syzkaller found a bug in the BBR code. On an error path, the socket buffer was not unlocked. Free also on this path the allocated mbuf.
- Group Reviewers
- rS362846: Fix the cleanup handling in a error path for TCP BBR.
syzkaller triggered the condition. I looked for other cases, but did not spot any. That doesn't mean that they don't exist... Maybe syzkaller will find other issue, I don't know. That is the reason why it it constantly running...