Acked. Thank you. ///jon
> -----Original Message----- > From: Cong Wang [mailto:[email protected]] > Sent: Wednesday, October 25, 2017 00:45 > To: [email protected] > Cc: Cong Wang <[email protected]>; Jon Maloy > <[email protected]>; Ying Xue <[email protected]> > Subject: [Patch net-next] tipc: fix a dangling pointer > > tsk->group is set to grp earlier, but we forget to unset it > after grp is freed. > > Fixes: 75da2163dbb6 ("tipc: introduce communication groups") > Reported-by: syzkaller bot > Cc: Jon Maloy <[email protected]> > Cc: Ying Xue <[email protected]> > Signed-off-by: Cong Wang <[email protected]> > --- > net/tipc/socket.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/tipc/socket.c b/net/tipc/socket.c index > b3b72d8e9543..ea61c32f6b80 100644 > --- a/net/tipc/socket.c > +++ b/net/tipc/socket.c > @@ -2756,8 +2756,10 @@ static int tipc_sk_join(struct tipc_sock *tsk, struct > tipc_group_req *mreq) > seq.upper = seq.lower; > tipc_nametbl_build_group(net, grp, mreq->type, domain); > rc = tipc_sk_publish(tsk, mreq->scope, &seq); > - if (rc) > + if (rc) { > tipc_group_delete(net, grp); > + tsk->group = NULL; > + } > > /* Eliminate any risk that a broadcast overtakes the sent JOIN */ > tsk->mc_method.rcast = true; > -- > 2.13.0
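Review bot: in the new `if (rc) { ... }` block of tipc_sk_join(), the error path clears `tsk->group` but then falls through to the unchanged context below it, so `tsk->mc_method.rcast = true;` is still set on a socket whose join has just failed. If nothing after this point is meant to run on failure, add `return rc;` as the last statement inside the braces; if the fall-through is intentional, a short comment saying so would help. A smaller point in the same block: `tsk->group` still points at the freed group between `tipc_group_delete(net, grp);` and the assignment, so clearing the pointer first and then deleting `grp` would leave no moment where the socket references freed memory.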
