From: Greg Kroah-Hartman Date: Wed, 19 Apr 2017 13:17:55 +0000 (+0200) Subject: 3.18 patch X-Git-Tag: v4.4.63~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d5c35481ad9a7869854af97d2aebd183a70c7d30;p=thirdparty%2Fkernel%2Fstable-queue.git 3.18 patch --- diff --git a/queue-3.18/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch b/queue-3.18/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch new file mode 100644 index 00000000000..f8df6c0ae05 --- /dev/null +++ b/queue-3.18/sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch 
@@ -0,0 +1,66 @@ +From dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 Mon Sep 17 00:00:00 2001 +From: Marcelo Ricardo Leitner +Date: Thu, 23 Feb 2017 09:31:18 -0300 +Subject: sctp: deny peeloff operation on asocs with threads sleeping on it + +From: Marcelo Ricardo Leitner + +commit dfcb9f4f99f1e9a49e43398a7bfbf56927544af1 upstream. + +commit 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf") +attempted to avoid a BUG_ON call when the association being used for a +sendmsg() is blocked waiting for more sndbuf and another thread did a +peeloff operation on such asoc, moving it to another socket. + +As Ben Hutchings noticed, then in such case it would return without +locking back the socket and would cause two unlocks in a row. + +Further analysis also revealed that it could allow a double free if the +application managed to peeloff the asoc that is created during the +sendmsg call, because then sctp_sendmsg() would try to free the asoc +that was created only for that call. + +This patch takes another approach. It will deny the peeloff operation +if there is a thread sleeping on the asoc, so this situation doesn't +exist anymore. This avoids the issues described above and also honors +the syscalls that are already being handled (it can be multiple sendmsg +calls). + +Joint work with Xin Long. + +Fixes: 2dcab5984841 ("sctp: avoid BUG_ON on sctp_wait_for_sndbuf") +Cc: Alexander Popov +Cc: Ben Hutchings +Signed-off-by: Marcelo Ricardo Leitner +Signed-off-by: Xin Long +Signed-off-by: David S. Miller +Signed-off-by: Greg Kroah-Hartman + +--- + net/sctp/socket.c | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +--- a/net/sctp/socket.c ++++ b/net/sctp/socket.c +@@ -4433,6 +4433,12 @@ int sctp_do_peeloff(struct sock *sk, sct + if (!asoc) + return -EINVAL; + ++ /* If there is a thread waiting on more sndbuf space for ++ * sending on this asoc, it cannot be peeled. 
++ */ ++ if (waitqueue_active(&asoc->wait)) ++ return -EBUSY; ++ + /* An association cannot be branched off from an already peeled-off + * socket, nor is this supported for tcp style sockets. + */ +@@ -6965,8 +6971,6 @@ static int sctp_wait_for_sndbuf(struct s + */ + release_sock(sk); + current_timeo = schedule_timeout(current_timeo); +- if (sk != asoc->base.sk) +- goto do_error; + lock_sock(sk); + + *timeo_p = current_timeo; diff --git a/queue-3.18/series b/queue-3.18/series index d1703d83b0e..56a9e951bfd 100644 --- a/queue-3.18/series +++ b/queue-3.18/series @@ -62,3 +62,4 @@ rtl8150-use-heap-buffers-for-all-register-access.patch catc-combine-failure-cleanup-code-in-catc_probe.patch catc-use-heap-buffer-for-memory-size-test.patch net-ipv6-check-route-protocol-when-deleting-routes.patch +sctp-deny-peeloff-operation-on-asocs-with-threads-sleeping-on-it.patch
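Review bot: the new `waitqueue_active(&asoc->wait)` check in sctp_do_peeloff() is only race-free if the peeloff caller and the sleeper in sctp_wait_for_sndbuf() are serialized by the socket lock: the second hunk shows the waiter wrapping schedule_timeout() in release_sock(sk) / lock_sock(sk), so a sleeper already queued on asoc->wait is seen by the check, but a sender that enqueues after the check and before the move would not be. Please confirm that sctp_do_peeloff() is always entered under lock_sock() and that the add to asoc->wait happens before release_sock(), and state that in the new comment, since waitqueue_active() without such serialization (or a barrier) is a known pitfall. Separately, -EBUSY is a new errno surfaced to userspace through the peeloff socket option; the description should mention it so callers know the operation is retryable once the sender wakes.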
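Review bot: dropping `if (sk != asoc->base.sk) goto do_error;` removes the only check between release_sock(sk) and lock_sock(sk) that detected the asoc being moved to another socket, so correctness now rests entirely on the -EBUSY refusal added in sctp_do_peeloff(). The removed lines do confirm the problem the message describes (the goto jumped over lock_sock(sk), leaving the socket unlocked on the error path), so removing them rather than patching the unlock is the right call, but the description should state explicitly that peeloff is the only path that can re-home an asoc while a sender sleeps; if any other path can change asoc->base.sk, this function would now continue on a stale sk after waking.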