Arnaldo Carvalho de Melo
Mar 1, 2017, 10:35:16 AM
to Dmitry Vyukov, Gerrit Renker, David Miller, dc...@vger.kernel.org, netdev, LKML, Eric Dumazet, Cong Wang, syzkaller
On Wed, Mar 01, 2017 at 10:38:54AM +0100, Dmitry Vyukov wrote:
> Hello,
>
> I've got the following report while running syzkaller fuzzer on
> 86292b33d4b79ee03e2f43ea0381ef85f077c760:
>
>
> It seems that dccp_create_openreq_child needs to unlock the sock if
> dccp_feat_activate_values fails.
Yeah, can you please use the patch below, that mimics the error paths in
sk_clone_new(), from where I think even the comment about it being a raw
copy came, but the bh_unlock_sock() didn't?
- Arnaldo
diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index 53eddf99e4f6..d20d948a98ed 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -122,6 +122,7 @@ struct sock *dccp_create_openreq_child(const struct sock *sk,
/* It is still raw copy of parent, so invalidate
* destructor and make plain sk_free() */
newsk->sk_destruct = NULL;
+ bh_unlock_sock(newsk);
sk_free(newsk);
return NULL;
}
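Review bot: The comment above the added bh_unlock_sock(newsk) line still explains only the sk_destruct = NULL and sk_free() pair, so nothing in this error path records why the unlock is needed. Extend the comment to say that newsk is still locked here and has to be unlocked before sk_free(). The hunk touches a single exit, so it is also worth confirming that no other failure path in dccp_create_openreq_child() returns with newsk still locked. As posted, the patch has no changelog or Signed-off-by; a formal submission should carry both, plus a Reported-by for the syzkaller report quoted above.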