In the Linux kernel, the following vulnerability has been resolved:
sctp: revalidate list cursor after sctp_sendmsg_to_asoc() in SCTP_SENDALL
The SCTP_SENDALL path in sctp_sendmsg() iterates ep->asocs with list_for_each_entry_safe(), which caches the next entry in @tmp before the loop body runs. The body calls sctp_sendmsg_to_asoc(), which may drop the socket lock inside sctp_wait_for_sndbuf().
While the lock is dropped, another thread can SCTP_SOCKOPT_PEELOFF the association cached in @tmp, migrating it to a new endpoint via sctp_sock_migrate() (list_del_init() + list_add_tail() to newep->asocs), and optionally close the new socket, which frees the association via kfree_rcu(). The cached @tmp can also be freed by a network ABORT for that association, processed in softirq while the lock is dropped.
sctp_wait_for_sndbuf() revalidates @asoc (the current entry) on re-lock via the "sk != asoc->base.sk" and "asoc->base.dead" checks, but nothing revalidates @tmp. After a successful return, the iterator advances to the stale @tmp, yielding either a use-after-free (if the peeled socket was closed) or a list-walk onto the new endpoint's list head (type confusion of &newep->asocs as a struct sctp_association *).
Both are reachable from CapEff=0; the type-confusion path gives a controlled indirect call via the outqueue.sched->init_sid pointer.
Fix by re-deriving @tmp from @asoc after sctp_sendmsg_to_asoc() returns. @asoc is known to still be on ep->asocs at that point: the only callers that list_del an association from ep->asocs are sctp_association_free() (which sets asoc->base.dead) and sctp_assoc_migrate() (which changes asoc->base.sk), and sctp_wait_for_sndbuf() checks both under the lock before any successful return; a tripped check propagates as err < 0 and the loop bails before the re-derive.
The SCTP_ABORT path in sctp_sendmsg_check_sflags() returns 0 and the loop hits 'continue' before sctp_sendmsg_to_asoc() is ever called, so the @tmp cached by list_for_each_entry_safe() still covers the lock-held free that ba59fb027307 ("sctp: walk the list of asoc safely") was added for.
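The interleaving described in the advisory above, as an added illustration that is not part of the commit or of the kernel tree: a user-space C model of the SCTP_SENDALL walk. The intrusive list helpers, the stand-in struct assoc, the three-entry ep->asocs list and the two racer callbacks are all constructed here and are simplifications, not the kernel's own definitions. Each racer acts, while the first body "sleeps", on the entry the iterator has already cached as @tmp: one models sctp_sock_migrate() after SCTP_SOCKOPT_PEELOFF, the other sctp_association_free() after a network ABORT. The same loop is run in its pre-fix shape (cached @tmp trusted after the body) and in its fixed shape (@tmp re-derived from @asoc).

```c
/* Added user-space model of the SCTP_SENDALL walk, not kernel code: the list
 * helpers, struct assoc and the racer callbacks are constructed stand-ins. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

struct list_head { struct list_head *next, *prev; };
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))
static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{ n->prev = h->prev; n->next = h; h->prev->next = n; h->prev = n; }
static void list_del_init(struct list_head *n)
{ n->prev->next = n->next; n->next->prev = n->prev; INIT_LIST_HEAD(n); }

/* Stand-in for struct sctp_association: ep->asocs link, id, asoc->base.dead. */
struct assoc { struct list_head asocs; int id; bool dead; };
#define NASSOC 3
#define MAX_STEPS 8
enum { WALK_TYPE_CONFUSION = -1 };
static struct assoc pool[NASSOC];
static struct list_head ep_asocs;    /* the sending socket's ep->asocs */
static struct list_head newep_asocs; /* newep->asocs created by peeloff */
static int last_seen[MAX_STEPS];     /* ids visited by the last walk */

/* container_of(@pos) is an association only if @pos links a live pool entry;
 * landing on a list head or a freed node is the bug's type confusion / UAF. */
static struct assoc *live_assoc(struct list_head *pos)
{
	struct assoc *a = container_of(pos, struct assoc, asocs);
	for (int i = 0; i < NASSOC; i++)
		if (a == &pool[i] && !a->dead)
			return a;
	return NULL;
}

/* What another thread or softirq does while sctp_wait_for_sndbuf() has dropped
 * the socket lock inside the body for @cur. Both racers act on the association
 * after the first one, which is exactly the @tmp cached for the first body. */
typedef void (*racer_fn)(struct assoc *cur);
static void race_none(struct assoc *cur) { (void)cur; }
/* SCTP_SOCKOPT_PEELOFF: sctp_sock_migrate() re-links it onto newep->asocs. */
static void race_peeloff(struct assoc *cur)
{
	if (cur->id != 1) return;
	list_del_init(&pool[1].asocs);
	list_add_tail(&pool[1].asocs, &newep_asocs);
}
/* Network ABORT: sctp_association_free() unlinks it and sets base.dead; the
 * kfree_rcu() that follows is modelled by poisoning the links, not freeing. */
static void race_abort(struct assoc *cur)
{
	if (cur->id != 1) return;
	list_del_init(&pool[1].asocs);
	pool[1].dead = true;
	pool[1].asocs.next = pool[1].asocs.prev = NULL;
}

/* The SCTP_SENDALL loop. revalidate=false is the pre-fix shape: @tmp is cached
 * before the body and trusted after it. revalidate=true is the fix: a body
 * that returned success means @asoc is still on ep->asocs, so re-derive @tmp. */
static int sendall_walk(bool revalidate, racer_fn race, int *seen)
{
	struct list_head *pos, *tmp;
	int n = 0;
	for (pos = ep_asocs.next, tmp = pos->next;
	     pos != &ep_asocs && n < MAX_STEPS;
	     pos = tmp, tmp = pos->next) {
		struct assoc *asoc = live_assoc(pos);
		if (!asoc)
			return WALK_TYPE_CONFUSION;
		seen[n++] = asoc->id;
		race(asoc); /* the body: sctp_sendmsg_to_asoc() drops the lock here */
		if (revalidate)
			tmp = asoc->asocs.next;
	}
	return n;
}

/* Fresh three-entry ep->asocs, then one walk. Visited ids land in last_seen. */
static int run(bool revalidate, racer_fn race)
{
	INIT_LIST_HEAD(&ep_asocs);
	INIT_LIST_HEAD(&newep_asocs);
	for (int i = 0; i < NASSOC; i++) {
		pool[i].id = i + 1;
		pool[i].dead = false;
		list_add_tail(&pool[i].asocs, &ep_asocs);
	}
	memset(last_seen, 0, sizeof last_seen);
	return sendall_walk(revalidate, race, last_seen);
}

int main(void)
{
	printf("cached @tmp, peeloff race:     %d\n", run(false, race_peeloff));
	printf("re-derived @tmp, peeloff race: %d\n", run(true, race_peeloff));
	return 0;
}
```

With the pre-fix loop and the peel-off racer, the walk visits entry 1, then the migrated entry 2 (now on newep_asocs), and then advances to &newep_asocs itself, which is where the kernel would treat a list head as a struct sctp_association; live_assoc() reports that instead of crashing. With the abort racer, the pre-fix walk steps onto the unlinked, "freed" entry. The fixed loop re-reads the successor of @asoc after the body in both cases and visits entries 1 and 3 only, which is the behaviour the commit relies on: @asoc is still on ep->asocs whenever the body returned success, so its next pointer is trustworthy while the cached one is not.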
{
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/46xxx/CVE-2026-46227.json",
"cna_assigner": "Linux"
}