From: Eric Dumazet <eric.duma...@gmail.com>
Date: Wed, 03 May 2017 06:39:31 -0700

> From: Eric Dumazet <eduma...@google.com>
> 
> Under fuzzer stress, it is possible that a child gets a non NULL
> fastopen_req pointer from its parent at accept() time, when/if parent
> morphs from listener to active session.
> 
> We need to make sure this can not happen, by clearing the field after
> socket cloning.
 ...
> Fixes: e994b2f0fb92 ("tcp: do not lock listener to process SYN packets")
> Fixes: 7db92362d2fe ("tcp: fix potential double free issue for fastopen_req")
> Signed-off-by: Eric Dumazet <eduma...@google.com>
> Reported-by: Andrey Konovalov <andreyk...@google.com>

Applied and queued up for -stable, thanks Eric.
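
The inherited-pointer problem described in the quoted commit message, as an added userspace C model that is not part of the original thread and is not the kernel patch. Every struct and function name below is hypothetical, and a counter stands in for actually freeing the request.

```c
#include <stdio.h>
#include <string.h>

/* Userspace model only: hypothetical names, not kernel code. */
struct req_model { int releases; };      /* counts releases instead of calling free() */
struct sock_model {
    int listening;                       /* 1 = listener, 0 = active session */
    struct req_model *fastopen_req;      /* meant to be owned by exactly one socket */
};

/* Bytewise clone of the parent: the request pointer is copied along with the rest. */
static void clone_unfixed(struct sock_model *child, const struct sock_model *parent)
{
    memcpy(child, parent, sizeof(*child));
}

/* Same clone, then clear the field so the child never shares the parent's request. */
static void clone_fixed(struct sock_model *child, const struct sock_model *parent)
{
    memcpy(child, parent, sizeof(*child));
    child->fastopen_req = NULL;
}

/* Teardown releases whatever request this socket believes it owns. */
static void destroy(struct sock_model *sk)
{
    if (sk->fastopen_req)
        sk->fastopen_req->releases++;    /* stands in for freeing the request */
    sk->fastopen_req = NULL;
}

/* How many times the request is released once child and parent are both torn down. */
static int releases_after_teardown(int use_fix)
{
    struct req_model req = { 0 };
    /* Parent has already morphed from listener to active session and holds a request. */
    struct sock_model parent = { 0, &req }, child;
    if (use_fix)
        clone_fixed(&child, &parent);
    else
        clone_unfixed(&child, &parent);
    destroy(&child);
    destroy(&parent);
    return req.releases;                 /* anything above 1 models a double free */
}

int main(void)
{
    printf("unfixed=%d fixed=%d\n", releases_after_teardown(0), releases_after_teardown(1));
    return 0;
}
```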
