linux/net/sctp
Or Cohen b166a20b07 net/sctp: fix race condition in sctp_destroy_sock
If sctp_destroy_sock is called without sock_net(sk)->sctp.addr_wq_lock
held and sp->do_auto_asconf is true, then an element is removed
from the auto_asconf_splist without any proper locking.

This can happen in the following functions:
1. In sctp_accept, if sctp_sock_migrate fails.
2. In inet_create or inet6_create, if there is a bpf program
   attached to BPF_CGROUP_INET_SOCK_CREATE which denies
   creation of the sctp socket.

The bug is fixed by acquiring addr_wq_lock in sctp_destroy_sock
instead of sctp_close.

This addresses CVE-2021-23133.

Reported-by: Or Cohen <orcohen@paloaltonetworks.com>
Reviewed-by: Xin Long <lucien.xin@gmail.com>
Fixes: 6102365876 ("bpf: Add new cgroup attach type to enable sock modifications")
Signed-off-by: Or Cohen <orcohen@paloaltonetworks.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2021-04-13 14:59:46 -07:00
associola.c
auth.c
bind_addr.c
chunk.c
debug.c
diag.c
endpointola.c
input.c
inqueue.c
ipv6.c net-ipv6: bugfix - raw & sctp - switch to ipv6_can_nonlocal_bind() 2021-04-05 12:56:52 -07:00
Kconfig
Makefile
objcnt.c
offload.c
output.c sctp: move sk_route_caps check and set into sctp_outq_flush_transports 2021-03-19 11:34:49 -07:00
outqueue.c sctp: move sk_route_caps check and set into sctp_outq_flush_transports 2021-03-19 11:34:49 -07:00
primitive.c
proc.c
protocol.c
sm_make_chunk.c
sm_sideeffect.c
sm_statefuns.c
sm_statetable.c
socket.c net/sctp: fix race condition in sctp_destroy_sock 2021-04-13 14:59:46 -07:00
stream_interleave.c
stream_sched_prio.c
stream_sched_rr.c
stream_sched.c
stream.c
sysctl.c
transport.c
tsnmap.c net: sctp: trivial: fix typo in comment 2021-03-04 13:48:32 -08:00
ulpevent.c
ulpqueue.c