linux/net/sctp
Jacek Luczak c182f90bc1 SCTP: fix race between sctp_bind_addr_free() and sctp_bind_addr_conflict()
During the sctp_close() call, we do not use rcu primitives to
destroy the address list attached to the endpoint.  At the same
time, we do the removal of addresses from this list before
attempting to remove the socket from the port hash.

As a result, it is possible for another process to find the socket
in the port hash that is in the process of being closed.  It then
proceeds to traverse the address list to find the conflict, only
to have that address list suddenly disappear without rcu() critical
section.

Fix issue by closing address list removal inside RCU critical
section.

Race can result in a kernel crash with general protection fault or
kernel NULL pointer dereference:

kernel: general protection fault: 0000 [#1] SMP
kernel: RIP: 0010:[<ffffffffa02f3dde>]  [<ffffffffa02f3dde>] sctp_bind_addr_conflict+0x64/0x82 [sctp]
kernel: Call Trace:
kernel:  [<ffffffffa02f415f>] ? sctp_get_port_local+0x17b/0x2a3 [sctp]
kernel:  [<ffffffffa02f3d45>] ? sctp_bind_addr_match+0x33/0x68 [sctp]
kernel:  [<ffffffffa02f4416>] ? sctp_do_bind+0xd3/0x141 [sctp]
kernel:  [<ffffffffa02f5030>] ? sctp_bindx_add+0x4d/0x8e [sctp]
kernel:  [<ffffffffa02f5183>] ? sctp_setsockopt_bindx+0x112/0x4a4 [sctp]
kernel:  [<ffffffff81089e82>] ? generic_file_aio_write+0x7f/0x9b
kernel:  [<ffffffffa02f763e>] ? sctp_setsockopt+0x14f/0xfee [sctp]
kernel:  [<ffffffff810c11fb>] ? do_sync_write+0xab/0xeb
kernel:  [<ffffffff810e82ab>] ? fsnotify+0x239/0x282
kernel:  [<ffffffff810c2462>] ? alloc_file+0x18/0xb1
kernel:  [<ffffffff8134a0b1>] ? compat_sys_setsockopt+0x1a5/0x1d9
kernel:  [<ffffffff8134aaf1>] ? compat_sys_socketcall+0x143/0x1a4
kernel:  [<ffffffff810467dc>] ? sysenter_dispatch+0x7/0x32

Signed-off-by: Jacek Luczak <luczak.jacek@gmail.com>
Acked-by: Vlad Yasevich <vladislav.yasevich@hp.com>
CC: Eric Dumazet <eric.dumazet@gmail.com>
Reviewed-by: Eric Dumazet <eric.dumazet@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2011-05-19 17:13:04 -04:00
associola.c sctp: fix oops while removed transport still using as retran path 2011-04-12 19:33:51 -07:00
auth.c Fix common misspellings 2011-03-31 11:26:23 -03:00
bind_addr.c SCTP: fix race between sctp_bind_addr_free() and sctp_bind_addr_conflict() 2011-05-19 17:13:04 -04:00
chunk.c net/sctp: Use pr_fmt and pr_<level> 2010-08-26 14:11:48 -07:00
command.c [SCTP]: Remove sctp_add_cmd_sf wrapper bloat 2008-03-27 17:54:29 -07:00
debug.c sctp: remove completely unsed EMPTY state 2011-04-20 01:51:03 -07:00
endpointola.c sctp: bail from sctp_endpoint_lookup_assoc() if not bound 2011-04-20 01:51:03 -07:00
input.c inet: constify ip headers and in6_addr 2011-04-22 11:04:14 -07:00
inqueue.c net/sctp: Use pr_fmt and pr_<level> 2010-08-26 14:11:48 -07:00
ipv6.c sctp: clean up route lookup calls 2011-04-27 13:14:06 -07:00
Kconfig sctp: implement sctp association probing module 2010-04-30 22:41:09 -04:00
Makefile sctp: implement sctp association probing module 2010-04-30 22:41:09 -04:00
objcnt.c net/sctp: Use pr_fmt and pr_<level> 2010-08-26 14:11:48 -07:00
output.c Fix common misspellings 2011-03-31 11:26:23 -03:00
outqueue.c sctp: move chunk from retransmit queue to abandoned list 2011-04-20 01:51:06 -07:00
primitive.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
probe.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net-next-2.6 2010-10-23 11:47:02 -07:00
proc.c net: Remove unnecessary returns from void function()s 2010-05-17 23:23:14 -07:00
protocol.c sctp: Remove rt->rt_src usage in sctp_v4_get_saddr() 2011-05-10 13:32:47 -07:00
sm_make_chunk.c sctp: make heartbeat information in sctp_make_heartbeat() 2011-04-20 01:51:05 -07:00
sm_sideeffect.c sctp: fix to check the source address of COOKIE-ECHO chunk 2011-04-20 01:51:05 -07:00
sm_statefuns.c sctp: implement event notification SCTP_SENDER_DRY_EVENT 2011-04-21 10:35:44 -07:00
sm_statetable.c sctp: implement event notification SCTP_SENDER_DRY_EVENT 2011-04-21 10:35:44 -07:00
socket.c sctp: sctp_sendmsg: Don't test known non-null sinfo 2011-05-12 17:30:50 -04:00
ssnmap.c include cleanup: Update gfp.h and slab.h includes to prepare for breaking implicit slab.h inclusion from percpu.h 2010-03-30 22:02:32 +09:00
sysctl.c net: avoid limits overflow 2010-11-10 12:12:00 -08:00
transport.c sctp: Store a flowi in transports to provide persistent keying. 2011-05-08 14:05:14 -07:00
tsnmap.c sctp: fix compile warnings in sctp_tsnmap_num_gabs 2011-02-20 11:10:15 -08:00
ulpevent.c sctp: implement event notification SCTP_SENDER_DRY_EVENT 2011-04-21 10:35:44 -07:00
ulpqueue.c Fix common misspellings 2011-03-31 11:26:23 -03:00