From: Xin Long <lucien.xin@gmail.com>

Subject: sctp: change sctp_prot .no_autobind with true

Patch-mainline: v5.4-rc4

Git-commit: 63dfb7938b13fa2c2fbcb45f34d065769eb09414

References: networking-stable-19_10_24 bsc#1158082

syzbot reported a memory leak:

  BUG: memory leak, unreferenced object 0xffff888120b3d380 (size 64):

  backtrace:

    [...] slab_alloc mm/slab.c:3319 [inline]

    [...] kmem_cache_alloc+0x13f/0x2c0 mm/slab.c:3483

    [...] sctp_bucket_create net/sctp/socket.c:8523 [inline]

    [...] sctp_get_port_local+0x189/0x5a0 net/sctp/socket.c:8270

    [...] sctp_do_bind+0xcc/0x200 net/sctp/socket.c:402

    [...] sctp_bindx_add+0x4b/0xd0 net/sctp/socket.c:497

    [...] sctp_setsockopt_bindx+0x156/0x1b0 net/sctp/socket.c:1022

    [...] sctp_setsockopt net/sctp/socket.c:4641 [inline]

    [...] sctp_setsockopt+0xaea/0x2dc0 net/sctp/socket.c:4611

    [...] sock_common_setsockopt+0x38/0x50 net/core/sock.c:3147

    [...] __sys_setsockopt+0x10f/0x220 net/socket.c:2084

    [...] __do_sys_setsockopt net/socket.c:2100 [inline]

It was caused by when sending msgs without binding a port, in the path:

inet_sendmsg() -> inet_send_prepare() -> inet_autobind() ->

.get_port/sctp_get_port(), sp->bind_hash will be set while bp->port is

not. Later when binding another port by sctp_setsockopt_bindx(), a new

bucket will be created as bp->port is not set.

sctp's autobind is supposed to call sctp_autobind() where it does all

things including setting bp->port. Since sctp_autobind() is called in

sctp_sendmsg() if the sk is not yet bound, it should have skipped the

auto bind.

THis patch is to avoid calling inet_autobind() in inet_send_prepare()

by changing sctp_prot .no_autobind with true, also remove the unused

.get_port.

Reported-by: syzbot+d44f7bbebdea49dbc84a@syzkaller.appspotmail.com

Signed-off-by: Xin Long <lucien.xin@gmail.com>

Acked-by: Marcelo Ricardo Leitner <marcelo.leitner@gmail.com>

Signed-off-by: David S. Miller <davem@davemloft.net>

Signed-off-by: Jiri Slaby <jslaby@suse.cz>

Signed-off-by: Michal Kubecek <mkubecek@suse.cz>

SLE15: we need to check no_autobind socket flag in inet_dgram_connect() as,

unlike in mainline, SCTP still uses this function.

---

 net/ipv4/af_inet.c | 3 ++-

 net/sctp/socket.c  | 4 ++--

 2 files changed, 4 insertions(+), 3 deletions(-)

--- a/net/ipv4/af_inet.c

+++ b/net/ipv4/af_inet.c

@@ -535,7 +535,8 @@ int inet_dgram_connect(struct socket *sock, struct sockaddr *uaddr,

 	if (uaddr->sa_family == AF_UNSPEC)

 		return sk->sk_prot->disconnect(sk, flags);

-	if (!inet_sk(sk)->inet_num && inet_autobind(sk))

+	if (!inet_sk(sk)->inet_num && !sk->sk_prot->no_autobind &&

+	    inet_autobind(sk))

 		return -EAGAIN;

 	return sk->sk_prot->connect(sk, uaddr, addr_len);

 }

--- a/net/sctp/socket.c

+++ b/net/sctp/socket.c

@@ -8240,7 +8240,7 @@ struct proto sctp_prot = {

 	.backlog_rcv =	sctp_backlog_rcv,

 	.hash        =	sctp_hash,

 	.unhash      =	sctp_unhash,

-	.get_port    =	sctp_get_port,

+	.no_autobind =	true,

 	.obj_size    =  sizeof(struct sctp_sock),

 	.sysctl_mem  =  sysctl_sctp_mem,

 	.sysctl_rmem =  sysctl_sctp_rmem,

@@ -8279,7 +8279,7 @@ struct proto sctpv6_prot = {

 	.backlog_rcv	= sctp_backlog_rcv,

 	.hash		= sctp_hash,

 	.unhash		= sctp_unhash,

-	.get_port	= sctp_get_port,

+	.no_autobind	= true,

 	.obj_size	= sizeof(struct sctp6_sock),

 	.sysctl_mem	= sysctl_sctp_mem,

 	.sysctl_rmem	= sysctl_sctp_rmem,