AcoSail/kernel_optimize_test
8
0
Fork 0
forked from luck/tmp_suning_uos_patched
Code Pull Requests Activity
fccb35bbf7
kernel_optimize_test/net/sctp
History
Xin Long 42f1b8653f sctp: delay auto_asconf init until binding the first addr 
commit 34e5b01186858b36c4d7c87e1a025071e8e2401f upstream.

As Or Cohen described:

  If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock
  held and sp->do_auto_asconf is true, then an element is removed
  from the auto_asconf_splist without any proper locking.

  This can happen in the following functions:
  1. In sctp_accept, if sctp_sock_migrate fails.
  2. In inet_create or inet6_create, if there is a bpf program
     attached to BPF_CGROUP_INET_SOCK_CREATE which denies
     creation of the sctp socket.

This patch is to fix it by moving the auto_asconf init out of
sctp_init_sock(), by which inet_create()/inet6_create() won't
need to operate it in sctp_destroy_sock() when calling
sk_common_release().

It also makes more sense to do auto_asconf init while binding the
first addr, as auto_asconf actually requires an ANY addr bind,
see it in sctp_addr_wq_timeout_handler().

This addresses CVE-2021-23133.

Fixes: 6102365876 ("bpf: Add new cgroup attach type to enable sock modifications")
Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2021-05-14 09:50:46 +02:00
..
associola.c net: sctp: associola.c: delete duplicated words 2020-08-24 16:21:43 -07:00
auth.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-10-08 15:44:50 -07:00
bind_addr.c net: sctp: bind_addr.c: delete duplicated word 2020-08-24 16:21:43 -07:00
chunk.c net: sctp: chunk.c: delete duplicated word 2020-08-24 16:21:43 -07:00
debug.c
diag.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
endpointola.c sctp: get netns from asoc and ep base 2019-12-09 20:14:01 -08:00
input.c sctp: change to hold/put transport for proto_unreach_timer 2020-11-14 11:57:12 -08:00
inqueue.c
ipv6.c net-ipv6: bugfix - raw & sctp - switch to ipv6_can_nonlocal_bind() 2021-04-14 08:42:02 +02:00
Kconfig treewide: replace '---help---' in Kconfig files with 'help' 2020-06-14 01:57:21 +09:00
Makefile
objcnt.c
offload.c
output.c sctp: get netns from asoc and ep base 2019-12-09 20:14:01 -08:00
outqueue.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
primitive.c
proc.c net: fix iteration for sctp transport seq_files 2021-02-17 11:02:29 +01:00
protocol.c net: sctp: protocol.c: delete duplicated words + punctuation 2020-08-24 16:21:43 -07:00
sm_make_chunk.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-09-04 21:28:59 -07:00
sm_sideeffect.c sctp: change to hold/put transport for proto_unreach_timer 2020-11-14 11:57:12 -08:00
sm_statefuns.c treewide: Use fallthrough pseudo-keyword 2020-08-23 17:36:59 -05:00
sm_statetable.c
socket.c sctp: delay auto_asconf init until binding the first addr 2021-05-14 09:50:46 +02:00
stream_interleave.c sctp: get netns from asoc and ep base 2019-12-09 20:14:01 -08:00
stream_sched_prio.c
stream_sched_rr.c
stream_sched.c
stream.c net: sctp: Fix negotiation of the number of data streams. 2020-08-20 16:37:37 -07:00
sysctl.c sysctl: pass kernel pointers to ->proc_handler 2020-04-27 02:07:40 -04:00
transport.c sctp: change to hold/put transport for proto_unreach_timer 2020-11-14 11:57:12 -08:00
tsnmap.c
ulpevent.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-05-31 17:48:46 -07:00
ulpqueue.c net: sctp: ulpqueue.c: delete duplicated word 2020-08-24 16:21:43 -07:00