From: Arnaldo Carvalho de Melo <a...@kernel.org>
Date: Wed, 1 Mar 2017 16:35:07 -0300

> From: Arnaldo Carvalho de Melo <a...@redhat.com>
>
> The code where sk_clone() came from created a new socket and locked it,
> but then, on the error path, didn't unlock it.
>
> This problem stayed there for a long while, till b0691c8ee7c2 ("net:
> Unlock sock before calling sk_free()") fixed it, but unfortunately the
> callers of sk_clone() (now sk_clone_locked()) were not audited and the
> one in dccp_create_openreq_child() remained.
>
> Now in the age of the syzkaller fuzzer, this was finally uncovered, as
> reported by Dmitry:
>
> ...
>
> Fix it just like was done by b0691c8ee7c2 ("net: Unlock sock before calling
> sk_free()").
>
> Reported-by: Dmitry Vyukov <dvyu...@google.com>
> Cc: Cong Wang <xiyou.wangc...@gmail.com>
> Cc: Eric Dumazet <eduma...@google.com>
> Cc: Gerrit Renker <ger...@erg.abdn.ac.uk>
> Cc: Thomas Gleixner <t...@linutronix.de>
> Link: http://lkml.kernel.org/r/20170301153510.ge15...@kernel.org
> Signed-off-by: Arnaldo Carvalho de Melo <a...@redhat.com>

Applied and queued up for -stable.
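A constructed user-space model of the locking contract the commit message describes, added here as an illustration; it is not kernel code and not the patch itself. The function names mirror the kernel's (sk_clone_lock, bh_unlock_sock, sk_free) but are stand-ins, and the "lock debugging" counter is an assumption standing in for the kernel's own checks.

```c
/* Constructed model of the sk_clone_lock() contract: the clone is returned
 * locked, so every caller path, including error paths, must unlock it
 * before sk_free(). Not kernel code. */
#include <stdio.h>
#include <stdlib.h>

struct sock { int locked; };

static int freed_while_locked;   /* stand-in for kernel lock debugging */

/* Model of sk_clone_lock(): the new socket comes back locked. */
static struct sock *sk_clone_lock(void) {
    struct sock *sk = calloc(1, sizeof *sk);
    if (sk) sk->locked = 1;
    return sk;
}

static void bh_unlock_sock(struct sock *sk) { sk->locked = 0; }

/* Model of sk_free(): record the defect the patch fixes, a socket freed
 * while its lock is still held. */
static void sk_free(struct sock *sk) {
    if (sk->locked) freed_while_locked++;
    free(sk);
}

/* Error path as it was before the fix: the clone is freed still locked. */
static struct sock *create_child_buggy(int init_fails) {
    struct sock *newsk = sk_clone_lock();
    if (newsk && init_fails) { sk_free(newsk); return NULL; }
    return newsk;
}

/* Error path as fixed, mirroring b0691c8ee7c2: unlock, then free. */
static struct sock *create_child_fixed(int init_fails) {
    struct sock *newsk = sk_clone_lock();
    if (newsk && init_fails) { bh_unlock_sock(newsk); sk_free(newsk); return NULL; }
    return newsk;
}

/* Drive one variant down its error path; return lock-leak count (0 is clean). */
static int count_lock_leaks(struct sock *(*path)(int)) {
    freed_while_locked = 0;
    struct sock *sk = path(1);           /* force the error path */
    if (sk) { bh_unlock_sock(sk); sk_free(sk); }
    return freed_while_locked;
}

int main(void) {
    printf("buggy path leaks: %d\n", count_lock_leaks(create_child_buggy));
    printf("fixed path leaks: %d\n", count_lock_leaks(create_child_fixed));
    return 0;
}
```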