Re: [PATCH net v3] tcp: clear sock_ops cb flags before force-closing a child socket

[Kuniyuki Iwashima]

On Thu, Jun 11, 2026 at 2:29 AM Sechang Lim <rhkrqnwk98@xxxxxxxxx> wrote:
>
> A child socket inherits the listener's bpf_sock_ops_cb_flags via
> sk_clone_lock(). If its setup fails in tcp_v4_syn_recv_sock() /
> tcp_v6_syn_recv_sock(), the child is freed through put_and_exit, where
> inet_csk_prepare_forced_close() drops the socket lock and tcp_done() runs
> without it.
>
> If BPF_SOCK_OPS_STATE_CB_FLAG was inherited, tcp_done() -> tcp_set_state()
> calls tcp_call_bpf(), which expects the lock and trips sock_owned_by_me():
>
>   WARNING: include/net/sock.h:1799 at tcp_set_state+0x433/0x550
>   RIP: 0010:tcp_set_state+0x433/0x550 include/net/sock.h:1799
>   Call Trace:
>    <IRQ>
>    tcp_done+0xba/0x250 net/ipv4/tcp.c:5095
>    tcp_v4_syn_recv_sock+0x850/0xa50 net/ipv4/tcp_ipv4.c:1787
>    tcp_check_req+0xf30/0x1360 net/ipv4/tcp_minisocks.c:926
>    tcp_v4_rcv+0x1047/0x1b50 net/ipv4/tcp_ipv4.c:2164
>    </IRQ>
>
> The child is freed before it is ever established, so it should run no
> sock_ops callback. Clear its cb flags in inet_csk_prepare_for_destroy_sock(),
> the common point for the IPv4, IPv6 and chtls forced-close paths and for the
> MPTCP ->syn_recv_sock() failure path (dispose_child), which reaches tcp_done()
> on a child that was never established too.
>
> Suggested-by: Jiayuan Chen <jiayuan.chen@xxxxxxxxx>
> Fixes: d44874910a26 ("bpf: Add BPF_SOCK_OPS_STATE_CB")
> Signed-off-by: Sechang Lim <rhkrqnwk98@xxxxxxxxx>

Reviewed-by: Kuniyuki Iwashima <kuniyu@xxxxxxxxxx>