| From foo@baz Wed May 31 09:13:34 JST 2017 |
| From: Eric Dumazet <edumazet@google.com> |
| Date: Tue, 9 May 2017 06:29:19 -0700 |
| Subject: dccp/tcp: do not inherit mc_list from parent |
| |
| From: Eric Dumazet <edumazet@google.com> |
| |
| |
| [ Upstream commit 657831ffc38e30092a2d5f03d385d710eb88b09a ] |
| |
| syzkaller found a way to trigger double frees from ip_mc_drop_socket() |
| |
| It turns out that we leave a copy of parent mc_list at accept() time, |
| which is very bad. |
| |
| Very similar to commit 8b485ce69876 ("tcp: do not inherit |
| fastopen_req from parent") |
| |
| Initial report from Pray3r, completed by Andrey's one. |
| Thanks a lot to them! |
| |
| Signed-off-by: Eric Dumazet <edumazet@google.com> |
| Reported-by: Pray3r <pray3r.z@gmail.com> |
| Reported-by: Andrey Konovalov <andreyknvl@google.com> |
| Tested-by: Andrey Konovalov <andreyknvl@google.com> |
| Signed-off-by: David S. Miller <davem@davemloft.net> |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| --- |
| net/ipv4/inet_connection_sock.c | 2 ++ |
| 1 file changed, 2 insertions(+) |
| |
| --- a/net/ipv4/inet_connection_sock.c |
| +++ b/net/ipv4/inet_connection_sock.c |
| @@ -665,6 +665,8 @@ struct sock *inet_csk_clone_lock(const s |
| /* listeners have SOCK_RCU_FREE, not the children */ |
| sock_reset_flag(newsk, SOCK_RCU_FREE); |
| |
| + inet_sk(newsk)->mc_list = NULL; |
| + |
| newsk->sk_mark = inet_rsk(req)->ir_mark; |
| atomic64_set(&newsk->sk_cookie, |
| atomic64_read(&inet_rsk(req)->ir_cookie)); |
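| Review bot: the new `inet_sk(newsk)->mc_list = NULL;` deserves a one-line comment explaining why it is needed, since the child socket is a clone of the listener and would otherwise carry the parent's mc_list pointer, so a later ip_mc_drop_socket() on the child would free a list the parent still owns (the double free the commit message describes). Something like `/* mc_list is not inherited from the listener; children start with an empty list */` placed above the assignment, mirroring the SOCK_RCU_FREE comment just above it, would make the intent clear to readers of this function. Placement is fine: it sits next to the other per-child resets in inet_csk_clone_lock(), which is the shared path for both TCP and DCCP children named in the subject, so both protocols get the fix from this single hunk. |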