diff options
author | Paolo Abeni <pabeni@redhat.com> | 2020-04-24 14:15:21 +0300 |
---|---|---|
committer | David S. Miller <davem@davemloft.net> | 2020-04-26 06:38:54 +0300 |
commit | 1200832c6e850a17f36631f6492f953a1b39e6b8 (patch) | |
tree | ac7289c7ae0723ae43b97911c830be0efcac2cab /net | |
parent | b2768df24ec400dd4f7fa79542f797e904812053 (diff) | |
download | linux-1200832c6e850a17f36631f6492f953a1b39e6b8.tar.xz |
mptcp: fix race in msk status update
Currently subflow_finish_connect() changes unconditionally
any msk socket status other than TCP_ESTABLISHED.
If an unblocking connect() races with close(), we can end-up
triggering:
IPv4: Attempt to release TCP socket in state 1 00000000e32b8b7e
when the msk socket is disposed.
Be sure to enter the established status only from SYN_SENT.
Fixes: c3c123d16c0e ("net: mptcp: don't hang in mptcp_sendmsg() after TCP fallback")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Diffstat (limited to 'net')
-rw-r--r-- | net/mptcp/subflow.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c index fabd06f2ff45..71256f03707f 100644 --- a/net/mptcp/subflow.c +++ b/net/mptcp/subflow.c @@ -225,7 +225,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb) subflow->icsk_af_ops->sk_rx_dst_set(sk, skb); - if (inet_sk_state_load(parent) != TCP_ESTABLISHED) { + if (inet_sk_state_load(parent) == TCP_SYN_SENT) { inet_sk_state_store(parent, TCP_ESTABLISHED); parent->sk_state_change(parent); } |