Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

sctp: hold transport instead of assoc in sctp_diag

In sctp_transport_lookup_process(), Commit 1cceda784980 ("sctp: fix
the issue sctp_diag uses lock_sock in rcu_read_lock") moved cb() out
of the rcu lock, but it put transport and held assoc instead, and ignored
that cb() still uses transport. It may cause a use-after-free issue.

This patch is to hold transport instead of assoc there.

Fixes: 1cceda784980 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

Authored by Xin Long, committed by David S. Miller
cd26da4f 87557efc

+1 -4
net/sctp/socket.c
··· 4480 4480 if (!transport || !sctp_transport_hold(transport)) 4481 4481 goto out; 4482 4482 4483 - sctp_association_hold(transport->asoc); 4484 - sctp_transport_put(transport); 4485 - 4486 4483 rcu_read_unlock(); 4487 4484 err = cb(transport, p); 4488 - sctp_association_put(transport->asoc); 4485 + sctp_transport_put(transport); 4489 4486 4490 4487 out: 4491 4488 return err;
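Review bot: the removed sctp_association_hold()/sctp_association_put() pair means the callback now runs with only the transport reference taken before rcu_read_unlock(), so cb()'s use of `transport->asoc` (if any) implicitly relies on the held transport keeping its association alive; that assumption should be stated in the commit message, since it is the reason dropping the assoc hold is safe and not just a simplification. The reordering itself is right for the stated bug: `sctp_transport_put(transport)` moving from before rcu_read_unlock() to after `err = cb(transport, p);` is exactly what covers the callback's dereference of `transport`.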