| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CADvbK_d92g+ZxyyB1QECp=ONxzsgJn-FD1HXz1NAzRGYMG-Kxw@mail.gmail.com>
Date: Fri, 24 Oct 2025 09:47:27 -0400
From: Xin Long <lucien.xin@...il.com>
To: Kuniyuki Iwashima <kuniyu@...gle.com>
Cc: Marcelo Ricardo Leitner <marcelo.leitner@...il.com>, "David S. Miller" <davem@...emloft.net>,
Eric Dumazet <edumazet@...gle.com>, Jakub Kicinski <kuba@...nel.org>, Paolo Abeni <pabeni@...hat.com>,
Simon Horman <horms@...nel.org>, Kuniyuki Iwashima <kuni1840@...il.com>, netdev@...r.kernel.org,
linux-sctp@...r.kernel.org
Subject: Re: [PATCH v3 net-next 1/8] sctp: Defer SCTP_DBG_OBJCNT_DEC() to sctp_destroy_sock().
On Thu, Oct 23, 2025 at 7:17 PM Kuniyuki Iwashima <kuniyu@...gle.com> wrote:
>
> SCTP_DBG_OBJCNT_INC() is called only when sctp_init_sock()
> returns 0 after successfully allocating sctp_sk(sk)->ep.
>
> OTOH, SCTP_DBG_OBJCNT_DEC() is called in sctp_close().
>
> The code seems to expect that the socket is always exposed
> to userspace once SCTP_DBG_OBJCNT_INC() is incremented, but
> there is a path where the assumption is not true.
>
> In sctp_accept(), sctp_sock_migrate() could fail after
> sctp_init_sock().
>
> Then, sk_common_release() does not call inet_release() nor
> sctp_close(). Instead, it calls sk->sk_prot->destroy().
>
> Let's move SCTP_DBG_OBJCNT_DEC() from sctp_close() to
> sctp_destroy_sock().
>
> Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
> Signed-off-by: Kuniyuki Iwashima <kuniyu@...gle.com>
Acked-by: Xin Long <lucien.xin@...il.com>
Powered by blists - more mailing lists