git.baikalelectronics.ru Git - kernel.git/commit

author	Florian Westphal <fw@strlen.de>
	Fri, 17 Apr 2020 07:28:22 +0000 (09:28 +0200)
committer	David S. Miller <davem@davemloft.net>
	Sat, 18 Apr 2020 22:43:20 +0000 (15:43 -0700)
commit	c1f9b213e4e51165f045804fc85257d9c45329d7
tree	cb661c0c9eced47d8af51bc080956fa987b5d7b9	tree \| snapshot
parent	4d485d44173e7fa775ea8a3d0812330a0abded78	commit \| diff

mptcp: fix splat when incoming connection is never accepted before exit/close

Following snippet (replicated from syzkaller reproducer) generates
warning: "IPv4: Attempt to release TCP socket in state 1".

int main(void) {
struct sockaddr_in sin1 = { .sin_family = 2, .sin_port = 0x4e20,
                             .sin_addr.s_addr = 0x010000e0, };
struct sockaddr_in sin2 = { .sin_family = 2,
                     .sin_addr.s_addr = 0x0100007f, };
struct sockaddr_in sin3 = { .sin_family = 2, .sin_port = 0x4e20,
                     .sin_addr.s_addr = 0x0100007f, };
int r0 = socket(0x2, 0x1, 0x106);
int r1 = socket(0x2, 0x1, 0x106);

bind(r1, (void *)&sin1, sizeof(sin1));
connect(r1, (void *)&sin2, sizeof(sin2));
listen(r1, 3);
return connect(r0, (void *)&sin3, 0x4d);
}

Reason is that the newly generated mptcp socket is closed via the ulp
release of the tcp listener socket when its accept backlog gets purged.

To fix this, delay setting the ESTABLISHED state until after userspace
calls accept and via mptcp specific destructor.

Fixes: 69d37e5b4a775 ("mptcp: create msk early")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/9
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: David S. Miller <davem@davemloft.net>

net/mptcp/protocol.c		diff \| blob \| history
net/mptcp/subflow.c		diff \| blob \| history