From patchwork Tue May 9 13:29:19 2017
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 760121
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1494336559.7796.78.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH v2 net] dccp/tcp: do not inherit mc_list from parent
From: Eric Dumazet
To: David Miller
Cc: netdev, Pray3r, Andrey Konovalov
Date: Tue, 09 May 2017 06:29:19 -0700
In-Reply-To: <1494332235.7796.70.camel@edumazet-glaptop3.roam.corp.google.com>
References: <1494332235.7796.70.camel@edumazet-glaptop3.roam.corp.google.com>
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

syzkaller found a way to trigger double frees from ip_mc_drop_socket()

It turns out that we leave a copy of parent mc_list at accept() time,
which is very bad.

Very similar to commit 8b485ce69876 ("tcp: do not inherit fastopen_req
from parent")

Initial report from Pray3r, completed by Andrey.
Thanks a lot to them !

Signed-off-by: Eric Dumazet
Reported-by: Pray3r
Reported-by: Andrey Konovalov
Tested-by: Andrey Konovalov
---
v2: fix moved into inet_csk_clone_lock() to fix both DCCP and TCP

 net/ipv4/inet_connection_sock.c | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c index 5e313c1ac94fc88eca5fe3a0e9e46e551e955ff0..1054d330bf9df3189a21dbb08e27c0e6ad136775 100644 --- a/net/ipv4/inet_connection_sock.c +++ b/net/ipv4/inet_connection_sock.c @@ -794,6 +794,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk, /* listeners have SOCK_RCU_FREE, not the children */ sock_reset_flag(newsk, SOCK_RCU_FREE); + inet_sk(newsk)->mc_list = NULL; + newsk->sk_mark = inet_rsk(req)->ir_mark; atomic64_set(&newsk->sk_cookie, atomic64_read(&inet_rsk(req)->ir_cookie));
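Review bot: the added `inet_sk(newsk)->mc_list = NULL;` carries no comment, unlike the `SOCK_RCU_FREE` reset directly above it; add one line stating why the pointer must not survive the clone, for example `/* mc_list belongs to the listener; a shared copy would be freed twice by ip_mc_drop_socket() */`, so a later reader does not assume the child may inherit it. Clearing it here in inet_csk_clone_lock(), right after the other listener-only state is reset and before `newsk->sk_mark` is set from the request, matches the v2 note and covers the DCCP path as well as TCP.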