From: Neil Horman <nhor...@tuxdriver.com>
Date: Mon, 12 Mar 2018 14:15:25 -0400

> syzbot/kasan detected a double free in sctp_sendmsg_to_asoc:
>
> BUG: KASAN: use-after-free in sctp_association_free+0x7b7/0x930
> net/sctp/associola.c:332
> Read of size 8 at addr ffff8801d8006ae0 by task syzkaller914861/4202
...
> This was introduced by commit:
> f84af33 sctp: factor out sctp_sendmsg_to_asoc from sctp_sendmsg
>
> As the newly refactored function moved the wait_for_sndbuf call to a
> point after the association was connected, allowing for peeloff events
> to occur, which in turn caused wait_for_sndbuf to return -EPIPE which
> was not caught by the logic that determines if an association should be
> freed or not.
>
> Fix it the easy way by returning the ordering of
> sctp_primitive_ASSOCIATE and sctp_wait_for_sndbuf to the old order, to
> ensure that EPIPE will not happen.
>
> Tested by myself using the syzbot reproducers with positive results
>
> Signed-off-by: Neil Horman <nhor...@tuxdriver.com>
> CC: da...@davemloft.net
> CC: Xin Long <lucien....@gmail.com>
> Reported-by: syzbot+a4e4112c3aff00c8c...@syzkaller.appspotmail.com

Applied, thanks Neil.
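The ordering problem the commit message describes, as an added illustration that is not kernel code and not part of this thread: a constructed user-space model in which `associate()`, `wait_for_sndbuf()`, `cleanup()` and `owner_close()` stand in for the kernel paths named above. The model assumes (these are assumptions, not facts from the message) that a peeloff transfers ownership of the association to another socket which releases it on close, that the sender's cleanup frees a newly created association on any error, and that -EPIPE is exactly the error such a peeloff produces from the wait. A counter of releases replaces a real allocator so the double free is detected as a value rather than as heap corruption.

```c
/* Constructed model (not kernel code) of the ordering bug from the
 * commit message: connect first, wait second, lets a peeloff slip in
 * between, the wait fails with -EPIPE, and the sender's cleanup frees
 * an association it no longer owns. */
#include <stdio.h>

#define EPIPE 32

struct asoc {
    int connected;
    int peeled_off;   /* a peeloff moved it to another socket */
    int free_count;   /* model's detector: >1 means double free */
};

/* Releases are counted instead of performed. The model only tracks the
 * error and peeloff paths; a successful send keeps the asoc alive. */
static void asoc_free(struct asoc *a) { a->free_count++; }

/* Stand-in for sctp_primitive_ASSOCIATE. The peeloff flag stands in for
 * the race in the message: once connected, a peeloff may occur before
 * the sender runs again (assumed simplification). */
static void associate(struct asoc *a, int peeloff)
{
    a->connected = 1;
    if (peeloff)
        a->peeled_off = 1;
}

/* Stand-in for sctp_wait_for_sndbuf: succeeds unless the association
 * was peeled off, in which case it reports -EPIPE (assumed). */
static int wait_for_sndbuf(const struct asoc *a)
{
    return a->peeled_off ? -EPIPE : 0;
}

/* Cleanup as the message characterises it: a failed send on a newly
 * created association frees it, and -EPIPE is not recognised as
 * "someone else owns it now" (assumed). */
static void cleanup(struct asoc *a, int err, int is_new)
{
    if (err && is_new)
        asoc_free(a);
}

/* The peeled-off association's new owner releases it on close. */
static void owner_close(struct asoc *a)
{
    if (a->peeled_off)
        asoc_free(a);
}

/* Refactored ordering: connect, then wait. Returns how many times the
 * association was released; 2 is the double free. */
int sendmsg_refactored(int peeloff)
{
    struct asoc a = {0};
    int err;

    associate(&a, peeloff);
    err = wait_for_sndbuf(&a);
    cleanup(&a, err, 1);
    owner_close(&a);
    return a.free_count;
}

/* Restored ordering: wait, then connect. Nothing is connected while we
 * wait, so no peeloff can intervene and the wait cannot yield -EPIPE. */
int sendmsg_fixed(int peeloff)
{
    struct asoc a = {0};
    int err;

    err = wait_for_sndbuf(&a);   /* not connected, cannot be peeled off */
    if (!err)
        associate(&a, peeloff);
    cleanup(&a, err, 1);
    owner_close(&a);
    return a.free_count;
}

int main(void)
{
    printf("refactored, peeloff: %d release(s)\n", sendmsg_refactored(1));
    printf("fixed, peeloff:      %d release(s)\n", sendmsg_fixed(1));
    return 0;
}
```

With a peeloff in the window, the refactored ordering reports two releases of the same association; the restored ordering reports one, from the owner that actually holds it.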