sctp: hold transport instead of assoc in sctp_diag

In sctp_transport_lookup_process(), Commit 1cceda78 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock") moved cb() out of rcu lock, but it put transport and hold assoc instead, and ignore that cb() still uses transport. It may cause a use-after-free issue. This patch is to hold transport instead of assoc there. Fixes: 1cceda78 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock") Signed-off-by: N Xin Long <lucien.xin@gmail.com> Acked-by: N Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>

sctp: hold transport instead of assoc in sctp_diag
In sctp_transport_lookup_process(), Commit 1cceda78 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock") moved cb() out of rcu lock, but it put transport and hold assoc instead, and ignore that cb() still uses transport. It may cause a use-after-free issue. This patch is to hold transport instead of assoc there. Fixes: 1cceda78 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock") Signed-off-by: N Xin Long <lucien.xin@gmail.com> Acked-by: N Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: N David S. Miller <davem@davemloft.net>
cd26da4f · Xin Long · David S. Miller · 87557efc · cd26da4f
隐藏空白更改
内联并排

Showing with 1 addition and 4 deletion

net/sctp/socket.c net/sctp/socket.c +1 -4

未找到文件。
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4480,12 +4480,9 @@ int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *),
 	if (!transport || !sctp_transport_hold(transport))
 		goto out;

-	sctp_association_hold(transport->asoc);
-	sctp_transport_put(transport);
-
 	rcu_read_unlock();
 	err = cb(transport, p);
-	sctp_association_put(transport->asoc);
+	sctp_transport_put(transport);

 out:
 	return err;