[Devel] [PATCH RHEL7 COMMIT] ms/dccp: Unlock sock before calling sk_free()

Konstantin Khorenko khorenko at virtuozzo.com
Wed Jan 31 16:02:46 MSK 2018


The commit is pushed to "branch-rh7-3.10.0-693.11.6.vz7.42.x-ovz" and will appear at https://src.openvz.org/scm/ovz/vzkernel.git
after rh7-3.10.0-693.11.6.vz7.42.3
------>
commit 24ba5a5c1ecf524a1a216409617741142caa848e
Author: Arnaldo Carvalho de Melo <acme at redhat.com>
Date:   Wed Jan 31 16:02:46 2018 +0300

    ms/dccp: Unlock sock before calling sk_free()
    
    Backport of ms commit d5afb6f9b6bb
    
    The code where sk_clone() came from created a new socket and locked it,
    but then, on the error path didn't unlock it.
    
    This problem stayed there for a long while, till b0691c8ee7c2 ("net:
    Unlock sock before calling sk_free()") fixed it, but unfortunately the
    callers of sk_clone() (now sk_clone_locked()) were not audited and the
    one in dccp_create_openreq_child() remained.
    
    Now in the age of the syzkaller fuzzer, this was finally uncovered, as
    reported by Dmitry:
    
    ---- 8< ----
    
    I've got the following report while running syzkaller fuzzer on
    86292b33d4b7 ("Merge branch 'akpm' (patches from Andrew)")
    
    [ BUG: held lock freed! ]
    4.10.0+ #234 Not tainted
    Fix it just like was done by b0691c8ee7c2 ("net: Unlock sock before calling
    sk_free()").
    
    Reported-by: Dmitry Vyukov <dvyukov at google.com>
    Cc: Cong Wang <xiyou.wangcong at gmail.com>
    Cc: Eric Dumazet <edumazet at google.com>
    Cc: Gerrit Renker <gerrit at erg.abdn.ac.uk>
    Cc: Thomas Gleixner <tglx at linutronix.de>
    Link: http://lkml.kernel.org/r/20170301153510.GE15145@kernel.org
    Signed-off-by: Arnaldo Carvalho de Melo <acme at redhat.com>
    Signed-off-by: David S. Miller <davem at davemloft.net>
    
    https://jira.sw.ru/browse/PSBM-80708
    Signed-off-by: Kirill Tkhai <ktkhai at virtuozzo.com>
---
 net/dccp/minisocks.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/net/dccp/minisocks.c b/net/dccp/minisocks.c
index 7b004a58cb33..c62a89e27b81 100644
--- a/net/dccp/minisocks.c
+++ b/net/dccp/minisocks.c
@@ -137,6 +137,7 @@ struct sock *dccp_create_openreq_child(struct sock *sk,
 			/* It is still raw copy of parent, so invalidate
 			 * destructor and make plain sk_free() */
 			newsk->sk_destruct = NULL;
+			bh_unlock_sock(newsk);
 			sk_free(newsk);
 			return NULL;
 		}
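Review bot: the bh_unlock_sock(newsk) added here must stay ahead of sk_free(newsk), not after it, because sk_free() can release the socket once the last reference is dropped and the lock would then be touched on freed memory; the ordering in this hunk is correct and matches b0691c8ee7c2 cited in the commit message. The hunk covers only this one error exit, and the commit message notes that the callers of the clone helper were never audited, so check that no other exit from dccp_create_openreq_child() frees newsk while it is still bh-locked. The comment just above ("invalidate destructor and make plain sk_free()") would also benefit from one line saying the sock is unlocked first, so a later reader does not drop the unlock as redundant.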

