mirror of
https://github.com/torvalds/linux.git
synced 2024-11-17 01:22:07 +00:00
df1036da90
Following snippet (replicated from syzkaller reproducer) generates
warning: "IPv4: Attempt to release TCP socket in state 1".
int main(void) {
struct sockaddr_in sin1 = { .sin_family = 2, .sin_port = 0x4e20,
.sin_addr.s_addr = 0x010000e0, };
struct sockaddr_in sin2 = { .sin_family = 2,
.sin_addr.s_addr = 0x0100007f, };
struct sockaddr_in sin3 = { .sin_family = 2, .sin_port = 0x4e20,
.sin_addr.s_addr = 0x0100007f, };
int r0 = socket(0x2, 0x1, 0x106);
int r1 = socket(0x2, 0x1, 0x106);
bind(r1, (void *)&sin1, sizeof(sin1));
connect(r1, (void *)&sin2, sizeof(sin2));
listen(r1, 3);
return connect(r0, (void *)&sin3, 0x4d);
}
Reason is that the newly generated mptcp socket is closed via the ulp
release of the tcp listener socket when its accept backlog gets purged.
To fix this, delay setting the ESTABLISHED state until after userspace
calls accept and via mptcp specific destructor.
Fixes:
|
||
|---|---|---|
| .. | ||
| crypto.c | ||
| ctrl.c | ||
| diag.c | ||
| Kconfig | ||
| Makefile | ||
| mib.c | ||
| mib.h | ||
| options.c | ||
| pm_netlink.c | ||
| pm.c | ||
| protocol.c | ||
| protocol.h | ||
| subflow.c | ||
| token.c | ||