| Message ID | 20170301193508.25760-1-acme@kernel.org |
|---|---|
| State | Accepted, archived |
| Delegated to: | David Miller |
From: Arnaldo Carvalho de Melo <acme@kernel.org>
Date: Wed, 1 Mar 2017 16:35:07 -0300

> From: Arnaldo Carvalho de Melo <acme@redhat.com>
>
> The code where sk_clone() came from created a new socket and locked it,
> but then, on the error path, didn't unlock it.
>
> This problem stayed there for a long while, till b0691c8ee7c2 ("net:
> Unlock sock before calling sk_free()") fixed it, but unfortunately the
> callers of sk_clone() (now sk_clone_locked()) were not audited and the
> one in dccp_create_openreq_child() remained.
>
> Now in the age of the syzkaller fuzzer, this was finally uncovered, as
> reported by Dmitry:
>
> ...
>
> Fix it just like it was done by b0691c8ee7c2 ("net: Unlock sock before
> calling sk_free()").
>
> Reported-by: Dmitry Vyukov <dvyukov@google.com>
> Cc: Cong Wang <xiyou.wangcong@gmail.com>
> Cc: Eric Dumazet <edumazet@google.com>
> Cc: Gerrit Renker <gerrit@erg.abdn.ac.uk>
> Cc: Thomas Gleixner <tglx@linutronix.de>
> Link: http://lkml.kernel.org/r/20170301153510.GE15145@kernel.org
> Signed-off-by: Arnaldo Carvalho de Melo <acme@redhat.com>

Applied and queued up for -stable.
diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c index 53eddf99e4f6..d20d948a98ed 100644 --- a/net/dccp/minisocks.c +++ b/net/dccp/minisocks.c @@ -122,6 +122,7 @@ struct sock *dccp_create_openreq_child(const struct sock *sk, /* It is still raw copy of parent, so invalidate * destructor and make plain sk_free() */ newsk->sk_destruct = NULL; + bh_unlock_sock(newsk); sk_free(newsk); return NULL; }
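Review bot: the comment above the new `bh_unlock_sock(newsk);` still only explains why `sk_destruct` is cleared; since the child socket comes back locked, as the changelog explains, extend it to say the lock must be released before `sk_free(newsk)` so a later reader of this error path does not drop the call as redundant. The ordering itself is right: the unlock has to precede `sk_free()`, which may release the socket memory, and it mirrors what b0691c8ee7c2 did at the other call site. A Fixes: tag in the changelog would also help the -stable backport the reply mentions.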