This is a note to let you know that I've just added the patch titled

    net: tcp: fix crashes trying to free half-baked MTU probes

to the 6.5-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     net-tcp-fix-crashes-trying-to-free-half-baked-mtu-pr.patch
and it can be found in the queue-6.5 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.

commit bdec67a24485af08ce014aa3d86dcb38553e3274
Author: Jakub Kicinski <kuba@xxxxxxxxxx>
Date:   Tue Oct 10 10:36:51 2023 -0700

    net: tcp: fix crashes trying to free half-baked MTU probes

    [ Upstream commit 71c299c711d1f44f0bf04f1fea66baad565240f1 ]

    tcp_stream_alloc_skb() initializes the skb to use tcp_tsorted_anchor
    which is a union with the destructor. We need to clean that
    TCP-iness up before freeing.

    Fixes: 736013292e3c ("tcp: let tcp_mtu_probe() build headless packets")
    Reviewed-by: Eric Dumazet <edumazet@xxxxxxxxxx>
    Link: https://lore.kernel.org/r/20231010173651.3990234-1-kuba@xxxxxxxxxx
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/ipv4/tcp_output.c b/net/ipv4/tcp_output.c index 37fd9537423f1..a8f58f5e99a77 100644 --- a/net/ipv4/tcp_output.c +++ b/net/ipv4/tcp_output.c @@ -2441,6 +2441,7 @@ static int tcp_mtu_probe(struct sock *sk) /* build the payload, and be prepared to abort if this fails. */ if (tcp_clone_payload(sk, nskb, probe_size)) { + tcp_skb_tsorted_anchor_cleanup(nskb); consume_skb(nskb); return -1; }
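
Review bot: the added tcp_skb_tsorted_anchor_cleanup(nskb) ahead of consume_skb(nskb) in the tcp_clone_payload() failure branch carries no comment, and the reason it is required (tcp_tsorted_anchor shares a union with the destructor) lives only in the commit message. A one-line comment at the call, for example "/* undo the tsorted anchor set up by tcp_stream_alloc_skb() before freeing */", would keep a later cleanup from dropping it as redundant. It is also worth confirming that this is the only place in tcp_mtu_probe() where nskb is freed before being queued: the hunk context shows just this one abort branch, and any other early free of the same skb would need the same call.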