diff options
author | Paolo Abeni <pabeni@redhat.com> | 2021-05-07 02:16:38 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2021-05-08 00:53:40 +0200 |
commit | 578c18eff1627d6a911f08f4cf351eca41fdcc7d (patch) | |
tree | 1bb5df2788d0050e312c619a82cf9081df1b1da4 /net/mptcp/subflow.c | |
parent | tcp: Specify cmsgbuf is user pointer for receive zerocopy. (diff) | |
download | linux-578c18eff1627d6a911f08f4cf351eca41fdcc7d.tar.xz linux-578c18eff1627d6a911f08f4cf351eca41fdcc7d.zip |
mptcp: fix splat when closing unaccepted socket
If userspace exits before calling accept() on a listener that had at least
one new connection ready, we get:
Attempt to release TCP socket in state 8
This happens because the mptcp socket gets cloned when the TCP connection
is ready, but the socket is never exposed to userspace.
The client additionally sends a DATA_FIN, which brings connection into
CLOSE_WAIT state. This in turn prevents the orphan+state reset fixup
in mptcp_sock_destruct() from doing its job.
Fixes: 3721b9b64676b ("mptcp: Track received DATA_FIN sequence number and add related helpers")
Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/185
Tested-by: Florian Westphal <fw@strlen.de>
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Signed-off-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Link: https://lore.kernel.org/r/20210507001638.225468-1-mathew.j.martineau@linux.intel.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Diffstat (limited to 'net/mptcp/subflow.c')
-rw-r--r-- | net/mptcp/subflow.c | 3 |
1 files changed, 1 insertions, 2 deletions
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index 82e91b00ad39..a5ede357cfbc 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -546,8 +546,7 @@ static void mptcp_sock_destruct(struct sock *sk) * ESTABLISHED state and will not have the SOCK_DEAD flag. * Both result in warnings from inet_sock_destruct. */ - - if (sk->sk_state == TCP_ESTABLISHED) { + if ((1 << sk->sk_state) & (TCPF_ESTABLISHED | TCPF_CLOSE_WAIT)) { sk->sk_state = TCP_CLOSE; WARN_ON_ONCE(sk->sk_socket); sock_orphan(sk); |