• mptcp: fix splat when incoming connection is never accepted before exit/close · df1036da
    Florian Westphal authored
    Following snippet (replicated from syzkaller reproducer) generates
    warning: "IPv4: Attempt to release TCP socket in state 1".
    
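    #include <netinet/in.h>
    #include <sys/socket.h>
    
    int main(void) {
     /* Raw syzkaller constants: family 2 = AF_INET. On a little-endian host
      * 0x010000e0 is 224.0.0.1 and 0x0100007f is 127.0.0.1. */
     struct sockaddr_in sin1 = { .sin_family = 2, .sin_port = 0x4e20,
                                 .sin_addr.s_addr = 0x010000e0, };
     struct sockaddr_in sin2 = { .sin_family = 2,
                                 .sin_addr.s_addr = 0x0100007f, };
     struct sockaddr_in sin3 = { .sin_family = 2, .sin_port = 0x4e20,
                                 .sin_addr.s_addr = 0x0100007f, };
     /* 0x2 = AF_INET, 0x1 = SOCK_STREAM, 0x106 = IPPROTO_MPTCP */
     int r0 = socket(0x2, 0x1, 0x106);
     int r1 = socket(0x2, 0x1, 0x106);
    
     bind(r1, (void *)&sin1, sizeof(sin1));
     connect(r1, (void *)&sin2, sizeof(sin2));
     listen(r1, 3);
     /* The incoming connection is never accepted before the process exits.
      * 0x4d is the address length passed by the reproducer. */
     return connect(r0, (void *)&sin3, 0x4d);
    }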
    
    Reason is that the newly generated mptcp socket is closed via the ulp
    release of the tcp listener socket when its accept backlog gets purged.
    
    To fix this, delay setting the ESTABLISHED state until after userspace
    calls accept and via mptcp specific destructor.
    
    Fixes: 58b09919 ("mptcp: create msk early")
    Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/9
    Signed-off-by: Florian Westphal <fw@strlen.de>
    Signed-off-by: David S. Miller <davem@davemloft.net>
subflow.c 31.1 KB