp_transport_lookup_process(), commit 1cceda784980 ("sctp: fix
the issue sctp_diag uses lock_sock in rcu_read_lock") moved cb() out
of rcu lock, but it put transport and held assoc instead, and ignored
that cb() still uses transport. It may cause a use-after-free issue.
This patch is to hold transport instead of assoc there.

Fixes: 1cceda784980 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
| -rw-r--r-- | net/sctp/socket.c | 5 |
1 files changed, 1 insertions, 4 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c index 9fbb6feb8c27..71b75f9d9c1b 100644 --- a/net/sctp/socket.c +++ b/net/sctp/socket.c | |||
| @@ -4480,12 +4480,9 @@ int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *), | |||
| 4480 | if (!transport || !sctp_transport_hold(transport)) | 4480 | if (!transport || !sctp_transport_hold(transport)) |
| 4481 | goto out; | 4481 | goto out; |
| 4482 | 4482 | ||
| 4483 | sctp_association_hold(transport->asoc); | ||
| 4484 | sctp_transport_put(transport); | ||
| 4485 | |||
| 4486 | rcu_read_unlock(); | 4483 | rcu_read_unlock(); |
| 4487 | err = cb(transport, p); | 4484 | err = cb(transport, p); |
| 4488 | sctp_association_put(transport->asoc); | 4485 | sctp_transport_put(transport); |
| 4489 | 4486 | ||
| 4490 | out: | 4487 | out: |
| 4491 | return err; | 4488 | return err; |
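Review bot: with sctp_association_hold(transport->asoc) dropped, nothing in this hunk shows what keeps transport->asoc valid while cb(transport, p) runs after rcu_read_unlock() at new line 4483, and the changelog only argues about the transport itself. Please state in the commit message, or in a short comment above the cb() call, that the reference taken by sctp_transport_hold() at line 4480 also covers the association for callbacks that dereference transport->asoc. It is also worth noting in the changelog that the old line 4488 read transport->asoc after sctp_transport_put(transport) had already run, so the put path itself touched a transport it no longer held, not only cb(). The new ordering (hold, unlock, cb, sctp_transport_put) fixes both, and the put at new line 4485 is correctly placed before the out: label so the early "goto out" path, where no reference was taken, does not drop one.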
