[PATCH v3] tcp: Store the owner connections for flags frames
There is an issue reported by Volker Diels-Grabsch and Boleyn Su.
A segmentation fault occurs when executing the following command:
(sleep 0.1; ssh -p 22000 127.0.0.1) & passt -f -t 22000:22
It's caused by commit 78da088f7bab ("tcp: unify payload and flags
l2 frames array"). Fix it by storing the owner connections of flags
frames into tcp_frame_conns[] array.
Reported-by: Volker Diels-Grabsch
On Thu, Sep 11, 2025 at 09:09:36AM +0800, Yumei Huang wrote:
There is an issue reported by Volker Diels-Grabsch and Boleyn Su. A segmentation fault occurs when executing the following command:
(sleep 0.1; ssh -p 22000 127.0.0.1) & passt -f -t 22000:22
It's caused by commit 78da088f7bab ("tcp: unify payload and flags l2 frames array"). Fix it by storing the owner connections of flags frames into tcp_frame_conns[] array.
Reported-by: Volker Diels-Grabsch
Reported-by: Boleyn Su
Suggested-by: David Gibson
Fixes: 78da088f7bab ("tcp: unify payload and flags l2 frames array")
Signed-off-by: Yumei Huang
Reviewed-by: David Gibson
--- tcp_buf.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-)
diff --git a/tcp_buf.c b/tcp_buf.c index bc898de..d63c18d 100644 --- a/tcp_buf.c +++ b/tcp_buf.c @@ -209,13 +209,14 @@ int tcp_buf_send_flag(const struct ctx *c, struct tcp_tap_conn *conn, int flags) if (ret <= 0) return ret;
- tcp_payload_used++; + tcp_frame_conns[tcp_payload_used++] = conn; l4len = optlen + sizeof(struct tcphdr); iov[TCP_IOV_PAYLOAD].iov_len = l4len; tcp_l2_buf_fill_headers(conn, iov, NULL, seq, false);
if (flags & DUP_ACK) { - struct iovec *dup_iov = tcp_l2_iov[tcp_payload_used++]; + struct iovec *dup_iov = tcp_l2_iov[tcp_payload_used]; + tcp_frame_conns[tcp_payload_used++] = conn;
memcpy(dup_iov[TCP_IOV_TAP].iov_base, iov[TCP_IOV_TAP].iov_base, iov[TCP_IOV_TAP].iov_len); -- 2.47.0
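Review bot: In the `if (flags & DUP_ACK)` branch the slot index is read on one line (`tcp_l2_iov[tcp_payload_used]`) and only advanced on the next (`tcp_frame_conns[tcp_payload_used++] = conn;`), so the frame array and the owner array stay in step only while those two statements are kept adjacent and in that order. Consider taking the index into a local once, or adding a small helper that claims a slot and records its owner in one place, and using it for the first frame as well. The visible context also shows no check that a second slot is free before the duplicate frame is queued; if the flush logic elsewhere guarantees that, a one-line comment here saying so would help the next reader.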
-- 
David Gibson (he or they)       | I'll have my music baroque, and my code
david AT gibson.dropbear.id.au  | minimalist, thank you, not the other way
                                | around.
http://www.ozlabs.org/~dgibson
On Thu, 11 Sep 2025 09:09:36 +0800, Yumei Huang wrote:
There is an issue reported by Volker Diels-Grabsch and Boleyn Su. A segmentation fault occurs when executing the following command:
(sleep 0.1; ssh -p 22000 127.0.0.1) & passt -f -t 22000:22
It's caused by commit 78da088f7bab ("tcp: unify payload and flags l2 frames array"). Fix it by storing the owner connections of flags frames into tcp_frame_conns[] array.
Reported-by: Volker Diels-Grabsch
Reported-by: Boleyn Su
Suggested-by: David Gibson
Fixes: 78da088f7bab ("tcp: unify payload and flags l2 frames array")
Signed-off-by: Yumei Huang
Applied.

-- 
Stefano