Commit 71c299c7 authored by Jakub Kicinski's avatar Jakub Kicinski

net: tcp: fix crashes trying to free half-baked MTU probes

tcp_stream_alloc_skb() initializes the skb to use tcp_tsorted_anchor
which is a union with the destructor. We need to clean that
TCP-iness up before freeing.

Fixes: 73601329 ("tcp: let tcp_mtu_probe() build headless packets")
Reviewed-by: default avatarEric Dumazet <edumazet@google.com>
Link: https://lore.kernel.org/r/20231010173651.3990234-1-kuba@kernel.orgSigned-off-by: default avatarJakub Kicinski <kuba@kernel.org>
parent 8bcfc9de
...@@ -2456,6 +2456,7 @@ static int tcp_mtu_probe(struct sock *sk) ...@@ -2456,6 +2456,7 @@ static int tcp_mtu_probe(struct sock *sk)
/* build the payload, and be prepared to abort if this fails. */ /* build the payload, and be prepared to abort if this fails. */
if (tcp_clone_payload(sk, nskb, probe_size)) { if (tcp_clone_payload(sk, nskb, probe_size)) {
tcp_skb_tsorted_anchor_cleanup(nskb);
consume_skb(nskb); consume_skb(nskb);
return -1; return -1;
} }
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment