sctp: hold transport instead of assoc in sctp_diag
In sctp_transport_lookup_process(), commit 1cceda7849
("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock") moved cb() out of the rcu lock, but it put the transport and held the assoc instead, ignoring that cb() still uses the transport. This may cause a use-after-free issue. This patch holds the transport instead of the assoc there. Fixes: 1cceda7849
("sctp: fix the issue sctp_diag uses lock_sock in rcu_read_lock") Signed-off-by: Xin Long <lucien.xin@gmail.com> Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com> Signed-off-by: David S. Miller <davem@davemloft.net>
Родитель
87557efc27
Коммит
cd26da4ff4
|
@ -4480,12 +4480,9 @@ int sctp_transport_lookup_process(int (*cb)(struct sctp_transport *, void *),
|
||||||
if (!transport || !sctp_transport_hold(transport))
|
if (!transport || !sctp_transport_hold(transport))
|
||||||
goto out;
|
goto out;
|
||||||
|
|
||||||
sctp_association_hold(transport->asoc);
|
|
||||||
sctp_transport_put(transport);
|
|
||||||
|
|
||||||
rcu_read_unlock();
|
rcu_read_unlock();
|
||||||
err = cb(transport, p);
|
err = cb(transport, p);
|
||||||
sctp_association_put(transport->asoc);
|
sctp_transport_put(transport);
|
||||||
|
|
||||||
out:
|
out:
|
||||||
return err;
|
return err;
|
||||||
|
|
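Review bot: The `cb(transport, p)` call now runs outside the RCU read section with only a transport reference held, and nothing at the call site records what the callback may rely on. A comment above the call would make the contract explicit, for example `/* cb() runs after rcu_read_unlock(); the transport ref taken above keeps transport valid until the put below */`. Because the association hold is removed here, this hunk does not show whether the transport reference alone keeps `transport->asoc` and its socket usable inside cb(), so callbacks that dereference `transport->asoc` should be checked against the transport's release path. The body of sctp_transport_lookup_process() starts and ends outside the hunk.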