1 From fa0ad0349d68f7e86419922266aa48de3eb2c507 Mon Sep 17 00:00:00 2001
2 From: Eric Dumazet <edumazet@google.com>
3 Date: Tue, 6 Jun 2017 18:16:00 +0200
4 Subject: [PATCH] dccp/tcp: do not inherit mc_list from parent
6 Content-Type: text/plain; charset=UTF-8
7 Content-Transfer-Encoding: 8bit
9 syzkaller found a way to trigger double frees from ip_mc_drop_socket()
11 It turns out that leave a copy of parent mc_list at accept() time,
14 Very similar to commit 8b485ce69876 ("tcp: do not inherit
15 fastopen_req from parent")
17 Initial report from Pray3r, completed by Andrey one.
18 Thanks a lot to them !
20 Signed-off-by: Eric Dumazet <edumazet@google.com>
21 Reported-by: Pray3r <pray3r.z@gmail.com>
22 Reported-by: Andrey Konovalov <andreyknvl@google.com>
23 Tested-by: Andrey Konovalov <andreyknvl@google.com>
24 Signed-off-by: David S. Miller <davem@davemloft.net>
28 (cherry-picked from 657831ffc38e30092a2d5f03d385d710eb88b09a)
29 Signed-off-by: Stefan Bader <stefan.bader@canonical.com>
30 Acked-by: Colin Ian King <colin.king@canonical.com>
31 Acked-by: Andy Whitcroft <apw@canonical.com>
32 Signed-off-by: Thadeu Lima de Souza Cascardo <cascardo@canonical.com>
34 Signed-off-by: Fabian Grünbichler <f.gruenbichler@proxmox.com>
36 net/ipv4/inet_connection_sock.c | 2 ++
37 1 file changed, 2 insertions(+)
39 diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
40 index 19ea045c50ed..d952cfa15737 100644
41 --- a/net/ipv4/inet_connection_sock.c
42 +++ b/net/ipv4/inet_connection_sock.c
43 @@ -669,6 +669,8 @@ struct sock *inet_csk_clone_lock(const struct sock *sk,
44 /* listeners have SOCK_RCU_FREE, not the children */
45 sock_reset_flag(newsk, SOCK_RCU_FREE);
47 + inet_sk(newsk)->mc_list = NULL;
49 newsk->sk_mark = inet_rsk(req)->ir_mark;
50 atomic64_set(&newsk->sk_cookie,
51 atomic64_read(&inet_rsk(req)->ir_cookie));
projects / pve-kernel.git / blob