linux/net
Xin Long af98c5a785 sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate
In sctp_stream_init(), after sctp_stream_outq_migrate() freed the
surplus streams' ext, but sctp_stream_alloc_out() returns -ENOMEM,
stream->outcnt will not be set to 'outcnt'.

With the bigger value on stream->outcnt, when closing the assoc and
freeing its streams, the ext of those surplus streams will be freed
again since those stream exts were not set to NULL after freeing in
sctp_stream_outq_migrate(). Then the invalid-free issue reported by
syzbot would be triggered.

We fix it by simply setting them to NULL after freeing.

Fixes: 5bbbbe32a4 ("sctp: introduce stream scheduler foundations")
Reported-by: syzbot+58e480e7b28f2d890bfd@syzkaller.appspotmail.com
Signed-off-by: Xin Long <lucien.xin@gmail.com>
Acked-by: Neil Horman <nhorman@tuxdriver.com>
Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2019-02-13 19:33:44 -05:00
6lowpan
9p
802
8021q
appletalk
atm
ax25 ax25: fix possible use-after-free 2019-01-23 11:18:00 -08:00
batman-adv batman-adv: fix uninit-value in batadv_interface_tx() 2019-02-12 13:30:43 -05:00
bluetooth
bpf
bpfilter net: bpfilter: change section name of bpfilter UMH blob. 2019-01-16 15:46:46 -08:00
bridge Merge git://git.kernel.org/pub/scm/linux/kernel/git/pablo/nf 2019-01-28 10:51:51 -08:00
caif
can can: bcm: check timer values before ktime conversion 2019-01-22 11:33:46 +01:00
ceph libceph: avoid KEEPALIVE_PENDING races in ceph_con_keepalive() 2019-01-21 14:53:12 +01:00
core Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf 2019-02-01 15:28:07 -08:00
dcb
dccp dccp: fool proof ccid_hc_[rt]x_parse_options() 2019-02-01 14:49:10 -08:00
decnet decnet: fix DN_IFREQ_SIZE 2019-01-27 23:11:55 -08:00
dns_resolver
dsa net: dsa: Fix NULL checking in dsa_slave_set_eee() 2019-02-06 13:42:54 -08:00
ethernet
hsr
ieee802154
ife
ipv4 inet_diag: fix reporting cgroup classid and fallback to priority 2019-02-12 13:35:57 -05:00
ipv6 ipv6: propagate genlmsg_reply return code 2019-02-12 12:36:02 -05:00
iucv
kcm
key
l2tp l2tp: copy 4 more bytes to linear part if necessary 2019-01-31 08:58:46 -08:00
l3mdev
lapb
llc
mac80211 mac80211: Fix Tx aggregation session tear down with ITXQs 2019-02-11 15:50:56 +01:00
mac802154
mpls
ncsi
netfilter netfilter: nft_compat: use-after-free when deleting targets 2019-02-13 18:14:54 +01:00
netlabel
netlink
netrom netrom: switch to sock timer API 2019-01-27 10:38:04 -08:00
nfc
nsh
openvswitch openvswitch: Avoid OOB read when parsing flow nlattrs 2019-01-16 13:35:21 -08:00
packet net/packet: fix 4gb buffer limit due to overflow check 2019-02-12 13:37:23 -05:00
phonet
psample
qrtr
rds rds: fix refcount bug in rds_sock_addref 2019-01-31 09:43:27 -08:00
rfkill
rose net/rose: fix NULL ax25_cb kernel panic 2019-01-27 10:40:01 -08:00
rxrpc rxrpc: bad unlock balance in rxrpc_recvmsg 2019-02-06 10:54:07 -08:00
sched net_sched: fix two more memory leaks in cls_tcindex 2019-02-12 14:10:56 -05:00
sctp sctp: set stream ext to NULL after freeing it in sctp_stream_outq_migrate 2019-02-13 19:33:44 -05:00
smc net/smc: fix byte_order for rx_curs_confirmed 2019-02-08 22:33:25 -08:00
strparser
sunrpc svcrdma: Remove max_sge check at connect time 2019-02-06 15:32:34 -05:00
switchdev
tipc tipc: fix link session and re-establish issues 2019-02-11 21:26:20 -08:00
tls net: tls: Fix deadlock in free_resources tx 2019-01-28 23:07:08 -08:00
unix
vmw_vsock vsock: cope with memory allocation failure at socket creation time 2019-02-08 22:32:05 -08:00
wimax
wireless cfg80211: prevent speculation on cfg80211_classify8021d() return 2019-02-11 15:50:56 +01:00
x25 net/x25: do not hold the cpu too long in x25_new_lci() 2019-02-11 13:20:14 -08:00
xdp xsk: Check if a queue exists during umem setup 2019-01-15 20:51:57 +01:00
xfrm xfrm: Make set-mark default behavior backward compatible 2019-01-16 13:10:55 +01:00
compat.c
Kconfig
Makefile
socket.c net: socket: make bond ioctls go through compat_ifreq_ioctl() 2019-01-30 10:19:31 -08:00
sysctl_net.c