diff options
author | Jakub Kicinski <kuba@kernel.org> | 2022-11-07 19:59:05 -0800 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2022-11-07 19:59:29 -0800 |
commit | 89bbe785b4d196cc3d00056adc58da8484a824a1 (patch) | |
tree | d6373d9144841d41e2288b5440adc01e4bd2fab9 | |
parent | tipc: fix the msg->req tlv len check in tipc_nl_compat_name_table_dump_header (diff) | |
parent | sctp: clear out_curr if all frag chunks of current msg are pruned (diff) | |
download | linux-dev-89bbe785b4d196cc3d00056adc58da8484a824a1.tar.xz linux-dev-89bbe785b4d196cc3d00056adc58da8484a824a1.zip |
Merge branch 'sctp-fix-a-null-pointer-dereference-in-sctp_sched_dequeue_common'
Xin Long says:
====================
sctp: fix a NULL pointer dereference in sctp_sched_dequeue_common
This issue was triggered with SCTP_PR_SCTP_PRIO in sctp,
and caused by not checking and fixing stream->out_curr
after removing a chunk from this stream.
Patch 1 removes an unnecessary check and makes the real
fix easier to add in Patch 2.
====================
Link: https://lore.kernel.org/r/cover.1667598261.git.lucien.xin@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
-rw-r--r-- | net/sctp/outqueue.c | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/net/sctp/outqueue.c b/net/sctp/outqueue.c index e213aaf45d67..20831079fb09 100644 --- a/net/sctp/outqueue.c +++ b/net/sctp/outqueue.c @@ -384,6 +384,7 @@ static int sctp_prsctp_prune_unsent(struct sctp_association *asoc, { struct sctp_outq *q = &asoc->outqueue; struct sctp_chunk *chk, *temp; + struct sctp_stream_out *sout; q->sched->unsched_all(&asoc->stream); @@ -398,12 +399,14 @@ static int sctp_prsctp_prune_unsent(struct sctp_association *asoc, sctp_sched_dequeue_common(q, chk); asoc->sent_cnt_removable--; asoc->abandoned_unsent[SCTP_PR_INDEX(PRIO)]++; - if (chk->sinfo.sinfo_stream < asoc->stream.outcnt) { - struct sctp_stream_out *streamout = - SCTP_SO(&asoc->stream, chk->sinfo.sinfo_stream); - streamout->ext->abandoned_unsent[SCTP_PR_INDEX(PRIO)]++; - } + sout = SCTP_SO(&asoc->stream, chk->sinfo.sinfo_stream); + sout->ext->abandoned_unsent[SCTP_PR_INDEX(PRIO)]++; + + /* clear out_curr if all frag chunks are pruned */ + if (asoc->stream.out_curr == sout && + list_is_last(&chk->frag_list, &chk->msg->chunks)) + asoc->stream.out_curr = NULL; msg_len -= chk->skb->truesize + sizeof(struct sctp_chunk); sctp_chunk_free(chk); |