summaryrefslogtreecommitdiffstats
path: root/net/sctp
diff options
context:
space:
mode:
authorXin Long <lucien.xin@gmail.com>2016-10-31 20:32:31 +0800
committerDavid S. Miller <davem@davemloft.net>2016-10-31 16:20:32 -0400
commitcd26da4ff4eb7189921d4e7ad87e8adebb7b416b (patch)
tree15e1db16d4528e66c85ede29ffc844cda7607aed /net/sctp
parent87557efc27f6a50140fb20df06a917f368ce3c66 (diff)
downloadlinux-cd26da4ff4eb7189921d4e7ad87e8adebb7b416b.tar.gz
linux-cd26da4ff4eb7189921d4e7ad87e8adebb7b416b.tar.bz2
linux-cd26da4ff4eb7189921d4e7ad87e8adebb7b416b.zip
sctp: hold transport instead of assoc in sctp_diag
In sctp_transport_lookup_process(), Commit 1cceda784980 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock") moved cb() out of rcu lock, but it put transport and hold assoc instead, and ignore that cb() still uses transport. It may cause a use-after-free issue. This patch is to hold transport instead of assoc there. Fixes: 1cceda784980 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock") Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net/sctp')
-rw-r--r--net/sctp/socket.c5
1 files changed, 1 insertions, 4 deletions
diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 9fbb6feb8c27..71b75f9d9c1b 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -4480,12 +4480,9 @@ int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *),
if (!transport || !sctp_transport_hold(transport))
goto out;
- sctp_association_hold(transport->asoc);
- sctp_transport_put(transport);
-
rcu_read_unlock();
err = cb(transport, p);
- sctp_association_put(transport->asoc);
+ sctp_transport_put(transport);
out:
return err;