4.9-stable patches
authorGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Apr 2017 13:18:21 +0000 (15:18 +0200)
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>
Wed, 19 Apr 2017 13:18:21 +0000 (15:18 +0200)
added patches:
sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch

queue-4.9/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch [new file with mode: 0644]
queue-4.9/series

diff --git a/queue-4.9/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch b/queue-4.9/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch
new file mode 100644 (file)
index 0000000..ef2619a
--- /dev/null
@@ -0,0 +1,66 @@
+From dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 Mon Sep 17 00:00:00 2001
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Date: Thu, 23 Feb 2017 09:31:18 -0300
+Subject: sctp: deny peeloff operation on asocs with threads sleeping on it
+
+From: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+
+commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 upstream.
+
+commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+attempted to avoid a BUG_ON call when the association being used for a
+sendmsg() is blocked waiting for more sndbuf and another thread did a
+peeloff operation on such asoc, moving it to another socket.
+
+As Ben Hutchings noticed, then in such case it would return without
+locking back the socket and would cause two unlocks in a row.
+
+Further analysis also revealed that it could allow a double free if the
+application managed to peeloff the asoc that is created during the
+sendmsg call, because then sctp_sendmsg() would try to free the asoc
+that was created only for that call.
+
+This patch takes another approach. It will deny the peeloff operation
+if there is a thread sleeping on the asoc, so this situation doesn't
+exist anymore. This avoids the issues described above and also honors
+the syscalls that are already being handled (it can be multiple sendmsg
+calls).
+
+Joint work with Xin Long.
+
+Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf")
+Cc: Alexander Popov <alex.popov@linux.com>
+Cc: Ben Hutchings <ben@decadent.org.uk>
+Signed-off-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
+Signed-off-by: Xin Long <lucien.xin@gmail.com>
+Signed-off-by: David S. Miller <davem@davemloft.net>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+
+---
+ net/sctp/socket.c |    8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+--- a/net/sctp/socket.c
++++ b/net/sctp/socket.c
+@@ -4735,6 +4735,12 @@ int sctp_do_peeloff(struct sock *sk, sct
+       if (!asoc)
+               return -EINVAL;
++      /* If there is a thread waiting on more sndbuf space for
++       * sending on this asoc, it cannot be peeled.
++       */
++      if (waitqueue_active(&asoc->wait))
++              return -EBUSY;
++
+       /* An association cannot be branched off from an already peeled-off
+        * socket, nor is this supported for tcp style sockets.
+        */
+@@ -7427,8 +7433,6 @@ static int sctp_wait_for_sndbuf(struct s
+                */
+               release_sock(sk);
+               current_timeo = schedule_timeout(current_timeo);
+-              if (sk != asoc->base.sk)
+-                      goto do_error;
+               lock_sock(sk);
+               *timeo_p = current_timeo;
index d320749ace4f6d66f331a77872c6a8ff0113c126..9e2b4b30390a8314de5832df40969d41d6fa1a9c 100644 (file)
@@ -66,3 +66,4 @@ dvb-usb-firmware-don-t-do-dma-on-stack.patch
 cxusb-use-a-dma-capable-buffer-also-for-reading.patch
 virtio-console-avoid-dma-from-stack.patch
 net-ipv6-check-route-protocol-when-deleting-routes.patch
+sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch