From: Paolo Abeni <pabeni@redhat.com>
Date: Fri, 24 Apr 2020 11:15:21 +0000 (+0200)
Subject: mptcp: fix race in msk status update
X-Git-Tag: v5.7-rc5~30^2~79
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1200832c6e850a17f36631f6492f953a1b39e6b8;p=thirdparty%2Fkernel%2Flinux.git

mptcp: fix race in msk status update

Currently subflow_finish_connect() changes unconditionally
any msk socket status other than TCP_ESTABLISHED.

If an unblocking connect() races with close(), we can end-up
triggering:

IPv4: Attempt to release TCP socket in state 1 00000000e32b8b7e

when the msk socket is disposed.

Be sure to enter the established status only from SYN_SENT.

Fixes: c3c123d16c0e ("net: mptcp: don't hang in mptcp_sendmsg() after TCP fallback")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
---

diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index fabd06f2ff455..71256f03707fe 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -225,7 +225,7 @@ static void subflow_finish_connect(struct sock *sk, const struct sk_buff *skb)
 
 	subflow->icsk_af_ops->sk_rx_dst_set(sk, skb);
 
-	if (inet_sk_state_load(parent) != TCP_ESTABLISHED) {
+	if (inet_sk_state_load(parent) == TCP_SYN_SENT) {
 		inet_sk_state_store(parent, TCP_ESTABLISHED);
 		parent->sk_state_change(parent);
 	}