This repository has been archived by the owner on Apr 18, 2024. It is now read-only.
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
We introduced mptcp_icsk_forced_close to unlock the socket after the call to tcp_done to avoid racing tcp_done with packet-reception while we are in the ehash table.

That fix missed one critical part: These sockets also are already in the bhash table. Meaning, icsk_bind_hash is set as is inet_num. mptcp_icsk_forced_close forces inet_num to zero to avoid triggering the WARN in inet_csk_destroy_sock.

HOWEVER, this socket is properly in the bhash table and we need to remove it. If inet_num is 0, it means we end up taking the wrong head->lock in inet_put_port() and we end up racing with other list-processing. This ends up corrupting the bhash-list.

Fixes: 1d5fc78 ("mptcp: Do not race forced-closure with packet reception")
Signed-off-by: Christoph Paasch <cpaasch@apple.com>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit 359aef5)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit 5aff397)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
(cherry picked from commit 5387f81)
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
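A simplified user-space model of the lock-selection problem the commit message describes, added here as an illustration; it is not code from this commit or from the kernel. The names `msock`, `bucket_for`, `put_port`, `close_zero_first` and `close_put_first`, the 8-bucket table and the modulo hash are all assumptions of the model, and the put-first ordering shows one safe sequence rather than the patch's actual change.

```c
#include <stddef.h>
#include <stdio.h>

#define NBUCKETS 8  /* constructed size for the model */

struct bucket;
struct msock { unsigned short num; struct bucket *home; struct msock *next; };
struct bucket { struct msock *chain; };  /* stands for one head with its own lock */
static struct bucket bhash[NBUCKETS];

/* Hypothetical hash: the bucket (and so the lock) is derived from the port. */
static struct bucket *bucket_for(unsigned short num) {
    return &bhash[num % NBUCKETS];
}

static void bind_port(struct msock *sk, unsigned short num) {
    sk->num = num;
    sk->home = bucket_for(num);   /* chain the socket really lives on */
    sk->next = sk->home->chain;
    sk->home->chain = sk;
}

/* Models the release path: the lock is picked from sk->num, but the unlink
 * happens on the chain the socket is linked into. Returns 1 when the lock
 * that would be taken protects that chain, 0 when it is the wrong one. */
static int put_port(struct msock *sk) {
    struct bucket *locked = bucket_for(sk->num);
    struct bucket *home = sk->home;
    struct msock **pp = &home->chain;
    while (*pp && *pp != sk) pp = &(*pp)->next;
    if (*pp) *pp = sk->next;
    sk->home = NULL;
    return locked == home;
}

static int close_zero_first(unsigned short port) {  /* ordering described as buggy */
    struct msock sk; bind_port(&sk, port);
    sk.num = 0;
    return put_port(&sk);
}
static int close_put_first(unsigned short port) {   /* release while num is still set */
    struct msock sk; bind_port(&sk, port);
    int ok = put_port(&sk);
    sk.num = 0;
    return ok;
}
int main(void) {
    printf("zero first: %d, put first: %d\n", close_zero_first(4242), close_put_first(4242));
    return 0;
}
```

A port that happens to hash to the same bucket as 0 hides the problem in this model, which is why such a race can pass casual testing.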