diff options
author | Florian Westphal <fw@strlen.de> | 2021-03-04 22:32:09 +0100 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2021-03-04 23:30:13 +0100 |
commit | f07157792c633b528de5fc1dbe2e4ea54f8e09d4 (patch) | |
tree | 173ab80478f09385958653b8391cb6490d435355 | |
parent | mptcp: reset last_snd on subflow close (diff) | |
download | linux-f07157792c633b528de5fc1dbe2e4ea54f8e09d4.tar.xz linux-f07157792c633b528de5fc1dbe2e4ea54f8e09d4.zip |
mptcp: put subflow sock on connect error
mptcp_add_pending_subflow() performs a sock_hold() on the subflow,
then adds the subflow to the join list.
Without a sock_put the subflow sk won't be freed in case connect() fails.
unreferenced object 0xffff88810c03b100 (size 3000):
[..]
sk_prot_alloc.isra.0+0x2f/0x110
sk_alloc+0x5d/0xc20
inet6_create+0x2b7/0xd30
__sock_create+0x17f/0x410
mptcp_subflow_create_socket+0xff/0x9c0
__mptcp_subflow_connect+0x1da/0xaf0
mptcp_pm_nl_work+0x6e0/0x1120
mptcp_worker+0x508/0x9a0
Fixes: 5b950ff4331ddda ("mptcp: link MPC subflow into msk only after accept")
Signed-off-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
-rw-r--r-- | net/mptcp/subflow.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index e1fbcab257e6..41695e26c374 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -1297,6 +1297,7 @@ failed_unlink: spin_lock_bh(&msk->join_list_lock); list_del(&subflow->node); spin_unlock_bh(&msk->join_list_lock); + sock_put(mptcp_subflow_tcp_sock(subflow)); failed: subflow->disposable = 1; |