mptcp: Reset tsorted_anchor after call to tcp_fragment

The reinject-queue is special in the sense that its segments get kfree'd right after sending. We need to make sure that the dst-pointer is NULL as otherwise during the freeing we will access garbage. Fixes: 8a1051d ("Merge tag 'v4.15' into mptcp_trunk") Signed-off-by: Christoph Paasch <[email protected]> Signed-off-by: Matthieu Baerts <[email protected]>
multipath-tcp · May 3, 2018 · e4eeb82 · e4eeb82
1 parent 005d56c
commit e4eeb82
Showing 1 changed file with 6 additions and 0 deletions.
diff --git a/net/mptcp/mptcp_output.c b/net/mptcp/mptcp_output.c
@@ -642,6 +642,12 @@ static int mptcp_fragment(struct sock *meta_sk, enum tcp_queue tcp_queue,
 			if (undo)
 				tcp_adjust_pcount(meta_sk, skb, -undo);
 		}
+
+		/* tcp_fragment's call to sk_stream_alloc_skb initializes the
+		 * tcp_tsorted_anchor. We need to revert this as it clashes
+		 * with the refdst pointer.
+		 */
+		tcp_skb_tsorted_anchor_cleanup(buff);
 	}
 
 	return 0;