author | Paolo Abeni <pabeni@redhat.com> | 2023-06-20 18:24:20 +0200 |
---|---|---|
committer | Jakub Kicinski <kuba@kernel.org> | 2023-06-21 22:44:54 -0700 |
commit | 56a666c48b038e91b76471289e2cf60c79d326b9 | |
tree | 0ce708d167fdafeb743ee5ea658072a3389ec6a0 /ipc/mqueue.c | |
parent | 0ad529d9fd2bfa3fc619552a8d2fb2f2ef0bce2e | |

mptcp: fix possible list corruption on passive MPJ

At passive MPJ time, if the msk socket lock is held by the user,
the new subflow is appended to the msk->join_list under the msk
data lock.

In mptcp_release_cb()/__mptcp_flush_join_list(), the subflows in
that list are moved from the join_list into the conn_list under the
msk socket lock.

Append and removal could race, possibly corrupting such list.
Address the issue splicing the join list into a temporary one while
still under the msk data lock.

Found by code inspection, the race itself should be almost impossible
to trigger in practice.

Fixes: 3e5014909b56 ("mptcp: cleanup MPJ subflow list handling")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'ipc/mqueue.c')
0 files changed, 0 insertions, 0 deletions
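
The locking pattern the commit message describes, as a userspace analog added here for illustration; it is not the kernel patch or code from the MPTCP tree. The struct and function names are hypothetical, and a pthread mutex stands in for the msk data lock.

```c
#include <pthread.h>
#include <stddef.h>

/* Userspace analog; every name here is hypothetical, not a kernel identifier. */
struct node { int id; struct node *next; };
struct list { struct node *head, *tail; };
struct conn {
    pthread_mutex_t data_lock; /* stands in for the msk data lock */
    struct list join_list;     /* shared: appended to under data_lock */
    struct list conn_list;     /* touched only by the flushing side */
};

/* Move every node of src to the tail of dst and leave src empty. */
static void splice_tail(struct list *src, struct list *dst)
{
    if (!src->head) return;
    if (dst->tail) dst->tail->next = src->head; else dst->head = src->head;
    dst->tail = src->tail;
    src->head = src->tail = NULL;
}

/* Passive-join side: appends to the shared list under data_lock. */
void join_enqueue(struct conn *c, struct node *n)
{
    struct list one = { n, n };
    n->next = NULL;
    pthread_mutex_lock(&c->data_lock);
    splice_tail(&one, &c->join_list);
    pthread_mutex_unlock(&c->data_lock);
}

/* Release side: detach the shared list while holding data_lock, then walk
 * the private copy; a concurrent join_enqueue() cannot reach those nodes. */
int flush_join_list(struct conn *c)
{
    struct list tmp = { NULL, NULL };
    int moved = 0;
    pthread_mutex_lock(&c->data_lock);
    splice_tail(&c->join_list, &tmp);
    pthread_mutex_unlock(&c->data_lock);
    for (struct node *n = tmp.head; n; n = n->next) moved++;
    splice_tail(&tmp, &c->conn_list);
    return moved;
}

int main(void)
{
    struct conn c = { .data_lock = PTHREAD_MUTEX_INITIALIZER };
    struct node a = { 1, NULL }, b = { 2, NULL };
    join_enqueue(&c, &a);
    join_enqueue(&c, &b);
    return flush_join_list(&c) == 2 ? 0 : 1;
}
```

Walking `join_list` directly in `flush_join_list()` without `data_lock` would let an append rewrite `tail->next` while the walker follows it, which is the race the message describes.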