From: Eric Dumazet <eric.duma...@gmail.com> Date: Wed, 16 Aug 2017 07:03:15 -0700
> From: Eric Dumazet <eduma...@google.com>
>
> syzkaller team reported another problem in DCCP [1]
>
> Problem here is that the structure holding RTO timer
> (ccid2_hc_tx_rto_expire() handler) is freed too soon.
>
> We cannot use del_timer_sync() to cancel the timer
> since this timer wants to grab socket lock (that would risk a deadlock)
>
> Solution is to defer the freeing of memory when all references to
> the socket were released. Socket timers do own a reference, so this
> should fix the issue.
>
> [1]
> ==================================================================
> BUG: KASAN: use-after-free in ccid2_hc_tx_rto_expire+0x51c/0x5c0
> net/dccp/ccids/ccid2.c:144
> ...
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Dmitry Vyukov <dvyu...@google.com>

Applied and queued up for -stable, thanks.
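The ownership rule the fix relies on (a pending socket timer holds its own reference, so the memory is released only when the last reference is dropped, never while the handler can still run) modelled as an added, single-threaded C example. This is constructed illustration code, not the kernel's DCCP or timer implementation; `sock`, `rto_timer`, `sock_hold`/`sock_put` and the two `freed_*` scenario functions are assumed names, and the plain-int refcount stands in for the kernel's atomic one.

```c
#include <stdlib.h>

/* Constructed model: counts objects actually freed, so a test can observe
 * whether freeing happened at close time or was deferred to the last put. */
static int freed_socks;

struct sock { int refcnt; int rto_pending; };
struct rto_timer { struct sock *sk; int armed; };

struct sock *sock_alloc(void) {
    struct sock *sk = calloc(1, sizeof *sk);
    if (sk) sk->refcnt = 1;           /* the owner's reference */
    return sk;
}
void sock_hold(struct sock *sk) { sk->refcnt++; }
/* The object is freed only when the last reference goes away. */
void sock_put(struct sock *sk) {
    if (--sk->refcnt == 0) { free(sk); freed_socks++; }
}
/* Arming takes a reference: the handler may run after the owner closes,
 * and (as the mail notes) it cannot be cancelled synchronously because it
 * takes the socket lock, so the reference is what keeps the memory valid. */
void rto_timer_arm(struct rto_timer *t, struct sock *sk) {
    if (t->armed) return;
    sock_hold(sk); t->sk = sk; t->armed = 1; sk->rto_pending = 1;
}
/* Handler: touches the socket, then drops the timer's own reference. */
int rto_timer_fire(struct rto_timer *t) {
    struct sock *sk = t->sk;
    if (!t->armed) return -1;
    sk->rto_pending = 0;              /* safe: we still hold a reference */
    t->armed = 0; t->sk = NULL;
    sock_put(sk);                     /* may be the last put -> free here */
    return 0;
}
/* Close drops only the owner's reference. */
void sock_close(struct sock *sk) { sock_put(sk); }

/* Scenario: close while the RTO timer is pending. Returns how many objects
 * were freed at close time; 0 means freeing was deferred, as the fix intends. */
int freed_at_close(void) {
    struct rto_timer t = {0}; struct sock *sk = sock_alloc();
    int before = freed_socks;
    rto_timer_arm(&t, sk); sock_close(sk);
    int at_close = freed_socks - before;
    rto_timer_fire(&t);               /* release the timer's reference */
    return at_close;
}
/* Same scenario, counting after the timer has fired: now exactly 1 free. */
int freed_after_timer(void) {
    struct rto_timer t = {0}; struct sock *sk = sock_alloc();
    int before = freed_socks;
    rto_timer_arm(&t, sk); sock_close(sk); rto_timer_fire(&t);
    return freed_socks - before;
}
```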