<feed xmlns='http://www.w3.org/2005/Atom'>
<title>linux-toradex.git/net/sctp, branch v3.10.56</title>
<subtitle>Linux kernel for Apalis and Colibri modules</subtitle>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/'/>
<entry>
<title>sctp: fix possible seqlock seadlock in sctp_packet_transmit()</title>
<updated>2014-08-14T01:24:15+00:00</updated>
<author>
<name>Eric Dumazet</name>
<email>edumazet@google.com</email>
</author>
<published>2014-08-05T14:49:52+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=6e5f6266d635809c560f7fb48a710701a1d54139'/>
<id>6e5f6266d635809c560f7fb48a710701a1d54139</id>
<content type='text'>
[ Upstream commit 757efd32d5ce31f67193cc0e6a56e4dffcc42fb1 ]

Dave reported following splat, caused by improper use of
IP_INC_STATS_BH() in process context.

BUG: using __this_cpu_add() in preemptible [00000000] code: trinity-c117/14551
caller is __this_cpu_preempt_check+0x13/0x20
CPU: 3 PID: 14551 Comm: trinity-c117 Not tainted 3.16.0+ #33
 ffffffff9ec898f0 0000000047ea7e23 ffff88022d32f7f0 ffffffff9e7ee207
 0000000000000003 ffff88022d32f818 ffffffff9e397eaa ffff88023ee70b40
 ffff88022d32f970 ffff8801c026d580 ffff88022d32f828 ffffffff9e397ee3
Call Trace:
 [&lt;ffffffff9e7ee207&gt;] dump_stack+0x4e/0x7a
 [&lt;ffffffff9e397eaa&gt;] check_preemption_disabled+0xfa/0x100
 [&lt;ffffffff9e397ee3&gt;] __this_cpu_preempt_check+0x13/0x20
 [&lt;ffffffffc0839872&gt;] sctp_packet_transmit+0x692/0x710 [sctp]
 [&lt;ffffffffc082a7f2&gt;] sctp_outq_flush+0x2a2/0xc30 [sctp]
 [&lt;ffffffff9e0d985c&gt;] ? mark_held_locks+0x7c/0xb0
 [&lt;ffffffff9e7f8c6d&gt;] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [&lt;ffffffffc082b99a&gt;] sctp_outq_uncork+0x1a/0x20 [sctp]
 [&lt;ffffffffc081e112&gt;] sctp_cmd_interpreter.isra.23+0x1142/0x13f0 [sctp]
 [&lt;ffffffffc081c86b&gt;] sctp_do_sm+0xdb/0x330 [sctp]
 [&lt;ffffffff9e0b8f1b&gt;] ? preempt_count_sub+0xab/0x100
 [&lt;ffffffffc083b350&gt;] ? sctp_cname+0x70/0x70 [sctp]
 [&lt;ffffffffc08389ca&gt;] sctp_primitive_ASSOCIATE+0x3a/0x50 [sctp]
 [&lt;ffffffffc083358f&gt;] sctp_sendmsg+0x88f/0xe30 [sctp]
 [&lt;ffffffff9e0d673a&gt;] ? lock_release_holdtime.part.28+0x9a/0x160
 [&lt;ffffffff9e0d62ce&gt;] ? put_lock_stats.isra.27+0xe/0x30
 [&lt;ffffffff9e73b624&gt;] inet_sendmsg+0x104/0x220
 [&lt;ffffffff9e73b525&gt;] ? inet_sendmsg+0x5/0x220
 [&lt;ffffffff9e68ac4e&gt;] sock_sendmsg+0x9e/0xe0
 [&lt;ffffffff9e1c0c09&gt;] ? might_fault+0xb9/0xc0
 [&lt;ffffffff9e1c0bae&gt;] ? might_fault+0x5e/0xc0
 [&lt;ffffffff9e68b234&gt;] SYSC_sendto+0x124/0x1c0
 [&lt;ffffffff9e0136b0&gt;] ? syscall_trace_enter+0x250/0x330
 [&lt;ffffffff9e68c3ce&gt;] SyS_sendto+0xe/0x10
 [&lt;ffffffff9e7f9be4&gt;] tracesys+0xdd/0xe2

This is a followup of commits f1d8cba61c3c4b ("inet: fix possible
seqlock deadlocks") and 7f88c6b23afbd315 ("ipv6: fix possible seqlock
deadlock in ip6_finish_output2")

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Reported-by: Dave Jones &lt;davej@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 757efd32d5ce31f67193cc0e6a56e4dffcc42fb1 ]

Dave reported following splat, caused by improper use of
IP_INC_STATS_BH() in process context.

BUG: using __this_cpu_add() in preemptible [00000000] code: trinity-c117/14551
caller is __this_cpu_preempt_check+0x13/0x20
CPU: 3 PID: 14551 Comm: trinity-c117 Not tainted 3.16.0+ #33
 ffffffff9ec898f0 0000000047ea7e23 ffff88022d32f7f0 ffffffff9e7ee207
 0000000000000003 ffff88022d32f818 ffffffff9e397eaa ffff88023ee70b40
 ffff88022d32f970 ffff8801c026d580 ffff88022d32f828 ffffffff9e397ee3
Call Trace:
 [&lt;ffffffff9e7ee207&gt;] dump_stack+0x4e/0x7a
 [&lt;ffffffff9e397eaa&gt;] check_preemption_disabled+0xfa/0x100
 [&lt;ffffffff9e397ee3&gt;] __this_cpu_preempt_check+0x13/0x20
 [&lt;ffffffffc0839872&gt;] sctp_packet_transmit+0x692/0x710 [sctp]
 [&lt;ffffffffc082a7f2&gt;] sctp_outq_flush+0x2a2/0xc30 [sctp]
 [&lt;ffffffff9e0d985c&gt;] ? mark_held_locks+0x7c/0xb0
 [&lt;ffffffff9e7f8c6d&gt;] ? _raw_spin_unlock_irqrestore+0x5d/0x80
 [&lt;ffffffffc082b99a&gt;] sctp_outq_uncork+0x1a/0x20 [sctp]
 [&lt;ffffffffc081e112&gt;] sctp_cmd_interpreter.isra.23+0x1142/0x13f0 [sctp]
 [&lt;ffffffffc081c86b&gt;] sctp_do_sm+0xdb/0x330 [sctp]
 [&lt;ffffffff9e0b8f1b&gt;] ? preempt_count_sub+0xab/0x100
 [&lt;ffffffffc083b350&gt;] ? sctp_cname+0x70/0x70 [sctp]
 [&lt;ffffffffc08389ca&gt;] sctp_primitive_ASSOCIATE+0x3a/0x50 [sctp]
 [&lt;ffffffffc083358f&gt;] sctp_sendmsg+0x88f/0xe30 [sctp]
 [&lt;ffffffff9e0d673a&gt;] ? lock_release_holdtime.part.28+0x9a/0x160
 [&lt;ffffffff9e0d62ce&gt;] ? put_lock_stats.isra.27+0xe/0x30
 [&lt;ffffffff9e73b624&gt;] inet_sendmsg+0x104/0x220
 [&lt;ffffffff9e73b525&gt;] ? inet_sendmsg+0x5/0x220
 [&lt;ffffffff9e68ac4e&gt;] sock_sendmsg+0x9e/0xe0
 [&lt;ffffffff9e1c0c09&gt;] ? might_fault+0xb9/0xc0
 [&lt;ffffffff9e1c0bae&gt;] ? might_fault+0x5e/0xc0
 [&lt;ffffffff9e68b234&gt;] SYSC_sendto+0x124/0x1c0
 [&lt;ffffffff9e0136b0&gt;] ? syscall_trace_enter+0x250/0x330
 [&lt;ffffffff9e68c3ce&gt;] SyS_sendto+0xe/0x10
 [&lt;ffffffff9e7f9be4&gt;] tracesys+0xdd/0xe2

This is a followup of commits f1d8cba61c3c4b ("inet: fix possible
seqlock deadlocks") and 7f88c6b23afbd315 ("ipv6: fix possible seqlock
deadlock in ip6_finish_output2")

Signed-off-by: Eric Dumazet &lt;edumazet@google.com&gt;
Cc: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Reported-by: Dave Jones &lt;davej@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Hannes Frederic Sowa &lt;hannes@stressinduktion.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sctp: inherit auth_capable on INIT collisions</title>
<updated>2014-08-14T01:24:15+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2014-07-22T13:22:45+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=495d049f3e499227d28c89800bca27cc726b3bb2'/>
<id>495d049f3e499227d28c89800bca27cc726b3bb2</id>
<content type='text'>
[ Upstream commit 1be9a950c646c9092fb3618197f7b6bfb50e82aa ]

Jason reported an oops caused by SCTP on his ARM machine with
SCTP authentication enabled:

Internal error: Oops: 17 [#1] ARM
CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1
task: c6eefa40 ti: c6f52000 task.ti: c6f52000
PC is at sctp_auth_calculate_hmac+0xc4/0x10c
LR is at sg_init_table+0x20/0x38
pc : [&lt;c024bb80&gt;]    lr : [&lt;c00f32dc&gt;]    psr: 40000013
sp : c6f538e8  ip : 00000000  fp : c6f53924
r10: c6f50d80  r9 : 00000000  r8 : 00010000
r7 : 00000000  r6 : c7be4000  r5 : 00000000  r4 : c6f56254
r3 : c00c8170  r2 : 00000001  r1 : 00000008  r0 : c6f1e660
Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 0005397f  Table: 06f28000  DAC: 00000015
Process sctp-test (pid: 104, stack limit = 0xc6f521c0)
Stack: (0xc6f538e8 to 0xc6f54000)
[...]
Backtrace:
[&lt;c024babc&gt;] (sctp_auth_calculate_hmac+0x0/0x10c) from [&lt;c0249af8&gt;] (sctp_packet_transmit+0x33c/0x5c8)
[&lt;c02497bc&gt;] (sctp_packet_transmit+0x0/0x5c8) from [&lt;c023e96c&gt;] (sctp_outq_flush+0x7fc/0x844)
[&lt;c023e170&gt;] (sctp_outq_flush+0x0/0x844) from [&lt;c023ef78&gt;] (sctp_outq_uncork+0x24/0x28)
[&lt;c023ef54&gt;] (sctp_outq_uncork+0x0/0x28) from [&lt;c0234364&gt;] (sctp_side_effects+0x1134/0x1220)
[&lt;c0233230&gt;] (sctp_side_effects+0x0/0x1220) from [&lt;c02330b0&gt;] (sctp_do_sm+0xac/0xd4)
[&lt;c0233004&gt;] (sctp_do_sm+0x0/0xd4) from [&lt;c023675c&gt;] (sctp_assoc_bh_rcv+0x118/0x160)
[&lt;c0236644&gt;] (sctp_assoc_bh_rcv+0x0/0x160) from [&lt;c023d5bc&gt;] (sctp_inq_push+0x6c/0x74)
[&lt;c023d550&gt;] (sctp_inq_push+0x0/0x74) from [&lt;c024a6b0&gt;] (sctp_rcv+0x7d8/0x888)

While we already had various kind of bugs in that area
ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if
we/peer is AUTH capable") and b14878ccb7fa ("net: sctp: cache
auth_enable per endpoint"), this one is a bit of a different
kind.

Giving a bit more background on why SCTP authentication is
needed can be found in RFC4895:

  SCTP uses 32-bit verification tags to protect itself against
  blind attackers. These values are not changed during the
  lifetime of an SCTP association.

  Looking at new SCTP extensions, there is the need to have a
  method of proving that an SCTP chunk(s) was really sent by
  the original peer that started the association and not by a
  malicious attacker.

To cause this bug, we're triggering an INIT collision between
peers; normal SCTP handshake where both sides intent to
authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO
parameters that are being negotiated among peers:

  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------&gt;
  &lt;------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
  -------------------- COOKIE-ECHO --------------------&gt;
  &lt;-------------------- COOKIE-ACK ---------------------

RFC4895 says that each endpoint therefore knows its own random
number and the peer's random number *after* the association
has been established. The local and peer's random number along
with the shared key are then part of the secret used for
calculating the HMAC in the AUTH chunk.

Now, in our scenario, we have 2 threads with 1 non-blocking
SEQ_PACKET socket each, setting up common shared SCTP_AUTH_KEY
and SCTP_AUTH_ACTIVE_KEY properly, and each of them calling
sctp_bindx(3), listen(2) and connect(2) against each other,
thus the handshake looks similar to this, e.g.:

  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------&gt;
  &lt;------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
  &lt;--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] -----------
  -------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------&gt;
  ...

Since such collisions can also happen with verification tags,
the RFC4895 for AUTH rather vaguely says under section 6.1:

  In case of INIT collision, the rules governing the handling
  of this Random Number follow the same pattern as those for
  the Verification Tag, as explained in Section 5.2.4 of
  RFC 2960 [5]. Therefore, each endpoint knows its own Random
  Number and the peer's Random Number after the association
  has been established.

In RFC2960, section 5.2.4, we're eventually hitting Action B:

  B) In this case, both sides may be attempting to start an
     association at about the same time but the peer endpoint
     started its INIT after responding to the local endpoint's
     INIT. Thus it may have picked a new Verification Tag not
     being aware of the previous Tag it had sent this endpoint.
     The endpoint should stay in or enter the ESTABLISHED
     state but it MUST update its peer's Verification Tag from
     the State Cookie, stop any init or cookie timers that may
     running and send a COOKIE ACK.

In other words, the handling of the Random parameter is the
same as behavior for the Verification Tag as described in
Action B of section 5.2.4.

Looking at the code, we exactly hit the sctp_sf_do_dupcook_b()
case which triggers an SCTP_CMD_UPDATE_ASSOC command to the
side effect interpreter, and in fact it properly copies over
peer_{random, hmacs, chunks} parameters from the newly created
association to update the existing one.

Also, the old asoc_shared_key is being released and based on
the new params, sctp_auth_asoc_init_active_key() updated.
However, the issue observed in this case is that the previous
asoc-&gt;peer.auth_capable was 0, and has *not* been updated, so
that instead of creating a new secret, we're doing an early
return from the function sctp_auth_asoc_init_active_key()
leaving asoc-&gt;asoc_shared_key as NULL. However, we now have to
authenticate chunks from the updated chunk list (e.g. COOKIE-ACK).

That in fact causes the server side when responding with ...

  &lt;------------------ AUTH; COOKIE-ACK -----------------

... to trigger a NULL pointer dereference, since in
sctp_packet_transmit(), it discovers that an AUTH chunk is
being queued for xmit, and thus it calls sctp_auth_calculate_hmac().

Since the asoc-&gt;active_key_id is still inherited from the
endpoint, and the same as encoded into the chunk, it uses
asoc-&gt;asoc_shared_key, which is still NULL, as an asoc_key
and dereferences it in ...

  crypto_hash_setkey(desc.tfm, &amp;asoc_key-&gt;data[0], asoc_key-&gt;len)

... causing an oops. All this happens because sctp_make_cookie_ack()
called with the *new* association has the peer.auth_capable=1
and therefore marks the chunk with auth=1 after checking
sctp_auth_send_cid(), but it is *actually* sent later on over
the then *updated* association's transport that didn't initialize
its shared key due to peer.auth_capable=0. Since control chunks
in that case are not sent by the temporary association which
are scheduled for deletion, they are issued for xmit via
SCTP_CMD_REPLY in the interpreter with the context of the
*updated* association. peer.auth_capable was 0 in the updated
association (which went from COOKIE_WAIT into ESTABLISHED state),
since all previous processing that performed sctp_process_init()
was being done on temporary associations, that we eventually
throw away each time.

The correct fix is to update to the new peer.auth_capable
value as well in the collision case via sctp_assoc_update(),
so that in case the collision migrated from 0 -&gt; 1,
sctp_auth_asoc_init_active_key() can properly recalculate
the secret. This therefore fixes the observed server panic.

Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
Reported-by: Jason Gunthorpe &lt;jgunthorpe@obsidianresearch.com&gt;
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Tested-by: Jason Gunthorpe &lt;jgunthorpe@obsidianresearch.com&gt;
Cc: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1be9a950c646c9092fb3618197f7b6bfb50e82aa ]

Jason reported an oops caused by SCTP on his ARM machine with
SCTP authentication enabled:

Internal error: Oops: 17 [#1] ARM
CPU: 0 PID: 104 Comm: sctp-test Not tainted 3.13.0-68744-g3632f30c9b20-dirty #1
task: c6eefa40 ti: c6f52000 task.ti: c6f52000
PC is at sctp_auth_calculate_hmac+0xc4/0x10c
LR is at sg_init_table+0x20/0x38
pc : [&lt;c024bb80&gt;]    lr : [&lt;c00f32dc&gt;]    psr: 40000013
sp : c6f538e8  ip : 00000000  fp : c6f53924
r10: c6f50d80  r9 : 00000000  r8 : 00010000
r7 : 00000000  r6 : c7be4000  r5 : 00000000  r4 : c6f56254
r3 : c00c8170  r2 : 00000001  r1 : 00000008  r0 : c6f1e660
Flags: nZcv  IRQs on  FIQs on  Mode SVC_32  ISA ARM  Segment user
Control: 0005397f  Table: 06f28000  DAC: 00000015
Process sctp-test (pid: 104, stack limit = 0xc6f521c0)
Stack: (0xc6f538e8 to 0xc6f54000)
[...]
Backtrace:
[&lt;c024babc&gt;] (sctp_auth_calculate_hmac+0x0/0x10c) from [&lt;c0249af8&gt;] (sctp_packet_transmit+0x33c/0x5c8)
[&lt;c02497bc&gt;] (sctp_packet_transmit+0x0/0x5c8) from [&lt;c023e96c&gt;] (sctp_outq_flush+0x7fc/0x844)
[&lt;c023e170&gt;] (sctp_outq_flush+0x0/0x844) from [&lt;c023ef78&gt;] (sctp_outq_uncork+0x24/0x28)
[&lt;c023ef54&gt;] (sctp_outq_uncork+0x0/0x28) from [&lt;c0234364&gt;] (sctp_side_effects+0x1134/0x1220)
[&lt;c0233230&gt;] (sctp_side_effects+0x0/0x1220) from [&lt;c02330b0&gt;] (sctp_do_sm+0xac/0xd4)
[&lt;c0233004&gt;] (sctp_do_sm+0x0/0xd4) from [&lt;c023675c&gt;] (sctp_assoc_bh_rcv+0x118/0x160)
[&lt;c0236644&gt;] (sctp_assoc_bh_rcv+0x0/0x160) from [&lt;c023d5bc&gt;] (sctp_inq_push+0x6c/0x74)
[&lt;c023d550&gt;] (sctp_inq_push+0x0/0x74) from [&lt;c024a6b0&gt;] (sctp_rcv+0x7d8/0x888)

While we already had various kind of bugs in that area
ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to verify if
we/peer is AUTH capable") and b14878ccb7fa ("net: sctp: cache
auth_enable per endpoint"), this one is a bit of a different
kind.

Giving a bit more background on why SCTP authentication is
needed can be found in RFC4895:

  SCTP uses 32-bit verification tags to protect itself against
  blind attackers. These values are not changed during the
  lifetime of an SCTP association.

  Looking at new SCTP extensions, there is the need to have a
  method of proving that an SCTP chunk(s) was really sent by
  the original peer that started the association and not by a
  malicious attacker.

To cause this bug, we're triggering an INIT collision between
peers; normal SCTP handshake where both sides intent to
authenticate packets contains RANDOM; CHUNKS; HMAC-ALGO
parameters that are being negotiated among peers:

  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------&gt;
  &lt;------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
  -------------------- COOKIE-ECHO --------------------&gt;
  &lt;-------------------- COOKIE-ACK ---------------------

RFC4895 says that each endpoint therefore knows its own random
number and the peer's random number *after* the association
has been established. The local and peer's random number along
with the shared key are then part of the secret used for
calculating the HMAC in the AUTH chunk.

Now, in our scenario, we have 2 threads with 1 non-blocking
SEQ_PACKET socket each, setting up common shared SCTP_AUTH_KEY
and SCTP_AUTH_ACTIVE_KEY properly, and each of them calling
sctp_bindx(3), listen(2) and connect(2) against each other,
thus the handshake looks similar to this, e.g.:

  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------&gt;
  &lt;------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
  &lt;--------- INIT[RANDOM; CHUNKS; HMAC-ALGO] -----------
  -------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] --------&gt;
  ...

Since such collisions can also happen with verification tags,
the RFC4895 for AUTH rather vaguely says under section 6.1:

  In case of INIT collision, the rules governing the handling
  of this Random Number follow the same pattern as those for
  the Verification Tag, as explained in Section 5.2.4 of
  RFC 2960 [5]. Therefore, each endpoint knows its own Random
  Number and the peer's Random Number after the association
  has been established.

In RFC2960, section 5.2.4, we're eventually hitting Action B:

  B) In this case, both sides may be attempting to start an
     association at about the same time but the peer endpoint
     started its INIT after responding to the local endpoint's
     INIT. Thus it may have picked a new Verification Tag not
     being aware of the previous Tag it had sent this endpoint.
     The endpoint should stay in or enter the ESTABLISHED
     state but it MUST update its peer's Verification Tag from
     the State Cookie, stop any init or cookie timers that may
     running and send a COOKIE ACK.

In other words, the handling of the Random parameter is the
same as behavior for the Verification Tag as described in
Action B of section 5.2.4.

Looking at the code, we exactly hit the sctp_sf_do_dupcook_b()
case which triggers an SCTP_CMD_UPDATE_ASSOC command to the
side effect interpreter, and in fact it properly copies over
peer_{random, hmacs, chunks} parameters from the newly created
association to update the existing one.

Also, the old asoc_shared_key is being released and based on
the new params, sctp_auth_asoc_init_active_key() updated.
However, the issue observed in this case is that the previous
asoc-&gt;peer.auth_capable was 0, and has *not* been updated, so
that instead of creating a new secret, we're doing an early
return from the function sctp_auth_asoc_init_active_key()
leaving asoc-&gt;asoc_shared_key as NULL. However, we now have to
authenticate chunks from the updated chunk list (e.g. COOKIE-ACK).

That in fact causes the server side when responding with ...

  &lt;------------------ AUTH; COOKIE-ACK -----------------

... to trigger a NULL pointer dereference, since in
sctp_packet_transmit(), it discovers that an AUTH chunk is
being queued for xmit, and thus it calls sctp_auth_calculate_hmac().

Since the asoc-&gt;active_key_id is still inherited from the
endpoint, and the same as encoded into the chunk, it uses
asoc-&gt;asoc_shared_key, which is still NULL, as an asoc_key
and dereferences it in ...

  crypto_hash_setkey(desc.tfm, &amp;asoc_key-&gt;data[0], asoc_key-&gt;len)

... causing an oops. All this happens because sctp_make_cookie_ack()
called with the *new* association has the peer.auth_capable=1
and therefore marks the chunk with auth=1 after checking
sctp_auth_send_cid(), but it is *actually* sent later on over
the then *updated* association's transport that didn't initialize
its shared key due to peer.auth_capable=0. Since control chunks
in that case are not sent by the temporary association which
are scheduled for deletion, they are issued for xmit via
SCTP_CMD_REPLY in the interpreter with the context of the
*updated* association. peer.auth_capable was 0 in the updated
association (which went from COOKIE_WAIT into ESTABLISHED state),
since all previous processing that performed sctp_process_init()
was being done on temporary associations, that we eventually
throw away each time.

The correct fix is to update to the new peer.auth_capable
value as well in the collision case via sctp_assoc_update(),
so that in case the collision migrated from 0 -&gt; 1,
sctp_auth_asoc_init_active_key() can properly recalculate
the secret. This therefore fixes the observed server panic.

Fixes: 730fc3d05cd4 ("[SCTP]: Implete SCTP-AUTH parameter processing")
Reported-by: Jason Gunthorpe &lt;jgunthorpe@obsidianresearch.com&gt;
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Tested-by: Jason Gunthorpe &lt;jgunthorpe@obsidianresearch.com&gt;
Cc: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sctp: fix information leaks in ulpevent layer</title>
<updated>2014-07-28T15:00:05+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2014-07-12T18:30:35+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=b3b3ba5714ee9f77748223a0dbcf40b90e8e0773'/>
<id>b3b3ba5714ee9f77748223a0dbcf40b90e8e0773</id>
<content type='text'>
[ Upstream commit 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea ]

While working on some other SCTP code, I noticed that some
structures shared with user space are leaking uninitialized
stack or heap buffer. In particular, struct sctp_sndrcvinfo
has a 2 bytes hole between .sinfo_flags and .sinfo_ppid that
remains unfilled by us in sctp_ulpevent_read_sndrcvinfo() when
putting this into cmsg. But also struct sctp_remote_error
contains a 2 bytes hole that we don't fill but place into a skb
through skb_copy_expand() via sctp_ulpevent_make_remote_error().

Both structures are defined by the IETF in RFC6458:

* Section 5.3.2. SCTP Header Information Structure:

  The sctp_sndrcvinfo structure is defined below:

  struct sctp_sndrcvinfo {
    uint16_t sinfo_stream;
    uint16_t sinfo_ssn;
    uint16_t sinfo_flags;
    &lt;-- 2 bytes hole  --&gt;
    uint32_t sinfo_ppid;
    uint32_t sinfo_context;
    uint32_t sinfo_timetolive;
    uint32_t sinfo_tsn;
    uint32_t sinfo_cumtsn;
    sctp_assoc_t sinfo_assoc_id;
  };

* 6.1.3. SCTP_REMOTE_ERROR:

  A remote peer may send an Operation Error message to its peer.
  This message indicates a variety of error conditions on an
  association. The entire ERROR chunk as it appears on the wire
  is included in an SCTP_REMOTE_ERROR event. Please refer to the
  SCTP specification [RFC4960] and any extensions for a list of
  possible error formats. An SCTP error notification has the
  following format:

  struct sctp_remote_error {
    uint16_t sre_type;
    uint16_t sre_flags;
    uint32_t sre_length;
    uint16_t sre_error;
    &lt;-- 2 bytes hole  --&gt;
    sctp_assoc_t sre_assoc_id;
    uint8_t  sre_data[];
  };

Fix this by setting both to 0 before filling them out. We also
have other structures shared between user and kernel space in
SCTP that contains holes (e.g. struct sctp_paddrthlds), but we
copy that buffer over from user space first and thus don't need
to care about it in that cases.

While at it, we can also remove lengthy comments copied from
the draft, instead, we update the comment with the correct RFC
number where one can look it up.

Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 8f2e5ae40ec193bc0a0ed99e95315c3eebca84ea ]

While working on some other SCTP code, I noticed that some
structures shared with user space are leaking uninitialized
stack or heap buffer. In particular, struct sctp_sndrcvinfo
has a 2 bytes hole between .sinfo_flags and .sinfo_ppid that
remains unfilled by us in sctp_ulpevent_read_sndrcvinfo() when
putting this into cmsg. But also struct sctp_remote_error
contains a 2 bytes hole that we don't fill but place into a skb
through skb_copy_expand() via sctp_ulpevent_make_remote_error().

Both structures are defined by the IETF in RFC6458:

* Section 5.3.2. SCTP Header Information Structure:

  The sctp_sndrcvinfo structure is defined below:

  struct sctp_sndrcvinfo {
    uint16_t sinfo_stream;
    uint16_t sinfo_ssn;
    uint16_t sinfo_flags;
    &lt;-- 2 bytes hole  --&gt;
    uint32_t sinfo_ppid;
    uint32_t sinfo_context;
    uint32_t sinfo_timetolive;
    uint32_t sinfo_tsn;
    uint32_t sinfo_cumtsn;
    sctp_assoc_t sinfo_assoc_id;
  };

* 6.1.3. SCTP_REMOTE_ERROR:

  A remote peer may send an Operation Error message to its peer.
  This message indicates a variety of error conditions on an
  association. The entire ERROR chunk as it appears on the wire
  is included in an SCTP_REMOTE_ERROR event. Please refer to the
  SCTP specification [RFC4960] and any extensions for a list of
  possible error formats. An SCTP error notification has the
  following format:

  struct sctp_remote_error {
    uint16_t sre_type;
    uint16_t sre_flags;
    uint32_t sre_length;
    uint16_t sre_error;
    &lt;-- 2 bytes hole  --&gt;
    sctp_assoc_t sre_assoc_id;
    uint8_t  sre_data[];
  };

Fix this by setting both to 0 before filling them out. We also
have other structures shared between user and kernel space in
SCTP that contains holes (e.g. struct sctp_paddrthlds), but we
copy that buffer over from user space first and thus don't need
to care about it in that cases.

While at it, we can also remove lengthy comments copied from
the draft, instead, we update the comment with the correct RFC
number where one can look it up.

Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sctp: check proc_dointvec result in proc_sctp_do_auth</title>
<updated>2014-07-28T15:00:04+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2014-06-18T21:46:31+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=e9013d0f0faef78f90f7bb30e722965fe992dc1e'/>
<id>e9013d0f0faef78f90f7bb30e722965fe992dc1e</id>
<content type='text'>
[ Upstream commit 24599e61b7552673dd85971cf5a35369cd8c119e ]

When writing to the sysctl field net.sctp.auth_enable, it can well
be that the user buffer we handed over to proc_dointvec() via
proc_sctp_do_auth() handler contains something other than integers.

In that case, we would set an uninitialized 4-byte value from the
stack to net-&gt;sctp.auth_enable that can be leaked back when reading
the sysctl variable, and it can unintentionally turn auth_enable
on/off based on the stack content since auth_enable is interpreted
as a boolean.

Fix it up by making sure proc_dointvec() returned sucessfully.

Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
Reported-by: Florian Westphal &lt;fwestpha@redhat.com&gt;
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 24599e61b7552673dd85971cf5a35369cd8c119e ]

When writing to the sysctl field net.sctp.auth_enable, it can well
be that the user buffer we handed over to proc_dointvec() via
proc_sctp_do_auth() handler contains something other than integers.

In that case, we would set an uninitialized 4-byte value from the
stack to net-&gt;sctp.auth_enable that can be leaked back when reading
the sysctl variable, and it can unintentionally turn auth_enable
on/off based on the stack content since auth_enable is interpreted
as a boolean.

Fix it up by making sure proc_dointvec() returned sucessfully.

Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
Reported-by: Florian Westphal &lt;fwestpha@redhat.com&gt;
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: Fix sk_ack_backlog wrap-around problem</title>
<updated>2014-06-26T19:12:38+00:00</updated>
<author>
<name>Xufeng Zhang</name>
<email>xufeng.zhang@windriver.com</email>
</author>
<published>2014-06-12T02:53:36+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=a6987bca8054bf0cf9e90a9b0d42486d7bc53d70'/>
<id>a6987bca8054bf0cf9e90a9b0d42486d7bc53d70</id>
<content type='text'>
[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]

Consider the scenario:
For a TCP-style socket, while processing the COOKIE_ECHO chunk in
sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
a new association would be created in sctp_unpack_cookie(), but afterwards,
some processing maybe failed, and sctp_association_free() will be called to
free the previously allocated association, in sctp_association_free(),
sk_ack_backlog value is decremented for this socket, since the initial
value for sk_ack_backlog is 0, after the decrement, it will be 65535,
a wrap-around problem happens, and if we want to establish new associations
afterward in the same socket, ABORT would be triggered since sctp deem the
accept queue as full.
Fix this issue by only decrementing sk_ack_backlog for associations in
the endpoint's list.

Fix-suggested-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: Xufeng Zhang &lt;xufeng.zhang@windriver.com&gt;
Acked-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit d3217b15a19a4779c39b212358a5c71d725822ee ]

Consider the scenario:
For a TCP-style socket, while processing the COOKIE_ECHO chunk in
sctp_sf_do_5_1D_ce(), after it has passed a series of sanity check,
a new association would be created in sctp_unpack_cookie(), but afterwards,
some processing maybe failed, and sctp_association_free() will be called to
free the previously allocated association, in sctp_association_free(),
sk_ack_backlog value is decremented for this socket, since the initial
value for sk_ack_backlog is 0, after the decrement, it will be 65535,
a wrap-around problem happens, and if we want to establish new associations
afterward in the same socket, ABORT would be triggered since sctp deem the
accept queue as full.
Fix this issue by only decrementing sk_ack_backlog for associations in
the endpoint's list.

Fix-suggested-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: Xufeng Zhang &lt;xufeng.zhang@windriver.com&gt;
Acked-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>sctp: reset flowi4_oif parameter on route lookup</title>
<updated>2014-05-31T04:52:16+00:00</updated>
<author>
<name>Xufeng Zhang</name>
<email>xufeng.zhang@windriver.com</email>
</author>
<published>2014-04-25T08:55:41+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=4de3e298aa5eaf1982c4068d76a2246054eed34c'/>
<id>4de3e298aa5eaf1982c4068d76a2246054eed34c</id>
<content type='text'>
[ Upstream commit 85350871317a5adb35519d9dc6fc9e80809d42ad ]

commit 813b3b5db83 (ipv4: Use caller's on-stack flowi as-is
in output route lookups.) introduces another regression which
is very similar to the problem of commit e6b45241c (ipv4: reset
flowi parameters on route connect) wants to fix:
Before we call ip_route_output_key() in sctp_v4_get_dst() to
get a dst that matches a bind address as the source address,
we have already called this function previously and the flowi
parameters have been initialized including flowi4_oif, so when
we call this function again, the process in __ip_route_output_key()
will be different because of the setting of flowi4_oif, and we'll
get a networking device which corresponds to the inputted flowi4_oif
as the output device, this is wrong because we'll never hit this
place if the previously returned source address of dst match one
of the bound addresses.

To reproduce this problem, a vlan setting is enough:
  # ifconfig eth0 up
  # route del default
  # vconfig add eth0 2
  # vconfig add eth0 3
  # ifconfig eth0.2 10.0.1.14 netmask 255.255.255.0
  # route add default gw 10.0.1.254 dev eth0.2
  # ifconfig eth0.3 10.0.0.14 netmask 255.255.255.0
  # ip rule add from 10.0.0.14 table 4
  # ip route add table 4 default via 10.0.0.254 src 10.0.0.14 dev eth0.3
  # sctp_darn -H 10.0.0.14 -P 36422 -h 10.1.4.134 -p 36422 -s -I
You'll detect that all the flow are routed to eth0.2(10.0.1.254).

Signed-off-by: Xufeng Zhang &lt;xufeng.zhang@windriver.com&gt;
Signed-off-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 85350871317a5adb35519d9dc6fc9e80809d42ad ]

commit 813b3b5db83 (ipv4: Use caller's on-stack flowi as-is
in output route lookups.) introduces another regression which
is very similar to the problem of commit e6b45241c (ipv4: reset
flowi parameters on route connect) wants to fix:
Before we call ip_route_output_key() in sctp_v4_get_dst() to
get a dst that matches a bind address as the source address,
we have already called this function previously and the flowi
parameters have been initialized including flowi4_oif, so when
we call this function again, the process in __ip_route_output_key()
will be different because of the setting of flowi4_oif, and we'll
get a networking device which corresponds to the inputted flowi4_oif
as the output device, this is wrong because we'll never hit this
place if the previously returned source address of dst match one
of the bound addresses.

To reproduce this problem, a vlan setting is enough:
  # ifconfig eth0 up
  # route del default
  # vconfig add eth0 2
  # vconfig add eth0 3
  # ifconfig eth0.2 10.0.1.14 netmask 255.255.255.0
  # route add default gw 10.0.1.254 dev eth0.2
  # ifconfig eth0.3 10.0.0.14 netmask 255.255.255.0
  # ip rule add from 10.0.0.14 table 4
  # ip route add table 4 default via 10.0.0.254 src 10.0.0.14 dev eth0.3
  # sctp_darn -H 10.0.0.14 -P 36422 -h 10.1.4.134 -p 36422 -s -I
You'll detect that all the flow are routed to eth0.2(10.0.1.254).

Signed-off-by: Xufeng Zhang &lt;xufeng.zhang@windriver.com&gt;
Signed-off-by: Julian Anastasov &lt;ja@ssi.bg&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sctp: cache auth_enable per endpoint</title>
<updated>2014-05-31T04:52:15+00:00</updated>
<author>
<name>Vlad Yasevich</name>
<email>vyasevic@redhat.com</email>
</author>
<published>2014-04-17T15:26:50+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=e5eae4a0511241959498b180fa0df0d4f1b11b9c'/>
<id>e5eae4a0511241959498b180fa0df0d4f1b11b9c</id>
<content type='text'>
[ Upstream commit b14878ccb7fac0242db82720b784ab62c467c0dc ]

Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:

Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[&lt;ffffffff8043c4e8&gt;] sctp_auth_asoc_set_default_hmac+0x68/0x80
[&lt;ffffffff8042b300&gt;] sctp_process_init+0x5e0/0x8a4
[&lt;ffffffff8042188c&gt;] sctp_sf_do_5_1B_init+0x234/0x34c
[&lt;ffffffff804228c8&gt;] sctp_do_sm+0xb4/0x1e8
[&lt;ffffffff80425a08&gt;] sctp_endpoint_bh_rcv+0x1c4/0x214
[&lt;ffffffff8043af68&gt;] sctp_rcv+0x588/0x630
[&lt;ffffffff8043e8e8&gt;] sctp6_rcv+0x10/0x24
[&lt;ffffffff803acb50&gt;] ip6_input+0x2c0/0x440
[&lt;ffffffff8030fc00&gt;] __netif_receive_skb_core+0x4a8/0x564
[&lt;ffffffff80310650&gt;] process_backlog+0xb4/0x18c
[&lt;ffffffff80313cbc&gt;] net_rx_action+0x12c/0x210
[&lt;ffffffff80034254&gt;] __do_softirq+0x17c/0x2ac
[&lt;ffffffff800345e0&gt;] irq_exit+0x54/0xb0
[&lt;ffffffff800075a4&gt;] ret_from_irq+0x0/0x4
[&lt;ffffffff800090ec&gt;] rm7k_wait_irqoff+0x24/0x48
[&lt;ffffffff8005e388&gt;] cpu_startup_entry+0xc0/0x148
[&lt;ffffffff805a88b0&gt;] start_kernel+0x37c/0x398
Code: dd0900b8  000330f8  0126302d &lt;dcc60000&gt; 50c0fff1  0047182a  a48306a0
03e00008  00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt

What happens while auth_enable=0 in that case is, that
ep-&gt;auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.

After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net-&gt;sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.

The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.

Fix in joint work with Daniel Borkmann.

Reported-by: Joshua Kinard &lt;kumba@gentoo.org&gt;
Signed-off-by: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Tested-by: Joshua Kinard &lt;kumba@gentoo.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit b14878ccb7fac0242db82720b784ab62c467c0dc ]

Currently, it is possible to create an SCTP socket, then switch
auth_enable via sysctl setting to 1 and crash the system on connect:

Oops[#1]:
CPU: 0 PID: 0 Comm: swapper Not tainted 3.14.1-mipsgit-20140415 #1
task: ffffffff8056ce80 ti: ffffffff8055c000 task.ti: ffffffff8055c000
[...]
Call Trace:
[&lt;ffffffff8043c4e8&gt;] sctp_auth_asoc_set_default_hmac+0x68/0x80
[&lt;ffffffff8042b300&gt;] sctp_process_init+0x5e0/0x8a4
[&lt;ffffffff8042188c&gt;] sctp_sf_do_5_1B_init+0x234/0x34c
[&lt;ffffffff804228c8&gt;] sctp_do_sm+0xb4/0x1e8
[&lt;ffffffff80425a08&gt;] sctp_endpoint_bh_rcv+0x1c4/0x214
[&lt;ffffffff8043af68&gt;] sctp_rcv+0x588/0x630
[&lt;ffffffff8043e8e8&gt;] sctp6_rcv+0x10/0x24
[&lt;ffffffff803acb50&gt;] ip6_input+0x2c0/0x440
[&lt;ffffffff8030fc00&gt;] __netif_receive_skb_core+0x4a8/0x564
[&lt;ffffffff80310650&gt;] process_backlog+0xb4/0x18c
[&lt;ffffffff80313cbc&gt;] net_rx_action+0x12c/0x210
[&lt;ffffffff80034254&gt;] __do_softirq+0x17c/0x2ac
[&lt;ffffffff800345e0&gt;] irq_exit+0x54/0xb0
[&lt;ffffffff800075a4&gt;] ret_from_irq+0x0/0x4
[&lt;ffffffff800090ec&gt;] rm7k_wait_irqoff+0x24/0x48
[&lt;ffffffff8005e388&gt;] cpu_startup_entry+0xc0/0x148
[&lt;ffffffff805a88b0&gt;] start_kernel+0x37c/0x398
Code: dd0900b8  000330f8  0126302d &lt;dcc60000&gt; 50c0fff1  0047182a  a48306a0
03e00008  00000000
---[ end trace b530b0551467f2fd ]---
Kernel panic - not syncing: Fatal exception in interrupt

What happens while auth_enable=0 in that case is, that
ep-&gt;auth_hmacs is initialized to NULL in sctp_auth_init_hmacs()
when endpoint is being created.

After that point, if an admin switches over to auth_enable=1,
the machine can crash due to NULL pointer dereference during
reception of an INIT chunk. When we enter sctp_process_init()
via sctp_sf_do_5_1B_init() in order to respond to an INIT chunk,
the INIT verification succeeds and while we walk and process
all INIT params via sctp_process_param() we find that
net-&gt;sctp.auth_enable is set, therefore do not fall through,
but invoke sctp_auth_asoc_set_default_hmac() instead, and thus,
dereference what we have set to NULL during endpoint
initialization phase.

The fix is to make auth_enable immutable by caching its value
during endpoint initialization, so that its original value is
being carried along until destruction. The bug seems to originate
from the very first days.

Fix in joint work with Daniel Borkmann.

Reported-by: Joshua Kinard &lt;kumba@gentoo.org&gt;
Signed-off-by: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Tested-by: Joshua Kinard &lt;kumba@gentoo.org&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sctp: test if association is dead in sctp_wake_up_waiters</title>
<updated>2014-05-31T04:52:14+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2014-04-09T14:10:20+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=3947574d9ccb493843d518fea97f92f6acdb8c8a'/>
<id>3947574d9ccb493843d518fea97f92f6acdb8c8a</id>
<content type='text'>
[ Upstream commit 1e1cdf8ac78793e0875465e98a648df64694a8d0 ]

In function sctp_wake_up_waiters(), we need to involve a test
if the association is declared dead. If so, we don't have any
reference to a possible sibling association anymore and need
to invoke sctp_write_space() instead, and normally walk the
socket's associations and notify them of new wmem space. The
reason for special casing is that otherwise, we could run
into the following issue when a sctp_primitive_SEND() call
from sctp_sendmsg() fails, and tries to flush an association's
outq, i.e. in the following way:

sctp_association_free()
`-&gt; list_del(&amp;asoc-&gt;asocs)         &lt;-- poisons list pointer
    asoc-&gt;base.dead = true
    sctp_outq_free(&amp;asoc-&gt;outqueue)
    `-&gt; __sctp_outq_teardown()
     `-&gt; sctp_chunk_free()
      `-&gt; consume_skb()
       `-&gt; sctp_wfree()
        `-&gt; sctp_wake_up_waiters() &lt;-- dereferences poisoned pointers
                                       if asoc-&gt;ep-&gt;sndbuf_policy=0

Therefore, only walk the list in an 'optimized' way if we find
that the current association is still active. We could also use
list_del_init() in addition when we call sctp_association_free(),
but as Vlad suggests, we want to trap such bugs and thus leave
it poisoned as is.

Why is it safe to resolve the issue by testing for asoc-&gt;base.dead?
Parallel calls to sctp_sendmsg() are protected under socket lock,
that is lock_sock()/release_sock(). Only within that path under
lock held, we're setting skb/chunk owner via sctp_set_owner_w().
Eventually, chunks are freed directly by an association still
under that lock. So when traversing association list on destruction
time from sctp_wake_up_waiters() via sctp_wfree(), a different
CPU can't be running sctp_wfree() while another one calls
sctp_association_free() as both happens under the same lock.
Therefore, this can also not race with setting/testing against
asoc-&gt;base.dead as we are guaranteed for this to happen in order,
under lock. Further, Vlad says: the times we check asoc-&gt;base.dead
is when we've cached an association pointer for later processing.
In between cache and processing, the association may have been
freed and is simply still around due to reference counts. We check
asoc-&gt;base.dead under a lock, so it should always be safe to check
and not race against sctp_association_free(). Stress-testing seems
fine now, too.

Fixes: cd253f9f357d ("net: sctp: wake up all assocs if sndbuf policy is per socket")
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Cc: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 1e1cdf8ac78793e0875465e98a648df64694a8d0 ]

In function sctp_wake_up_waiters(), we need to involve a test
if the association is declared dead. If so, we don't have any
reference to a possible sibling association anymore and need
to invoke sctp_write_space() instead, and normally walk the
socket's associations and notify them of new wmem space. The
reason for special casing is that otherwise, we could run
into the following issue when a sctp_primitive_SEND() call
from sctp_sendmsg() fails, and tries to flush an association's
outq, i.e. in the following way:

sctp_association_free()
`-&gt; list_del(&amp;asoc-&gt;asocs)         &lt;-- poisons list pointer
    asoc-&gt;base.dead = true
    sctp_outq_free(&amp;asoc-&gt;outqueue)
    `-&gt; __sctp_outq_teardown()
     `-&gt; sctp_chunk_free()
      `-&gt; consume_skb()
       `-&gt; sctp_wfree()
        `-&gt; sctp_wake_up_waiters() &lt;-- dereferences poisoned pointers
                                       if asoc-&gt;ep-&gt;sndbuf_policy=0

Therefore, only walk the list in an 'optimized' way if we find
that the current association is still active. We could also use
list_del_init() in addition when we call sctp_association_free(),
but as Vlad suggests, we want to trap such bugs and thus leave
it poisoned as is.

Why is it safe to resolve the issue by testing for asoc-&gt;base.dead?
Parallel calls to sctp_sendmsg() are protected under socket lock,
that is lock_sock()/release_sock(). Only within that path under
lock held, we're setting skb/chunk owner via sctp_set_owner_w().
Eventually, chunks are freed directly by an association still
under that lock. So when traversing association list on destruction
time from sctp_wake_up_waiters() via sctp_wfree(), a different
CPU can't be running sctp_wfree() while another one calls
sctp_association_free() as both happens under the same lock.
Therefore, this can also not race with setting/testing against
asoc-&gt;base.dead as we are guaranteed for this to happen in order,
under lock. Further, Vlad says: the times we check asoc-&gt;base.dead
is when we've cached an association pointer for later processing.
In between cache and processing, the association may have been
freed and is simply still around due to reference counts. We check
asoc-&gt;base.dead under a lock, so it should always be safe to check
and not race against sctp_association_free(). Stress-testing seems
fine now, too.

Fixes: cd253f9f357d ("net: sctp: wake up all assocs if sndbuf policy is per socket")
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Cc: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sctp: wake up all assocs if sndbuf policy is per socket</title>
<updated>2014-05-31T04:52:14+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2014-04-08T15:26:13+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=83bd973b675208476e2a29b159b68c6ef796b66d'/>
<id>83bd973b675208476e2a29b159b68c6ef796b66d</id>
<content type='text'>
[ Upstream commit 52c35befb69b005c3fc5afdaae3a5717ad013411 ]

SCTP charges chunks for wmem accounting via skb-&gt;truesize in
sctp_set_owner_w(), and sctp_wfree() respectively as the
reverse operation. If a sender runs out of wmem, it needs to
wait via sctp_wait_for_sndbuf(), and gets woken up by a call
to __sctp_write_space() mostly via sctp_wfree().

__sctp_write_space() is being called per association. Although
we assign sk-&gt;sk_write_space() to sctp_write_space(), which
is then being done per socket, it is only used if send space
is increased per socket option (SO_SNDBUF), as SOCK_USE_WRITE_QUEUE
is set and therefore not invoked in sock_wfree().

Commit 4c3a5bdae293 ("sctp: Don't charge for data in sndbuf
again when transmitting packet") fixed an issue where in case
sctp_packet_transmit() manages to queue up more than sndbuf
bytes, sctp_wait_for_sndbuf() will never be woken up again
unless it is interrupted by a signal. However, a still
remaining issue is that if net.sctp.sndbuf_policy=0, that is
accounting per socket, and one-to-many sockets are in use,
the reclaimed write space from sctp_wfree() is 'unfairly'
handed back on the server to the association that is the lucky
one to be woken up again via __sctp_write_space(), while
the remaining associations are never be woken up again
(unless by a signal).

The effect disappears with net.sctp.sndbuf_policy=1, that
is wmem accounting per association, as it guarantees a fair
share of wmem among associations.

Therefore, if we have reclaimed memory in case of per socket
accounting, wake all related associations to a socket in a
fair manner, that is, traverse the socket association list
starting from the current neighbour of the association and
issue a __sctp_write_space() to everyone until we end up
waking ourselves. This guarantees that no association is
preferred over another and even if more associations are
taken into the one-to-many session, all receivers will get
messages from the server and are not stalled forever on
high load. This setting still leaves the advantage of per
socket accounting in touch as an association can still use
up global limits if unused by others.

Fixes: 4eb701dfc618 ("[SCTP] Fix SCTP sendbuffer accouting.")
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Cc: Thomas Graf &lt;tgraf@suug.ch&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Cc: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit 52c35befb69b005c3fc5afdaae3a5717ad013411 ]

SCTP charges chunks for wmem accounting via skb-&gt;truesize in
sctp_set_owner_w(), and sctp_wfree() respectively as the
reverse operation. If a sender runs out of wmem, it needs to
wait via sctp_wait_for_sndbuf(), and gets woken up by a call
to __sctp_write_space() mostly via sctp_wfree().

__sctp_write_space() is being called per association. Although
we assign sk-&gt;sk_write_space() to sctp_write_space(), which
is then being done per socket, it is only used if send space
is increased per socket option (SO_SNDBUF), as SOCK_USE_WRITE_QUEUE
is set and therefore not invoked in sock_wfree().

Commit 4c3a5bdae293 ("sctp: Don't charge for data in sndbuf
again when transmitting packet") fixed an issue where in case
sctp_packet_transmit() manages to queue up more than sndbuf
bytes, sctp_wait_for_sndbuf() will never be woken up again
unless it is interrupted by a signal. However, a still
remaining issue is that if net.sctp.sndbuf_policy=0, that is
accounting per socket, and one-to-many sockets are in use,
the reclaimed write space from sctp_wfree() is 'unfairly'
handed back on the server to the association that is the lucky
one to be woken up again via __sctp_write_space(), while
the remaining associations are never be woken up again
(unless by a signal).

The effect disappears with net.sctp.sndbuf_policy=1, that
is wmem accounting per association, as it guarantees a fair
share of wmem among associations.

Therefore, if we have reclaimed memory in case of per socket
accounting, wake all related associations to a socket in a
fair manner, that is, traverse the socket association list
starting from the current neighbour of the association and
issue a __sctp_write_space() to everyone until we end up
waking ourselves. This guarantees that no association is
preferred over another and even if more associations are
taken into the one-to-many session, all receivers will get
messages from the server and are not stalled forever on
high load. This setting still leaves the advantage of per
socket accounting in touch as an association can still use
up global limits if unused by others.

Fixes: 4eb701dfc618 ("[SCTP] Fix SCTP sendbuffer accouting.")
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Cc: Thomas Graf &lt;tgraf@suug.ch&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Cc: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevic@redhat.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
<entry>
<title>net: sctp: fix skb leakage in COOKIE ECHO path of chunk-&gt;auth_chunk</title>
<updated>2014-04-14T13:42:15+00:00</updated>
<author>
<name>Daniel Borkmann</name>
<email>dborkman@redhat.com</email>
</author>
<published>2014-03-04T15:35:51+00:00</published>
<link rel='alternate' type='text/html' href='https://git.toradex.cn/cgit/linux-toradex.git/commit/?id=ec494e10043dc71f30b9f32a9db15a6c2a9ae051'/>
<id>ec494e10043dc71f30b9f32a9db15a6c2a9ae051</id>
<content type='text'>
[ Upstream commit c485658bae87faccd7aed540fd2ca3ab37992310 ]

While working on ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to
verify if we/peer is AUTH capable"), we noticed that there's a skb
memory leakage in the error path.

Running the same reproducer as in ec0223ec48a9 and by unconditionally
jumping to the error label (to simulate an error condition) in
sctp_sf_do_5_1D_ce() receive path lets kmemleak detector bark about
the unfreed chunk-&gt;auth_chunk skb clone:

Unreferenced object 0xffff8800b8f3a000 (size 256):
  comm "softirq", pid 0, jiffies 4294769856 (age 110.757s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    89 ab 75 5e d4 01 58 13 00 00 00 00 00 00 00 00  ..u^..X.........
  backtrace:
    [&lt;ffffffff816660be&gt;] kmemleak_alloc+0x4e/0xb0
    [&lt;ffffffff8119f328&gt;] kmem_cache_alloc+0xc8/0x210
    [&lt;ffffffff81566929&gt;] skb_clone+0x49/0xb0
    [&lt;ffffffffa0467459&gt;] sctp_endpoint_bh_rcv+0x1d9/0x230 [sctp]
    [&lt;ffffffffa046fdbc&gt;] sctp_inq_push+0x4c/0x70 [sctp]
    [&lt;ffffffffa047e8de&gt;] sctp_rcv+0x82e/0x9a0 [sctp]
    [&lt;ffffffff815abd38&gt;] ip_local_deliver_finish+0xa8/0x210
    [&lt;ffffffff815a64af&gt;] nf_reinject+0xbf/0x180
    [&lt;ffffffffa04b4762&gt;] nfqnl_recv_verdict+0x1d2/0x2b0 [nfnetlink_queue]
    [&lt;ffffffffa04aa40b&gt;] nfnetlink_rcv_msg+0x14b/0x250 [nfnetlink]
    [&lt;ffffffff815a3269&gt;] netlink_rcv_skb+0xa9/0xc0
    [&lt;ffffffffa04aa7cf&gt;] nfnetlink_rcv+0x23f/0x408 [nfnetlink]
    [&lt;ffffffff815a2bd8&gt;] netlink_unicast+0x168/0x250
    [&lt;ffffffff815a2fa1&gt;] netlink_sendmsg+0x2e1/0x3f0
    [&lt;ffffffff8155cc6b&gt;] sock_sendmsg+0x8b/0xc0
    [&lt;ffffffff8155d449&gt;] ___sys_sendmsg+0x369/0x380

What happens is that commit bbd0d59809f9 clones the skb containing
the AUTH chunk in sctp_endpoint_bh_rcv() when having the edge case
that an endpoint requires COOKIE-ECHO chunks to be authenticated:

  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------&gt;
  &lt;------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
  ------------------ AUTH; COOKIE-ECHO ----------------&gt;
  &lt;-------------------- COOKIE-ACK ---------------------

When we enter sctp_sf_do_5_1D_ce() and before we actually get to
the point where we process (and subsequently free) a non-NULL
chunk-&gt;auth_chunk, we could hit the "goto nomem_init" path from
an error condition and thus leave the cloned skb around w/o
freeing it.

The fix is to centrally free such clones in sctp_chunk_destroy()
handler that is invoked from sctp_chunk_free() after all refs have
dropped; and also move both kfree_skb(chunk-&gt;auth_chunk) there,
so that chunk-&gt;auth_chunk is either NULL (since sctp_chunkify()
allocs new chunks through kmem_cache_zalloc()) or non-NULL with
a valid skb pointer. chunk-&gt;skb and chunk-&gt;auth_chunk are the
only skbs in the sctp_chunk structure that need to be handeled.

While at it, we should use consume_skb() for both. It is the same
as dev_kfree_skb() but more appropriately named as we are not
a device but a protocol. Also, this effectively replaces the
kfree_skb() from both invocations into consume_skb(). Functions
are the same only that kfree_skb() assumes that the frame was
being dropped after a failure (e.g. for tools like drop monitor),
usage of consume_skb() seems more appropriate in function
sctp_chunk_destroy() though.

Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Cc: Vlad Yasevich &lt;yasevich@gmail.com&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</content>
<content type='xhtml'>
<div xmlns='http://www.w3.org/1999/xhtml'>
<pre>
[ Upstream commit c485658bae87faccd7aed540fd2ca3ab37992310 ]

While working on ec0223ec48a9 ("net: sctp: fix sctp_sf_do_5_1D_ce to
verify if we/peer is AUTH capable"), we noticed that there's a skb
memory leakage in the error path.

Running the same reproducer as in ec0223ec48a9 and by unconditionally
jumping to the error label (to simulate an error condition) in
sctp_sf_do_5_1D_ce() receive path lets kmemleak detector bark about
the unfreed chunk-&gt;auth_chunk skb clone:

Unreferenced object 0xffff8800b8f3a000 (size 256):
  comm "softirq", pid 0, jiffies 4294769856 (age 110.757s)
  hex dump (first 32 bytes):
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
    89 ab 75 5e d4 01 58 13 00 00 00 00 00 00 00 00  ..u^..X.........
  backtrace:
    [&lt;ffffffff816660be&gt;] kmemleak_alloc+0x4e/0xb0
    [&lt;ffffffff8119f328&gt;] kmem_cache_alloc+0xc8/0x210
    [&lt;ffffffff81566929&gt;] skb_clone+0x49/0xb0
    [&lt;ffffffffa0467459&gt;] sctp_endpoint_bh_rcv+0x1d9/0x230 [sctp]
    [&lt;ffffffffa046fdbc&gt;] sctp_inq_push+0x4c/0x70 [sctp]
    [&lt;ffffffffa047e8de&gt;] sctp_rcv+0x82e/0x9a0 [sctp]
    [&lt;ffffffff815abd38&gt;] ip_local_deliver_finish+0xa8/0x210
    [&lt;ffffffff815a64af&gt;] nf_reinject+0xbf/0x180
    [&lt;ffffffffa04b4762&gt;] nfqnl_recv_verdict+0x1d2/0x2b0 [nfnetlink_queue]
    [&lt;ffffffffa04aa40b&gt;] nfnetlink_rcv_msg+0x14b/0x250 [nfnetlink]
    [&lt;ffffffff815a3269&gt;] netlink_rcv_skb+0xa9/0xc0
    [&lt;ffffffffa04aa7cf&gt;] nfnetlink_rcv+0x23f/0x408 [nfnetlink]
    [&lt;ffffffff815a2bd8&gt;] netlink_unicast+0x168/0x250
    [&lt;ffffffff815a2fa1&gt;] netlink_sendmsg+0x2e1/0x3f0
    [&lt;ffffffff8155cc6b&gt;] sock_sendmsg+0x8b/0xc0
    [&lt;ffffffff8155d449&gt;] ___sys_sendmsg+0x369/0x380

What happens is that commit bbd0d59809f9 clones the skb containing
the AUTH chunk in sctp_endpoint_bh_rcv() when having the edge case
that an endpoint requires COOKIE-ECHO chunks to be authenticated:

  ---------- INIT[RANDOM; CHUNKS; HMAC-ALGO] ----------&gt;
  &lt;------- INIT-ACK[RANDOM; CHUNKS; HMAC-ALGO] ---------
  ------------------ AUTH; COOKIE-ECHO ----------------&gt;
  &lt;-------------------- COOKIE-ACK ---------------------

When we enter sctp_sf_do_5_1D_ce() and before we actually get to
the point where we process (and subsequently free) a non-NULL
chunk-&gt;auth_chunk, we could hit the "goto nomem_init" path from
an error condition and thus leave the cloned skb around w/o
freeing it.

The fix is to centrally free such clones in sctp_chunk_destroy()
handler that is invoked from sctp_chunk_free() after all refs have
dropped; and also move both kfree_skb(chunk-&gt;auth_chunk) there,
so that chunk-&gt;auth_chunk is either NULL (since sctp_chunkify()
allocs new chunks through kmem_cache_zalloc()) or non-NULL with
a valid skb pointer. chunk-&gt;skb and chunk-&gt;auth_chunk are the
only skbs in the sctp_chunk structure that need to be handeled.

While at it, we should use consume_skb() for both. It is the same
as dev_kfree_skb() but more appropriately named as we are not
a device but a protocol. Also, this effectively replaces the
kfree_skb() from both invocations into consume_skb(). Functions
are the same only that kfree_skb() assumes that the frame was
being dropped after a failure (e.g. for tools like drop monitor),
usage of consume_skb() seems more appropriate in function
sctp_chunk_destroy() though.

Fixes: bbd0d59809f9 ("[SCTP]: Implement the receive and verification of AUTH chunk")
Signed-off-by: Daniel Borkmann &lt;dborkman@redhat.com&gt;
Cc: Vlad Yasevich &lt;yasevich@gmail.com&gt;
Cc: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Acked-by: Vlad Yasevich &lt;vyasevich@gmail.com&gt;
Acked-by: Neil Horman &lt;nhorman@tuxdriver.com&gt;
Signed-off-by: David S. Miller &lt;davem@davemloft.net&gt;
Signed-off-by: Greg Kroah-Hartman &lt;gregkh@linuxfoundation.org&gt;
</pre>
</div>
</content>
</entry>
</feed>
