From 5aff397a97b7ad92ac1086a37d0657e056af7363 Mon Sep 17 00:00:00 2001 From: Christoph Paasch Date: Wed, 27 Jul 2022 16:20:26 -0700 Subject: [PATCH] mptcp: Don't unset inet_num We introduced mptcp_icsk_forced_close to unlock the socket after the call to tcp_done to avoid racing tcp_done with packet-reception while we are in the ehash table. That fix missed one critical part: These sockets also are already in the bhash table. Meaning, icsk_bind_hash is set as is inet_num. mptcp_icsk_forced_close forces inet_num to zero to avoid triggering the WARN in inet_csk_destroy_sock. HOWEVER, this socket is properly in the bhash table and we need to remove it. If inet_num is 0, it means we end up taking the wrong head->lock in inet_put_port() and we end up racing with other list-processing. This ends up corrupting the bhash-list. Fixes: 1d5fc78957a7 ("mptcp: Do not race forced-closure with packet reception") Signed-off-by: Christoph Paasch Signed-off-by: Matthieu Baerts (cherry picked from commit 359aef5a07d7d78d080d0e49dbdd1b48a50bf475) Signed-off-by: Matthieu Baerts --- net/mptcp/mptcp_ctrl.c | 1 - 1 file changed, 1 deletion(-) diff --git a/net/mptcp/mptcp_ctrl.c b/net/mptcp/mptcp_ctrl.c index e6cac7e4de31..617d6c33cde5 100644 --- a/net/mptcp/mptcp_ctrl.c +++ b/net/mptcp/mptcp_ctrl.c @@ -1232,7 +1232,6 @@ static void mptcp_icsk_forced_close(struct sock *sk) /* The below has to be done to allow calling inet_csk_destroy_sock */ sock_set_flag(sk, SOCK_DEAD); percpu_counter_inc(sk->sk_prot->orphan_count); - inet_sk(sk)->inet_num = 0; tcp_done(sk);
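Review bot: The comment that opens the hunk ("The below has to be done to allow calling inet_csk_destroy_sock") was written when the `inet_num = 0` assignment was part of that preparation, and with the assignment gone it should say why the socket must keep its port number until it is unhashed: the commit message explains that `inet_put_port()` selects the bhash bucket lock from `inet_num`, so a zeroed value takes the wrong `head->lock` and corrupts the bhash list. Without such a note a future reader may reintroduce the zeroing to silence the WARN in `inet_csk_destroy_sock` the original line was added for. The commit message should also state what now prevents that WARN once the socket is properly removed from the bhash in the `tcp_done(sk)` path, since the hunk itself gives no indication.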