On Sat, Mar 16, 2019 at 10:09 PM syzbot <syzbot+85e0b422ff140b03672a@xxxxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> syzbot has bisected this bug to:
>
> commit 89664c623617b1d34447a927ac7871ddf3db29d3
> Author: Xin Long <lucien.xin@xxxxxxxxx>
> Date:   Sun Mar 3 09:54:53 2019 +0000
>
>     sctp: sctp_sock_migrate() returns error if sctp_bind_addr_dup() fails
>
> bisection log:  https://syzkaller.appspot.com/x/bisect.txt?x=17b17777200000
> start commit:   89664c62 sctp: sctp_sock_migrate() returns error if sctp_b..
> git tree:       upstream
> final crash:    https://syzkaller.appspot.com/x/report.txt?x=14717777200000
> console output: https://syzkaller.appspot.com/x/log.txt?x=10717777200000
> kernel config:  https://syzkaller.appspot.com/x/.config?x=b613f0327d980b6b
> dashboard link: https://syzkaller.appspot.com/bug?extid=85e0b422ff140b03672a
> syz repro:      https://syzkaller.appspot.com/x/repro.syz?x=12613b13200000
> C reproducer:   https://syzkaller.appspot.com/x/repro.c?x=10f1884d200000
>
> Reported-by: syzbot+85e0b422ff140b03672a@xxxxxxxxxxxxxxxxxxxxxxxxx
> Fixes: 89664c62 ("sctp: sctp_sock_migrate() returns error if
> sctp_bind_addr_dup() fails")

sctp_copy_descendant() copied sctp_sock->pd_lobby. We should fix it with:

diff --git a/net/sctp/socket.c b/net/sctp/socket.c
index 06c6f4a..e0857dd 100644
--- a/net/sctp/socket.c
+++ b/net/sctp/socket.c
@@ -9175,7 +9175,7 @@ static inline void sctp_copy_descendant(struct sock *sk_to,
 {
 	int ancestor_size = sizeof(struct inet_sock) +
 			    sizeof(struct sctp_sock) -
-			    offsetof(struct sctp_sock, auto_asconf_list);
+			    offsetof(struct sctp_sock, pd_lobby);
 
 	if (sk_from->sk_family == PF_INET6)
 		ancestor_size += sizeof(struct ipv6_pinfo);
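Review bot: the new bound in this hunk only works if pd_lobby is the first of the trailing fields that must not be copied, i.e. it sits directly before auto_asconf_list in struct sctp_sock, which the hunk does not show; please update the comment in struct sctp_sock that marks those trailing fields as skipped on copies so that pd_lobby is covered, otherwise a later field reordering silently breaks this. The commit message should also say why copying pd_lobby from sk_from into sk_to is wrong and confirm that the new socket's own pd_lobby has already been initialized before sctp_copy_descendant() runs, since after this change nothing here touches it. As posted, the change still needs a subject line, the Fixes: 89664c62 tag and the Reported-by: line from the syzbot report above.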