From: Wei Wang <wei...@google.com>
Date: Wed, 1 Mar 2017 13:29:48 -0800

> From: Wei Wang <wei...@google.com>
>
> tp->fastopen_req could potentially be double freed if a malicious
> user does the following:
> 1. Enable TCP_FASTOPEN_CONNECT sockopt and do a connect() on the socket.
> 2. Call connect() with AF_UNSPEC to disconnect the socket.
> 3. Make this socket a listening socket by calling listen().
> 4. Accept incoming connections and generate child sockets. All child
>    sockets will get a copy of the pointer of fastopen_req.
> 5. Call close() on all sockets. fastopen_req will get freed multiple
>    times.
>
> Fixes: 19f6d3f3c842 ("net/tcp-fastopen: Add new API support")
> Reported-by: Andrey Konovalov <andreyk...@google.com>
> Signed-off-by: Wei Wang <wei...@google.com>
> Signed-off-by: Eric Dumazet <eduma...@google.com>

Applied, and queued up for -stable.
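
The ownership problem in the quoted commit message, as an added userspace model (not the kernel code and not the patch, which is not shown in this message). All struct and function names are hypothetical, releases are counted instead of calling free(), and dropping the request on disconnect is an assumed mitigation used only to contrast the two outcomes.

```c
#include <stdio.h>
#include <string.h>

/* Constructed userspace model; every name here is hypothetical, not kernel code. */
struct req { int releases; };          /* stands in for fastopen_req */
struct sock_model { struct req *fastopen_req; int listening; };

/* Count releases instead of calling free(), so a repeat is observable and safe. */
static void req_release(struct sock_model *sk) {
    if (sk->fastopen_req)
        sk->fastopen_req->releases++;
    sk->fastopen_req = NULL;
}

/* Step 2: disconnect. With drop_req set (assumed mitigation), the stale
 * request is released here, before the socket can become a listener. */
static void model_disconnect(struct sock_model *sk, int drop_req) {
    if (drop_req)
        req_release(sk);
}

/* Step 4: a child starts as a shallow copy of the listener, pointer included. */
static void model_clone(const struct sock_model *parent, struct sock_model *child) {
    memcpy(child, parent, sizeof(*child));
    child->listening = 0;
}

/* Runs steps 1-5 with two children; returns how often the one request was released. */
static int run_scenario(int drop_req_on_disconnect) {
    struct req r = { 0 };
    struct sock_model listener = { &r, 0 }, child[2];    /* step 1: request attached */
    model_disconnect(&listener, drop_req_on_disconnect); /* step 2 */
    listener.listening = 1;                              /* step 3 */
    for (int i = 0; i < 2; i++)
        model_clone(&listener, &child[i]);               /* step 4 */
    for (int i = 0; i < 2; i++)
        req_release(&child[i]);                          /* step 5 */
    req_release(&listener);
    return r.releases;
}

int main(void) {
    printf("pointer kept across disconnect: released %d times\n", run_scenario(0));
    printf("pointer dropped on disconnect:  released %d times\n", run_scenario(1));
    return 0;
}
```

Any release count above one for the single request object corresponds to the multiple frees described in step 5.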