Jiri Slaby 258790
From: Paolo Abeni <pabeni@redhat.com>
Date: Tue, 11 Apr 2023 22:42:11 +0200
Subject: [PATCH] mptcp: fix NULL pointer dereference on fastopen early
 fallback
References: bsc#1012628
Patch-mainline: 6.2.12
Git-commit: c0ff6f6da66a7791a32c0234388b1bdc00244917

commit c0ff6f6da66a7791a32c0234388b1bdc00244917 upstream.

In case of early fallback to TCP, subflow_syn_recv_sock() deletes
the subflow context before returning the newly allocated sock to
the caller.

The fastopen path does not cope with the above unconditionally
dereferencing the subflow context.

Fixes: 36b122baf6a8 ("mptcp: add subflow_v(4,6)_send_synack()")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
Signed-off-by: Jiri Slaby <jslaby@suse.cz>
---
 net/mptcp/fastopen.c | 11 +++++++++--
 1 file changed, 9 insertions(+), 2 deletions(-)

diff --git a/net/mptcp/fastopen.c b/net/mptcp/fastopen.c
index d237d142..bceaab8d 100644
--- a/net/mptcp/fastopen.c
+++ b/net/mptcp/fastopen.c
@@ -9,11 +9,18 @@
 void mptcp_fastopen_subflow_synack_set_params(struct mptcp_subflow_context *subflow,
 					      struct request_sock *req)
 {
-	struct sock *ssk = subflow->tcp_sock;
-	struct sock *sk = subflow->conn;
+	struct sock *sk, *ssk;
 	struct sk_buff *skb;
 	struct tcp_sock *tp;
 
+	/* on early fallback the subflow context is deleted by
+	 * subflow_syn_recv_sock()
+	 */
+	if (!subflow)
+		return;
+
+	ssk = subflow->tcp_sock;
+	sk = subflow->conn;
 	tp = tcp_sk(ssk);
 
 	subflow->is_mptfo = 1;
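Review bot: the early return on `!subflow` makes this helper silently skip setting every fastopen parameter for the request (including `subflow->is_mptfo = 1` below), which is only correct because an early fallback leaves a plain TCP socket with no MPTCP state to update; the new comment explains where the context was deleted but not that there is nothing left to do, so a future reader may read the bail-out as a lost-state bug rather than the intended fallback behaviour. Suggest extending it, e.g. "on early fallback the subflow context is deleted by subflow_syn_recv_sock(); the socket is plain TCP and there is nothing to set", and, since the Fixes line points at subflow_v(4,6)_send_synack(), consider whether the NULL check belongs in those callers instead, so this function keeps the invariant that `subflow` is non-NULL and the tolerance sits next to the code that fetched the context. Moving `ssk = subflow->tcp_sock;` and `sk = subflow->conn;` after the check is the right ordering either way, as `tp = tcp_sk(ssk)` would otherwise dereference a NULL-derived pointer.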
-- 
2.35.3