mptcp: Avoid double-free of fastopen_req

Setting tp->fastopen_req to NULL in mptcp_rcv_synsent_state_process may be too late, because the master-sk may get destroyed much earlier in case of any other of the error-conditions. Make sure that it is set to NULL as soon as possible. Fixes: e56ce50 ("Merge tag 'v4.11' into mptcp_trunk") Signed-off-by: Christoph Paasch <[email protected]> Signed-off-by: Matthieu Baerts <[email protected]> (cherry picked from commit 5bc4937) Signed-off-by: Matthieu Baerts <[email protected]> (cherry picked from commit cbcde89) Signed-off-by: Matthieu Baerts <[email protected]> (cherry picked from commit 575e790) Signed-off-by: Matthieu Baerts <[email protected]>
multipath-tcp · Oct 25, 2021 · 793f69a · 793f69a
1 parent 067f5df
commit 793f69a
Show file tree

Hide file tree

Showing 2 changed files with 2 additions and 3 deletions.
diff --git a/net/mptcp/mptcp_ctrl.c b/net/mptcp/mptcp_ctrl.c
@@ -1284,6 +1284,8 @@ static int mptcp_alloc_mpcb(struct sock *meta_sk, __u64 remote_key,
 	master_tp->out_of_order_queue = RB_ROOT;
 	INIT_LIST_HEAD(&master_tp->tsq_node);
 
+	master_tp->fastopen_req = NULL;
+
 	master_sk->sk_tsq_flags = 0;
 	/* icsk_bind_hash inherited from the meta, but it will be properly set in
 	 * mptcp_create_master_sk. Same operation is done in inet_csk_clone_lock.

diff --git a/net/mptcp/mptcp_input.c b/net/mptcp/mptcp_input.c
@@ -2355,9 +2355,6 @@ int mptcp_rcv_synsent_state_process(struct sock *sk, struct sock **skptr,
 
 		tp->mptcp->include_mpc = 1;
 
-		/* Ensure that fastopen is handled at the meta-level. */
-		tp->fastopen_req = NULL;
-
 		sk_set_socket(sk, meta_sk->sk_socket);
 		sk->sk_wq = meta_sk->sk_wq;