From: Arnaldo Carvalho de Melo <[email protected]>
Date: Wed, 1 Mar 2017 16:35:07 -0300

> From: Arnaldo Carvalho de Melo <[email protected]>
>
> The code where sk_clone() came from created a new socket and locked it,
> but then, on the error path didn't unlock it.
>
> This problem stayed there for a long while, till b0691c8ee7c2 ("net:
> Unlock sock before calling sk_free()") fixed it, but unfortunately the
> callers of sk_clone() (now sk_clone_locked()) were not audited and the
> one in dccp_create_openreq_child() remained.
>
> Now in the age of the syzkaller fuzzer, this was finally uncovered, as
> reported by Dmitry:
...
> Fix it just like was done by b0691c8ee7c2 ("net: Unlock sock before calling
> sk_free()").
>
> Reported-by: Dmitry Vyukov <[email protected]>
> Cc: Cong Wang <[email protected]>
> Cc: Eric Dumazet <[email protected]>
> Cc: Gerrit Renker <[email protected]>
> Cc: Thomas Gleixner <[email protected]>
> Link: http://lkml.kernel.org/r/[email protected]
> Signed-off-by: Arnaldo Carvalho de Melo <[email protected]>

Applied and queued up for -stable.
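As an added illustration of the lock-leak pattern the commit message describes (this is a user-space model written for this page, not the kernel's code and not part of the thread): the clone helper, like sk_clone_lock(), hands back the new sock already locked, and the free helper refuses a still-locked sock, so the missing unlock on the old error path shows up as -EBUSY instead of silently leaving a locked sock behind. All model_* names and the locked flag are assumptions of the model.

```c
#include <errno.h>
#include <stdlib.h>

/* User-space model of the pattern in the commit message, not kernel code:
 * the sock returned by the clone helper is already locked, so the error
 * path must unlock it before freeing it. */
struct model_sock {
    int locked;   /* stands in for the sock's bh lock */
};

/* Model of sk_clone_lock(): the new sock comes back with its lock held. */
static struct model_sock *model_sk_clone_lock(void)
{
    struct model_sock *sk = calloc(1, sizeof(*sk));
    if (sk)
        sk->locked = 1;
    return sk;
}

static void model_bh_unlock_sock(struct model_sock *sk)
{
    sk->locked = 0;
}

/* Model of sk_free(): a sock whose lock is still held is refused, which is
 * how the leaked lock becomes observable in this model. */
static int model_sk_free(struct model_sock *sk)
{
    if (sk->locked)
        return -EBUSY;   /* caller forgot to unlock before freeing */
    free(sk);
    return 0;
}

/* Model of the dccp_create_openreq_child() error path. feat_ok mirrors
 * whether feature activation succeeded; unlock_first selects the fixed
 * behaviour (unlock before sk_free()) over the old, buggy one. */
static int model_openreq_child(int feat_ok, int unlock_first)
{
    struct model_sock *newsk = model_sk_clone_lock();
    if (!newsk)
        return -ENOMEM;
    if (!feat_ok) {
        if (unlock_first)
            model_bh_unlock_sock(newsk);   /* the one-line fix */
        return model_sk_free(newsk);       /* -EBUSY on the old path */
    }
    model_bh_unlock_sock(newsk);   /* success path: lock released normally */
    return model_sk_free(newsk);
}
```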
