linux-stable

mirror of https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git synced 2024-09-29 22:02:02 +00:00

History

Paolo Abeni b6985b9b82 mptcp: use the workqueue to destroy unaccepted sockets Christoph reported a UaF at token lookup time after having refactored the passive socket initialization part: BUG: KASAN: use-after-free in __token_bucket_busy+0x253/0x260 Read of size 4 at addr ffff88810698d5b0 by task syz-executor653/3198 CPU: 1 PID: 3198 Comm: syz-executor653 Not tainted 6.2.0-rc59af4eaa31c1f6c00c8f1e448ed99a45c66340dd5 #6 Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.13.0-0-gf21b5a4aeb02-prebuilt.qemu.org 04/01/2014 Call Trace: <TASK> dump_stack_lvl+0x6e/0x91 print_report+0x16a/0x46f kasan_report+0xad/0x130 __token_bucket_busy+0x253/0x260 mptcp_token_new_connect+0x13d/0x490 mptcp_connect+0x4ed/0x860 __inet_stream_connect+0x80e/0xd90 tcp_sendmsg_fastopen+0x3ce/0x710 mptcp_sendmsg+0xff1/0x1a20 inet_sendmsg+0x11d/0x140 __sys_sendto+0x405/0x490 __x64_sys_sendto+0xdc/0x1b0 do_syscall_64+0x3b/0x90 entry_SYSCALL_64_after_hwframe+0x72/0xdc We need to properly clean-up all the paired MPTCP-level resources and be sure to release the msk last, even when the unaccepted subflow is destroyed by the TCP internals via inet_child_forget(). We can re-use the existing MPTCP_WORK_CLOSE_SUBFLOW infra, explicitly checking that for the critical scenario: the closed subflow is the MPC one, the msk is not accepted and eventually going through full cleanup. With such change, __mptcp_destroy_sock() is always called on msk sockets, even on accepted ones. We don't need anymore to transiently drop one sk reference at msk clone time. Please note this commit depends on the parent one: mptcp: refactor passive socket initialization Fixes: `58b0991962` ("mptcp: create msk early") Cc: stable@vger.kernel.org Reported-and-tested-by: Christoph Paasch <cpaasch@apple.com> Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/347 Signed-off-by: Paolo Abeni <pabeni@redhat.com> Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net> Signed-off-by: Jakub Kicinski <kuba@kernel.org>		2023-03-10 21:42:56 -08:00
..
6lowpan
9p	9p patches for 6.3 merge window (part 1)	2023-03-01 08:52:49 -08:00
802	treewide: Convert del_timer() to timer_shutdown()	2022-12-25 13:38:09 -08:00
8021q
appletalk
atm
ax25
batman-adv	batman-adv: tvlv: prepare for tvlv enabled multicast packet type	2023-01-21 19:01:59 +01:00
bluetooth	TTY/Serial driver updates for 6.3-rc1	2023-02-24 12:17:14 -08:00
bpf	bpf, test_run: fix &xdp_frame misplacement for LIVE_FRAMES	2023-03-06 11:15:54 -08:00
bpfilter
bridge	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netfilter/nf	2023-02-22 21:25:23 -08:00
caif	net: caif: Fix use-after-free in cfusbl_device_notify()	2023-03-02 22:22:07 -08:00
can	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2023-02-09 12:25:40 -08:00
ceph	Networking changes for 6.3.	2023-02-21 18:24:12 -08:00
core	xdp: add xdp_set_features_flag utility routine	2023-03-10 21:33:47 -08:00
dcb	net: dcb: add helper functions to retrieve PCP and DSCP rewrite maps	2023-01-20 09:33:22 +00:00
dccp	dccp/tcp: Avoid negative sk_forward_alloc by ipv6_pinfo.pktoptions.	2023-02-10 19:53:42 -08:00
devlink	devlink: drop leftover duplicate/unused code	2023-02-20 11:38:35 +00:00
dns_resolver
dsa	net: dsa: use NL_SET_ERR_MSG_WEAK_MOD() more consistently	2023-02-03 19:23:32 -08:00
ethernet
ethtool	net: ethtool: fix __ethtool_dev_mm_supported() implementation	2023-02-21 09:05:01 -08:00
hsr
ieee802154	ieee802154: Prevent user from crashing the host	2023-03-02 14:39:48 +01:00
ife
ipv4	tcp: tcp_make_synack() can be called from process context	2023-03-09 23:12:00 -08:00
ipv6	netfilter: tproxy: fix deadlock due to missing BH disable	2023-03-06 12:09:48 +01:00
iucv
kcm	net/sock: Introduce trace_sk_data_ready()	2023-01-23 11:26:50 +00:00
key	af_key: Fix heap information leak	2023-02-13 09:30:14 +00:00
l2tp	l2tp: Avoid possible recursive deadlock in l2tp_tunnel_register()	2023-02-20 09:25:20 +00:00
l3mdev
lapb
llc
mac80211	wifi: mac80211: check basic rates validity	2023-03-10 11:47:00 +01:00
mac802154	Merge tag 'ieee802154-for-net-next-2023-02-20' of git://git.kernel.org/pub/scm/linux/kernel/git/sschmidt/wpan-next	2023-02-20 16:40:52 -08:00
mctp	net: mctp: purge receive queues on sk destruction	2023-01-28 00:26:09 -08:00
mpls	net: mpls: fix stale pointer if allocation fails during device rename	2023-02-15 10:26:37 +00:00
mptcp	mptcp: use the workqueue to destroy unaccepted sockets	2023-03-10 21:42:56 -08:00
ncsi
netfilter	netfilter: conntrack: adopt safer max chain length	2023-03-07 10:58:06 +01:00
netlabel
netlink	genetlink: Use string_is_terminated() helper	2023-02-09 22:30:24 -08:00
netrom	netrom: Fix use-after-free caused by accept on already connected socket	2023-01-30 07:30:47 +00:00
nfc	nfc: change order inside nfc_se_io error path	2023-03-07 13:37:05 -08:00
nsh
openvswitch	There is no particular theme here - mainly quick hits all over the tree.	2023-02-23 17:55:40 -08:00
packet	net: no longer support SOCK_REFCNT_DEBUG feature	2023-02-15 10:25:21 +00:00
phonet	net/sock: Introduce trace_sk_data_ready()	2023-01-23 11:26:50 +00:00
psample
qrtr	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2023-02-02 14:49:55 -08:00
rds	rds: rds_rm_zerocopy_callback() correct order for list_add_tail()	2023-02-13 09:33:39 +00:00
rfkill	rfkill: Use sysfs_emit() to instead of sprintf()	2023-02-14 12:21:14 +01:00
rose	net/rose: Fix to not accept on connected socket	2023-01-28 00:19:57 -08:00
rxrpc	Networking changes for 6.3.	2023-02-21 18:24:12 -08:00
sched	net/sched: flower: fix fl_change() error recovery path	2023-03-01 08:49:54 +00:00
sctp	sctp: add a refcnt in sctp_stream_priorities to avoid a nested loop	2023-02-23 12:59:40 -08:00
smc	net/smc: fix fallback failed while sendmsg with fastopen	2023-03-08 13:00:55 +00:00
strparser
sunrpc	nfsd-6.3 fixes:	2023-03-01 11:03:44 -08:00
switchdev
tipc	Networking changes for 6.3.	2023-02-21 18:24:12 -08:00
tls	net: tls: fix device-offloaded sendpage straddling records	2023-03-06 13:26:16 -08:00
unix	af_unix: fix struct pid leaks in OOB support	2023-03-08 23:26:03 -08:00
vmw_vsock	Networking changes for 6.3.	2023-02-21 18:24:12 -08:00
wireless	wifi: cfg80211: fix MLO connection ownership	2023-03-10 11:47:25 +01:00
x25	net/x25: Fix to not accept on connected socket	2023-01-25 09:51:04 +00:00
xdp	xsk: add linux/vmalloc.h to xsk.c	2023-02-21 09:00:09 -08:00
xfrm	bpf-next-for-netdev	2023-02-10 17:51:27 -08:00
compat.c
devres.c
Kconfig
Kconfig.debug
Makefile	devlink: move code to a dedicated directory	2023-01-05 22:12:00 -08:00
socket.c	net: avoid double iput when sock_alloc_file fails	2023-03-08 23:26:51 -08:00
sysctl_net.c