From e4eeb8266879fd69407381751ddcd232d266d0b8 Mon Sep 17 00:00:00 2001
From: Christoph Paasch
Date: Wed, 2 May 2018 10:41:51 -0700
Subject: [PATCH] mptcp: Reset tsorted_anchor after call to tcp_fragment

The reinject-queue is special in the sense that its segments get kfree'd
right after sending. We need to make sure that the dst-pointer is NULL as
otherwise during the freeing we will access garbage.

Fixes: 8a1051d977cf ("Merge tag 'v4.15' into mptcp_trunk")
Signed-off-by: Christoph Paasch
Signed-off-by: Matthieu Baerts
---
 net/mptcp/mptcp_output.c | 6 ++++++
 1 file changed, 6 insertions(+)

diff --git a/net/mptcp/mptcp_output.c b/net/mptcp/mptcp_output.c
index 2e89188ebb4e..a2d65b6af836 100644
--- a/net/mptcp/mptcp_output.c
+++ b/net/mptcp/mptcp_output.c
@@ -642,6 +642,12 @@ static int mptcp_fragment(struct sock *meta_sk, enum tcp_queue tcp_queue,
 			if (undo)
 				tcp_adjust_pcount(meta_sk, skb, -undo);
 		}
+
+		/* tcp_fragment's call to sk_stream_alloc_skb initializes the
+		 * tcp_tsorted_anchor. We need to revert this as it clashes
+		 * with the refdst pointer.
+		 */
+		tcp_skb_tsorted_anchor_cleanup(buff);
 	}
 
 	return 0;
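Review bot: The added `tcp_skb_tsorted_anchor_cleanup(buff)` only zeroes the anchor's storage, so if tcp_fragment also linked `buff` into `skb`'s tsorted list (its retransmit-queue path in 4.15 does `list_add(&buff->tcp_tsorted_anchor, &skb->tcp_tsorted_anchor)`), clearing it without unlinking leaves `skb`'s list still pointing at `buff`, which is then freed right after sending per the commit message, and a later list walk would touch freed memory. Whether that path is reachable depends on the `tcp_queue` value this function receives, which is not visible in the hunk; either unlink first under the condition the header's parameter makes available, `if (tcp_queue == TCP_FRAG_IN_RTX_QUEUE) list_del(&buff->tcp_tsorted_anchor);`, or have the comment state why only the write-queue case can reach this point. The comment should also say what the helper does rather than only why, since it clears two fields, e.g. `/* tcp_tsorted_anchor shares storage with _skb_refdst and destructor; clear both so the reinject-queue free path sees a NULL dst. */`. The `if` block the new lines sit in and mptcp_fragment itself begin outside the hunk.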