mptcp: Only mpcb-put if the time-wait sk is still in the list

There is a race in that one CPU might be in mptcp_mpcb_cleanup and another one in mptcp_twsk_destructor. mpcb might still be set at that point. The point of synchronization is when we take the spinlock in mptcp_twsk_destructor and make sure that the twsk is still in the list. Only the one who is really removing it should put the reference to the mpcb. Fixes: Zero-day Bug Signed-off-by: Christoph Paasch <[email protected]> Signed-off-by: Matthieu Baerts <[email protected]> (cherry picked from commit 7df5ba4) Signed-off-by: Matthieu Baerts <[email protected]> (cherry picked from commit 551680a) Signed-off-by: Matthieu Baerts <[email protected]>
multipath-tcp · Feb 14, 2020 · f81f166 · f81f166
1 parent 4607ccf
commit f81f166
Showing 1 changed file with 3 additions and 2 deletions.
diff --git a/net/mptcp/mptcp_ctrl.c b/net/mptcp/mptcp_ctrl.c
@@ -2317,11 +2317,12 @@ void mptcp_twsk_destructor(struct tcp_timewait_sock *tw)
 		if (tw->mptcp_tw->in_list) {
 			list_del_rcu(&tw->mptcp_tw->list);
 			tw->mptcp_tw->in_list = 0;
+			/* Put, because we added it to the list */
+			mptcp_mpcb_put(mpcb);
 		}
 		spin_unlock(&mpcb->tw_lock);
 
-		/* Twice, because we increased it above */
-		mptcp_mpcb_put(mpcb);
+		/* Second time, because we increased it above */
 		mptcp_mpcb_put(mpcb);
 	}