From: Cong Wang <xiyou.wangc...@gmail.com>
Date: Mon, 4 Dec 2017 10:31:43 -0800
> In tipc_topsrv_kern_subscr() when s->tipc_conn_new() fails
> we call tipc_close_conn() to clean up, but in this case
> calling conn_put() is just enough.
>
> This fixes the following crash:
...
> Fixes: 14c04493cb77 ("tipc: add ability to order and receive topology events
> in driver")
> Reported-by: syzbot <syzkal...@googlegroups.com>
> Cc: Jon Maloy <jon.ma...@ericsson.com>
> Cc: Ying Xue <ying....@windriver.com>
> Signed-off-by: Cong Wang <xiyou.wangc...@gmail.com>
...
> @@ -511,7 +511,7 @@ bool tipc_topsrv_kern_subscr(struct net *net, u32 port, > u32 type, > s = con->server; > scbr = s->tipc_conn_new(*conid); > if (!scbr) { > - tipc_close_conn(con); > + conn_put(con); > return false; > } > > -- > 2.13.0

It looks like tipc_accept_from_sock() has a similar problem? The tipc_close_conn() will get invoked indirectly from the sock_release() path right?
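Review bot: In the `if (!scbr)` branch, neither the code nor the commit message says why `conn_put(con)` alone is sufficient; the message only says it is "just enough". Please add a short comment above `conn_put(con)`, or a sentence in the commit message, stating which part of `tipc_close_conn()` is not valid for a connection in this state when `s->tipc_conn_new()` fails, so the next reader does not restore the full close path. Since the change is a one-line swap in a single error path, it would also help for the message to say whether other callers that reach `tipc_close_conn()` on a failed setup were checked.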