On Mon, Feb 13, 2017 at 7:17 AM, Dmitry Vyukov <dvyu...@google.com> wrote:
>
> Another similar one:
>
The other possibility is: __fanout_link() is called twice on the same packet sock for some reason, but __fanout_unlink() only unlinks the first one, which led to this use-after-free. However, po->running and po->fanout seem enough to guarantee this should not happen. I still want to point this out in case I missed anything here, so that other people could figure it out.
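To make the "linked twice, unlinked once" hypothesis concrete, here is an added toy model written for this page; it is not kernel code and not from anyone in the thread. The struct names, the array-backed group and the `running`/`fanout` fields are simplified stand-ins chosen for illustration, and the real kernel's fanout structures differ. What it shows is why the `po->fanout` guard matters: with the guard, a second link is refused and the unlink leaves nothing behind; if a second copy of the socket got into the group by any other path, a single unlink removes only the first match and a dangling pointer to the socket survives, which is exactly the shape of a use-after-free.

```c
#include <stddef.h>
#include <stdio.h>

/* Toy model (not kernel code) of the invariant discussed above:
 * a socket may be a member of at most one fanout group, and the
 * po->fanout / po->running checks are what should stop a second
 * __fanout_link() on the same socket. */

#define MAX_MEMBERS 8

struct packet_sock;

struct fanout_group {
    struct packet_sock *arr[MAX_MEMBERS]; /* member sockets (constructed) */
    int num_members;
};

struct packet_sock {
    int running;                 /* hypothetical stand-in for po->running */
    struct fanout_group *fanout; /* hypothetical stand-in for po->fanout */
};

/* Model of __fanout_link(): append po to the group.
 * Returns 0 on success, -1 if the socket is not running, is already
 * linked (the guard the mail relies on), or the group is full. */
int fanout_link(struct packet_sock *po, struct fanout_group *f)
{
    if (!po->running || po->fanout != NULL)
        return -1;
    if (f->num_members >= MAX_MEMBERS)
        return -1;
    f->arr[f->num_members++] = po;
    po->fanout = f;
    return 0;
}

/* Model of __fanout_unlink(): remove only the FIRST occurrence of po.
 * Any second copy is left in place and keeps pointing at the socket. */
int fanout_unlink(struct packet_sock *po, struct fanout_group *f)
{
    int i;
    for (i = 0; i < f->num_members; i++) {
        if (f->arr[i] == po) {
            f->arr[i] = f->arr[f->num_members - 1];
            f->arr[f->num_members - 1] = NULL;
            f->num_members--;
            po->fanout = NULL;
            return 0;
        }
    }
    return -1; /* not a member */
}

/* Number of group slots still referencing po. After a successful
 * unlink this must be 0; anything else is a dangling reference. */
int stale_refs(const struct fanout_group *f, const struct packet_sock *po)
{
    int i, n = 0;
    for (i = 0; i < f->num_members; i++)
        if (f->arr[i] == po)
            n++;
    return n;
}

/* Scenario from the mail: link twice, unlink once. With the guard the
 * second link is rejected and 0 stale references remain; if the guard
 * is bypassed, one stale reference survives the unlink. */
int double_link_scenario(int guarded)
{
    struct fanout_group f = { { NULL }, 0 };
    struct packet_sock po = { 1, NULL };

    fanout_link(&po, &f);
    if (guarded)
        fanout_link(&po, &f);          /* refused: po->fanout already set */
    else
        f.arr[f.num_members++] = &po;  /* bypass the guard: second copy */
    fanout_unlink(&po, &f);            /* removes only the first match */
    return stale_refs(&f, &po);
}

int main(void)
{
    printf("guarded:   %d stale reference(s)\n", double_link_scenario(1));
    printf("unguarded: %d stale reference(s)\n", double_link_scenario(0));
    return 0;
}
```

The model makes the defender's check explicit: whatever the actual cause in the kernel turns out to be, a list that can hold two entries for one object while unlink removes one is enough to leave a dangling pointer, so the `fanout`/`running` guards are the invariant to verify when reading the real code.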