On Tue, 2017-05-09 at 05:17 -0700, Eric Dumazet wrote:
> From: Eric Dumazet <eduma...@google.com>
>
> syzkaller found a way to trigger double frees from ip_mc_drop_socket()
>
> It turns out that leave a copy of parent mc_list at accept() time,
> which is very bad.
>
> Very similar to commit 8b485ce69876 ("tcp: do not inherit
> fastopen_req from parent")
>
> Initial report from Pray3r, completed by Andrey one.
> Thanks a lot to them !
>
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Pray3r <pray3...@gmail.com>
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Tested-by: Andrey Konovalov <andreyk...@google.com>
> ---
> Notes:
> - day-0 bug.
> - Not sure if it makes sense for TCP socket to be able to join MC
>   group ?

I will send a V2, putting the fix in inet_csk_clone_lock() so that DCCP is also fixed ;)
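
A user-space model of the defect described in the quoted commit message, added here as an illustration; it is not code from the patch or from the kernel. The struct and function names, the byte-copy clone, and the release counter (used in place of a real second free()) are assumptions of the model.

```c
#include <stdlib.h>
#include <string.h>

/* User-space model only: every name here is a hypothetical stand-in. */
struct mc_entry {                 /* one joined multicast group */
    struct mc_entry *next;
    int released;                 /* how many times teardown released it */
};

struct model_sock {
    int state;
    struct mc_entry *mc_list;     /* per-socket membership list */
};

/* Create the accept()ed child as a byte copy of the listener (assumption). */
static void clone_sock(struct model_sock *child,
                       const struct model_sock *parent, int clear_mc_list)
{
    memcpy(child, parent, sizeof(*child));
    if (clear_mc_list)
        child->mc_list = NULL;    /* hardened: child owns no memberships */
}

/* Teardown: release each entry. Releases are counted instead of calling
 * free() twice, so the defect is observable without undefined behaviour.
 * Returns the number of entries released more than once. */
static int drop_socket(struct model_sock *sk)
{
    int doubles = 0;
    for (struct mc_entry *e = sk->mc_list; e; e = e->next)
        if (++e->released > 1)
            doubles++;
    sk->mc_list = NULL;
    return doubles;
}

/* Join n groups on a listener, accept one child, close both sockets.
 * Returns how many entries were released twice, or -1 on allocation failure. */
int double_releases(int n, int clear_mc_list)
{
    struct mc_entry *pool = calloc((size_t)n, sizeof(*pool));
    struct model_sock parent = {0}, child;
    if (!pool)
        return -1;
    for (int i = 0; i < n; i++) {          /* push onto the parent's list */
        pool[i].next = parent.mc_list;
        parent.mc_list = &pool[i];
    }
    clone_sock(&child, &parent, clear_mc_list);
    int doubles = drop_socket(&child) + drop_socket(&parent);
    free(pool);
    return doubles;
}
```

With the inherited pointer, every entry the listener joined is released once per socket that still references the list; clearing the pointer at clone time leaves a single owner.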