From 258790baab924e1f02e367593bf7d2d2cf9fa12e Mon Sep 17 00:00:00 2001
From: Jiri Slaby
Date: Apr 20 2023 11:01:04 +0000
Subject: mptcp: fix NULL pointer dereference on fastopen early fallback (bsc#1012628).
---
diff --git a/patches.kernel.org/6.2.12-124-mptcp-fix-NULL-pointer-dereference-on-fastopen.patch b/patches.kernel.org/6.2.12-124-mptcp-fix-NULL-pointer-dereference-on-fastopen.patch
new file mode 100644
index 0000000..0481979
--- /dev/null
+++ b/patches.kernel.org/6.2.12-124-mptcp-fix-NULL-pointer-dereference-on-fastopen.patch
@@ -0,0 +1,57 @@
+From: Paolo Abeni
+Date: Tue, 11 Apr 2023 22:42:11 +0200
+Subject: [PATCH] mptcp: fix NULL pointer dereference on fastopen early
+ fallback
+References: bsc#1012628
+Patch-mainline: 6.2.12
+Git-commit: c0ff6f6da66a7791a32c0234388b1bdc00244917
+
+commit c0ff6f6da66a7791a32c0234388b1bdc00244917 upstream.
+
+In case of early fallback to TCP, subflow_syn_recv_sock() deletes
+the subflow context before returning the newly allocated sock to
+the caller.
+
+The fastopen path does not cope with the above unconditionally
+dereferencing the subflow context.
+
+Fixes: 36b122baf6a8 ("mptcp: add subflow_v(4,6)_send_synack()")
+Cc: stable@vger.kernel.org
+Signed-off-by: Paolo Abeni
+Reviewed-by: Matthieu Baerts
+Signed-off-by: Matthieu Baerts
+Signed-off-by: Jakub Kicinski
+Signed-off-by: Greg Kroah-Hartman
+Signed-off-by: Jiri Slaby
+---
+ net/mptcp/fastopen.c | 11 +++++++++--
+ 1 file changed, 9 insertions(+), 2 deletions(-)
+
+diff --git a/net/mptcp/fastopen.c b/net/mptcp/fastopen.c
+index d237d142..bceaab8d 100644
+--- a/net/mptcp/fastopen.c
++++ b/net/mptcp/fastopen.c
+@@ -9,11 +9,18 @@
+ void mptcp_fastopen_subflow_synack_set_params(struct mptcp_subflow_context *subflow,
+ struct request_sock *req)
+ {
+- struct sock *ssk = subflow->tcp_sock;
+- struct sock *sk = subflow->conn;
++ struct sock *sk, *ssk;
+ struct sk_buff *skb;
+ struct tcp_sock *tp;
+ 
++ /* on early fallback the subflow context is deleted by
++ * subflow_syn_recv_sock()
++ */
++ if (!subflow)
++ return;
++
++ ssk = subflow->tcp_sock;
++ sk = subflow->conn;
+ tp = tcp_sk(ssk);
+ 
+ subflow->is_mptfo = 1;
+--
+2.35.3
+
diff --git a/series.conf b/series.conf
index c54046c..80ac67a 100644
--- a/series.conf
+++ b/series.conf
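Review bot: The guard `if (!subflow) return;` silently changes the contract of `mptcp_fastopen_subflow_synack_set_params()` to accept a NULL context, but the only record of that is the inline comment above the check, which no caller reading the declaration will see; a kernel-doc block above the definition should state it, e.g. `@subflow: subflow context, or NULL if subflow_syn_recv_sock() already fell back to plain TCP`, and that in the NULL case the function is a no-op and no MPTCP fastopen state (`is_mptfo`) is recorded. The callers named in the Fixes trailer, `subflow_v4/v6_send_synack()`, are outside this patch, so it should be confirmed in net/mptcp/subflow.c that each of them passes the possibly-NULL result of the context lookup straight through rather than dereferencing it first, otherwise the oops merely moves one frame up. The early-fallback decision is driven by the peer's SYN, so this looks like a remotely triggerable NULL dereference on a listening MPTCP socket with TFO enabled; if that is confirmed, bsc#1012628 should record the DoS impact rather than just "fix NULL pointer dereference". The remainder of the function body continues outside the hunk after `subflow->is_mptfo = 1;`.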
@@ -2351,6 +2351,7 @@
patches.kernel.org/6.2.12-121-drm-amd-pm-correct-SMU13.0.7-max-shader-clock-.patch
patches.kernel.org/6.2.12-122-mptcp-use-mptcp_schedule_work-instead-of-open-.patch
patches.kernel.org/6.2.12-123-mptcp-stricter-state-check-in-mptcp_worker.patch
+ patches.kernel.org/6.2.12-124-mptcp-fix-NULL-pointer-dereference-on-fastopen.patch
########################################################
# Build fixes that apply to the vanilla kernel too.