CVE-2025-40186

In the Linux kernel, the following vulnerability has been resolved:

tcp: Don't call reqskfastopenremove() in tcpconnrequest().

syzbot reported the splat below in tcpconnrequest(). [0]

If a listener is close()d while a TFO socket is being processed in tcpconnrequest(), inetcskreqskqueueadd() does not set reqsk->sk and calls inetchildforget(), which calls tcp_disconnect() for the TFO socket.

After the cited commit, tcpdisconnect() calls reqskfastopenremove(), where reqskput() is called due to !reqsk->sk.

Then, reqskfastopenremove() in tcpconnrequest() decrements the last req->rskrefcnt and frees reqsk, and _reqskfree() at the dropand_free label causes the refcount underflow for the listener and double-free of the reqsk.

Let's remove reqskfastopenremove() in tcpconnrequest().

Note that other callers make sure tp->fastopen_rsk is not NULL.

WARNING: CPU: 12 PID: 5563 at lib/refcount.c:28 refcountwarnsaturate (lib/refcount.c:28) Modules linked in: CPU: 12 UID: 0 PID: 5563 Comm: syz-executor Not tainted syzkaller #0 PREEMPT(full) Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 07/12/2025 RIP: 0010:refcountwarnsaturate (lib/refcount.c:28) Code: ab e8 8e b4 98 ff 0f 0b c3 cc cc cc cc cc 80 3d a4 e4 d6 01 00 75 9c c6 05 9b e4 d6 01 01 48 c7 c7 e8 df fb ab e8 6a b4 98 ff <0f> 0b e9 03 5b 76 00 cc 80 3d 7d e4 d6 01 00 0f 85 74 ff ff ff c6 RSP: 0018:ffffa79fc0304a98 EFLAGS: 00010246 RAX: d83af4db1c6b3900 RBX: ffff9f65c7a69020 RCX: d83af4db1c6b3900 RDX: 0000000000000000 RSI: 00000000ffff7fff RDI: ffffffffac78a280 RBP: 000000009d781b60 R08: 0000000000007fff R09: ffffffffac6ca280 R10: 0000000000017ffd R11: 0000000000000004 R12: ffff9f65c7b4f100 R13: ffff9f65c7d23c00 R14: ffff9f65c7d26000 R15: ffff9f65c7a64ef8 FS: 00007f9f962176c0(0000) GS:ffff9f65fcf00000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000200000000180 CR3: 000000000dbbe006 CR4: 0000000000372ef0 Call Trace: <IRQ> tcpconnrequest (./include/linux/refcount.h:400 ./include/linux/refcount.h:432 ./include/linux/refcount.h:450 ./include/net/sock.h:1965 ./include/net/requestsock.h:131 net/ipv4/tcpinput.c:7301) tcprcvstateprocess (net/ipv4/tcpinput.c:6708) tcpv6dorcv (net/ipv6/tcpipv6.c:1670) tcpv6rcv (net/ipv6/tcpipv6.c:1906) ip6protocoldeliverrcu (net/ipv6/ip6input.c:438) ip6input (net/ipv6/ip6input.c:500) ipv6rcv (net/ipv6/ip6input.c:311) _netifreceiveskb (net/core/dev.c:6104) processbacklog (net/core/dev.c:6456) _napipoll (net/core/dev.c:7506) netrxaction (net/core/dev.c:7569 net/core/dev.c:7696) handlesoftirqs (kernel/softirq.c:579) do_softirq (kernel/softirq.c:480) </IRQ>