From: Paolo Abeni Date: Fri, 8 Jul 2022 23:36:09 +0000 (-0700) Subject: mptcp: fix subflow traversal at disconnect time X-Git-Tag: baikal/mips/sdk6.1~5324^2~22^2~1 X-Git-Url: https://git.baikalelectronics.ru/sdk/?a=commitdiff_plain;h=7f4db0ec1554a8c6410b043dd975975ea80b603c;p=kernel.git mptcp: fix subflow traversal at disconnect time At disconnect time the MPTCP protocol traverse the subflows list closing each of them. In some circumstances - MPJ subflow, passive MPTCP socket, the latter operation can remove the subflow from the list, invalidating the current iterator. Address the issue using the safe list traversing helper variant. Reported-by: van fantasy Fixes: 7cc40ad9c3de ("mptcp: full disconnect implementation") Tested-by: Matthieu Baerts Reviewed-by: Mat Martineau Signed-off-by: Paolo Abeni Signed-off-by: Mat Martineau Signed-off-by: David S. Miller --- diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index cc21fafd97265..21a3ed64226e5 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -2919,12 +2919,12 @@ static void mptcp_copy_inaddrs(struct sock *msk, const struct sock *ssk) static int mptcp_disconnect(struct sock *sk, int flags) { - struct mptcp_subflow_context *subflow; + struct mptcp_subflow_context *subflow, *tmp; struct mptcp_sock *msk = mptcp_sk(sk); inet_sk_state_store(sk, TCP_CLOSE); - mptcp_for_each_subflow(msk, subflow) { + list_for_each_entry_safe(subflow, tmp, &msk->conn_list, node) { struct sock *ssk = mptcp_subflow_tcp_sock(subflow); __mptcp_close_ssk(sk, ssk, subflow, MPTCP_CF_FASTCLOSE);