From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from shards.monkeyblade.net ([184.105.139.130]:55526 "EHLO shards.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1754039AbeCGSjv (ORCPT ); Wed, 7 Mar 2018 13:39:51 -0500
Date: Wed, 07 Mar 2018 13:39:49 -0500 (EST)
Message-Id: <20180307.133949.1744894683110217494.davem@davemloft.net>
To: alexey.kodanev@oracle.com
Cc: netdev@vger.kernel.org, edumazet@google.com
Subject: Re: [PATCH net] dccp: check sk for closed state in dccp_sendmsg()
From: David Miller
In-Reply-To: <1520366221-12350-1-git-send-email-alexey.kodanev@oracle.com>
References: <1520366221-12350-1-git-send-email-alexey.kodanev@oracle.com>
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: netdev-owner@vger.kernel.org
List-ID:

From: Alexey Kodanev
Date: Tue, 6 Mar 2018 22:57:01 +0300

> dccp_disconnect() sets the 'dp->dccps_hc_tx_ccid' tx handler to NULL,
> therefore if a DCCP socket is disconnected and dccp_sendmsg() is
> called after it, it will cause a NULL pointer dereference in
> dccp_write_xmit().
>
> This crash and the reproducer were reported by syzbot. Looks like
> it is reproduced if commit 69c64866ce07 ("dccp: CVE-2017-8824:
> use-after-free in DCCP code") is applied.
>
> Reported-by: syzbot+f99ab3887ab65d70f816@syzkaller.appspotmail.com
> Signed-off-by: Alexey Kodanev

Applied and queued up for -stable, thanks!
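The failure mode in the quoted commit message, modelled in userspace C as an added example (this is not kernel code and not the patch under discussion): a disconnect path clears the CCID tx handler and closes the socket, and the send path must test the socket state before dispatching through that handler. The struct fields and function names loosely mirror the kernel's DCCP names (dccps_hc_tx_ccid, dccp_disconnect, dccp_sendmsg, dccp_write_xmit), but the struct layout, the DCCP_CLOSED test, the -ENOTCONN return and the ccid2 stub are assumptions made for the model, not details taken from the thread.

```c
/* Userspace model of the dccp_sendmsg() closed-state check.  Added example,
 * not kernel code.  Names mirror the kernel's DCCP code loosely; the state
 * enum, the -ENOTCONN return and the ccid2 stub are assumptions. */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

enum dccp_state { DCCP_OPEN, DCCP_CLOSED };

struct ccid_ops {
    const char *name;
    int (*send_packet)(const char *buf, size_t len);
};

struct dccp_sock {
    enum dccp_state sk_state;
    struct ccid_ops *dccps_hc_tx_ccid;   /* NULL once disconnected */
    size_t tx_bytes;                     /* bytes handed to the CCID */
};

/* Stand-in for a congestion-control module: accepts every packet. */
static int ccid2_send_packet(const char *buf, size_t len)
{
    (void)buf;
    return (int)len;
}

static struct ccid_ops ccid2 = { "ccid2", ccid2_send_packet };

/* The transmit path calls through the tx handler unconditionally; a NULL
 * handler here is the NULL pointer dereference the commit message describes. */
static int dccp_write_xmit(struct dccp_sock *dp, const char *buf, size_t len)
{
    int rc = dp->dccps_hc_tx_ccid->send_packet(buf, len);
    if (rc > 0)
        dp->tx_bytes += (size_t)rc;
    return rc;
}

static void dccp_init_sock(struct dccp_sock *dp)
{
    memset(dp, 0, sizeof(*dp));
    dp->sk_state = DCCP_OPEN;
    dp->dccps_hc_tx_ccid = &ccid2;
}

/* Disconnect tears down the CCID and leaves the socket closed. */
static void dccp_disconnect(struct dccp_sock *dp)
{
    dp->sk_state = DCCP_CLOSED;
    dp->dccps_hc_tx_ccid = NULL;
}

/* Send path with the state check in front of the handler dispatch.  Without
 * the check, a send after disconnect goes straight into dccp_write_xmit()
 * with a NULL tx handler.  In the kernel this check must sit under the
 * socket lock so the state cannot change between the test and the xmit. */
static int dccp_sendmsg(struct dccp_sock *dp, const char *buf, size_t len)
{
    if (dp->sk_state == DCCP_CLOSED)
        return -ENOTCONN;   /* assumed errno for the model */
    return dccp_write_xmit(dp, buf, len);
}

/* Fresh socket: the send is handed to the CCID and the byte count returned. */
static int send_on_fresh_socket(void)
{
    struct dccp_sock sk;
    const char payload[] = "hello";   /* constructed sample payload */
    dccp_init_sock(&sk);
    return dccp_sendmsg(&sk, payload, sizeof(payload));
}

/* The reported sequence: send, disconnect, send again.  Returns the result
 * of the second send, which the check turns into an error instead of a crash. */
static int replay_disconnect_then_send(void)
{
    struct dccp_sock sk;
    const char payload[] = "hello";   /* constructed sample payload */
    dccp_init_sock(&sk);
    if (dccp_sendmsg(&sk, payload, sizeof(payload)) != (int)sizeof(payload))
        return -EIO;
    dccp_disconnect(&sk);
    return dccp_sendmsg(&sk, payload, sizeof(payload));
}

int main(void)
{
    int rc = replay_disconnect_then_send();
    printf("sendmsg after disconnect: %d\n", rc);
    return rc == -ENOTCONN ? 0 : 1;
}
```

Removing the DCCP_CLOSED test from dccp_sendmsg() in this model and rerunning it reproduces the shape of the syzbot crash (a NULL function pointer call), which is the quickest way to see why the check belongs before the handler dispatch rather than inside it.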