This repository has been archived by the owner on Apr 18, 2024. It is now read-only.

mptcp: correct user owned check during FIN_ACK1
Correctly check if a (meta) socket is user owned for mptcp subflows
during tcp handling in TCP_FIN_WAIT1.
This issue could cause the loss of a FIN and require a subsequent
retransmission from the peer.

Fixes: Zero-day Bug
Reported-by: Christoph Paasch <[email protected]>
Reviewed-by: Matthieu Baerts <[email protected]>
Signed-off-by: Tim Froidcoeur <[email protected]>
Acked-by: Christoph Paasch <[email protected]>
Signed-off-by: Matthieu Baerts <[email protected]>
(cherry picked from commit 2beaf58)
Signed-off-by: Matthieu Baerts <[email protected]>
(cherry picked from commit 1d6a567)
Signed-off-by: Matthieu Baerts <[email protected]>
(cherry picked from commit 071adf4)
Signed-off-by: Matthieu Baerts <[email protected]>
TimFroidcoeur authored and matttbe committed Aug 31, 2022
1 parent 00d2cf8 commit 44095ee
Showing 1 changed file with 2 additions and 1 deletion.
3 changes: 2 additions & 1 deletion net/ipv4/tcp_input.c
Expand Up @@ -6261,6 +6261,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
break;

case TCP_FIN_WAIT1: {
struct sock *meta_sk = mptcp(tcp_sk(sk)) ? mptcp_meta_sk(sk) : sk;
int tmo;

/* If we enter the TCP_FIN_WAIT1 state and we are a
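Review bot: The new meta_sk declaration at the top of the TCP_FIN_WAIT1 case has no comment saying why the meta socket is looked up, and the ternary silently falls back to sk when mptcp(tcp_sk(sk)) is false. A one-line comment would help, for example that for an MPTCP subflow the user-ownership state to test is the meta socket's, and that plain TCP keeps using sk. In the lines shown the variable is consumed only by the sock_owned_by_user() test in the later hunk, so it could also be resolved next to that test instead of at case entry.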
Expand Down Expand Up @@ -6306,7 +6307,7 @@ int tcp_rcv_state_process(struct sock *sk, struct sk_buff *skb)
if (tmo > TCP_TIMEWAIT_LEN) {
inet_csk_reset_keepalive_timer(sk, tmo - TCP_TIMEWAIT_LEN);
} else if (th->fin || mptcp_is_data_fin(skb) ||
sock_owned_by_user(sk)) {
sock_owned_by_user(meta_sk)) {
/* Bad case. We could lose such FIN otherwise.
* It is not a big problem, but it looks confusing
* and not so rare event. We still can lose it now,
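Review bot: In the else-if condition the ownership test now takes meta_sk, but the comment directly under it ("Bad case. We could lose such FIN otherwise.") still describes the situation without mentioning MPTCP. Please extend that comment to say that for a subflow it is the meta socket's ownership that selects this branch, so the reason for the sk/meta_sk split stays visible next to inet_csk_reset_keepalive_timer(sk, ...), which keeps operating on the subflow. It would also be worth stating in the commit message whether any other sock_owned_by_user(sk) test in tcp_rcv_state_process() was checked for the same problem.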