On Thu, 2016-02-11 at 15:55 +0000, Rainer Weikusat wrote: > Philipp Hahn writes: > > [...] > > > Probably the same bug was also reported to samba-technical by Karolin > > Seeger; she filed the bug for 3.19-ckt with Ubuntu: > > > > > > > > Running the Samba test suite reproduces the problem; see bug for > > details. > > > JFTR: The oops in this bug report is for 3.13.0-77 and the patch you > reverted for 4.1 is not part of that (at least not of the upstream 3.13). [...] It is in 3.13-ckt and basically all the stable branches. Does the patch below fix this bug? Ben. --- unix: Fix potential double-unlock in unix_dgram_sendmsg() A datagram socket may be peered with itself, so that sk == other.  We use unix_state_double_lock() to lock sk and other in the right order, which also guards against this and only locks the socket once, but we then end up trying to unlock it twice.  Add the check for sk != other. Reported-by: Philipp Hahn Fixes: 7d267278a9ec ("unix: avoid use-after-free in ep_remove_wait_queue") Cc: stable Signed-off-by: Ben Hutchings ---  net/unix/af_unix.c | 4 ++--  1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/net/unix/af_unix.c b/net/unix/af_unix.c index c5bf5ef2bf89..b4320d3e3a25 100644 --- a/net/unix/af_unix.c +++ b/net/unix/af_unix.c @@ -1810,7 +1810,7 @@ restart_locked:   }   }   - if (unlikely(sk_locked)) + if (unlikely(sk_locked) && sk != other)   unix_state_unlock(sk);     if (sock_flag(other, SOCK_RCVTSTAMP)) @@ -1826,7 +1826,7 @@ restart_locked:   return len;    out_unlock: - if (sk_locked) + if (sk_locked && sk != other)   unix_state_unlock(sk);   unix_state_unlock(other);  out_free: -- Ben Hutchings Who are all these weirdos? - David Bowie, reading IRC for the first time