From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-cys01nam02on0097.outbound.protection.outlook.com ([104.47.37.97]:28800 "EHLO NAM02-CY1-obe.outbound.protection.outlook.com" rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP id S1752874AbeDIAQw (ORCPT ); Sun, 8 Apr 2018 20:16:52 -0400 From: Sasha Levin To: "stable@vger.kernel.org" , "linux-kernel@vger.kernel.org" CC: Jon Maloy , "David S . Miller" , Sasha Levin Subject: [PATCH AUTOSEL for 4.15 007/189] tipc: fix a potental access after delete in tipc_sk_join() Date: Mon, 9 Apr 2018 00:16:49 +0000 Message-ID: <20180409001637.162453-7-alexander.levin@microsoft.com> References: <20180409001637.162453-1-alexander.levin@microsoft.com> In-Reply-To: <20180409001637.162453-1-alexander.levin@microsoft.com> Content-Language: en-US Content-Type: text/plain; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable MIME-Version: 1.0 Sender: stable-owner@vger.kernel.org List-ID: From: Jon Maloy [ Upstream commit febafc8455fdbb0ba53d596075068a683b75f355 ] In commit d12d2e12cec2 "tipc: send out join messages as soon as new member is discovered") we added a call to the function tipc_group_join() without considering the case that the preceding tipc_sk_publish() might have failed, and the group item already deleted. We fix this by returning from tipc_sk_join() directly after the failed tipc_sk_publish. Reported-by: syzbot+e3eeae78ea88b8d6d858@syzkaller.appspotmail.com Signed-off-by: Jon Maloy Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/tipc/socket.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/tipc/socket.c b/net/tipc/socket.c index 3b4084480377..8efd2e42de30 100644 --- a/net/tipc/socket.c +++ b/net/tipc/socket.c @@ -2759,6 +2759,7 @@ static int tipc_sk_join(struct tipc_sock *tsk, struct= tipc_group_req *mreq) if (rc) { tipc_group_delete(net, grp); tsk->group =3D NULL; + return rc; } =20 /* Eliminate any risk that a broadcast overtakes the sent JOIN */ --=20 2.15.1
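
Review bot: In the "if (rc)" block of tipc_sk_join(), the added "return rc;" is the only thing that stops the code after the block (starting at the "Eliminate any risk that a broadcast overtakes the sent JOIN" comment) from running once tipc_group_delete(net, grp) has been called and tsk->group has been cleared. Nothing in the block says so. A one-line comment on the return, or the more usual explicit error path, would make it harder for a later change to reintroduce the fall-through onto a deleted group. On the documentation side, the commit message names d12d2e12cec2 as the commit that introduced the problem but carries no Fixes: tag. Adding "Fixes: d12d2e12cec2 (...)" would let stable tooling work out which trees need this one-line backport. The quoted commit title in the message also has a closing parenthesis with no opening one.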