sctp: hold transport instead of assoc in sctp_diag

In sctp_transport_lookup_process(), commit 1cceda7849 ("sctp: fix
the issue sctp_diag uses lock_sock in rcu_read_lock") moved cb() out
of the rcu lock, but it put transport and held assoc instead, and ignored
that cb() still uses transport. It may cause a use-after-free issue.

This patch is to hold transport instead of assoc there.

Fixes: 1cceda7849 ("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock")
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Xin Long 2016-10-31 20:32:31 +08:00, committed by David S. Miller
Parent 87557efc27
Commit cd26da4ff4
1 changed file: 1 addition and 4 deletions

@ -4480,12 +4480,9 @@ int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *),
if (!transport || !sctp_transport_hold(transport)) if (!transport || !sctp_transport_hold(transport))
goto out; goto out;
sctp_association_hold(transport->asoc);
sctp_transport_put(transport);
rcu_read_unlock(); rcu_read_unlock();
err = cb(transport, p); err = cb(transport, p);
sctp_association_put(transport->asoc); sctp_transport_put(transport);
out: out:
return err; return err;
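
Review bot: the failure branch `if (!transport || !sctp_transport_hold(transport)) goto out;` jumps over `rcu_read_unlock()`, and `out:` only does `return err;`, so if the RCU read lock is taken just above this hunk (the commit message says cb() was moved out of the rcu lock), that path returns with the read-side critical section still open. Suggest calling rcu_read_unlock() before the goto, or restructuring so both paths pass through the unlock. The reference handling itself reads correctly: the transport reference taken by sctp_transport_hold() now spans `cb(transport, p)` and is dropped by `sctp_transport_put(transport)` only afterwards. A one-line comment above the cb() call stating that the transport, not the association, is what must stay pinned would help keep this from regressing.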