On (12/30/17 11:36), Santosh Shilimkar wrote:
>
> socket buffer can get freed as part of sock_close
> callback so before adding reference check underneath
> socket validity.

I'm not sure I understand this fix. struct rds_sock is:

struct rds_sock {
	struct sock rs_sk;
	:
}

How can rs be non-null but rds_rs_to_sk() is null? (Note that rds_rs_to_sk just
returns &rs->rs_sk), so the changed line is identical to the original line.

> - if (rs && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))
> + if (rs && rds_rs_to_sk(rs) && !sock_flag(rds_rs_to_sk(rs), SOCK_DEAD))

I think the real issue is a refcount bug somewhere. Was the syzbot test run with
http://patchwork.ozlabs.org/patch/852492/? This sounds like that type of bug.

--Sowmini
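Review bot: the extra rds_rs_to_sk(rs) check added on the "+" line cannot fire: rds_rs_to_sk() returns &rs->rs_sk, the address of a member embedded in struct rds_sock, which is non-NULL whenever rs is, so the condition is unchanged and a socket already freed by sock_close still passes it. If rs can be freed concurrently with this test, the change needs to hold a socket reference across the sock_flag(..., SOCK_DEAD) check rather than adding a pointer test; the patch description should also say what guarantees rs stays valid here.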