author: Paolo Abeni <pabeni@redhat.com> 2023-06-20 18:24:20 +0200
committer: Jakub Kicinski <kuba@kernel.org> 2023-06-21 22:44:54 -0700
commit: 56a666c48b038e91b76471289e2cf60c79d326b9 (patch)
tree: 0ce708d167fdafeb743ee5ea658072a3389ec6a0 /security
parent: 0ad529d9fd2bfa3fc619552a8d2fb2f2ef0bce2e (diff)

mptcp: fix possible list corruption on passive MPJ

At passive MPJ time, if the msk socket lock is held by the user, the new subflow is appended to the msk->join_list under the msk data lock.

In mptcp_release_cb()/__mptcp_flush_join_list(), the subflows in that list are moved from the join_list into the conn_list under the msk socket lock.

Append and removal could race, possibly corrupting such list. Address the issue splicing the join list into a temporary one while still under the msk data lock.

Found by code inspection, the race itself should be almost impossible to trigger in practice.

Fixes: 3e5014909b56 ("mptcp: cleanup MPJ subflow list handling")
Cc: stable@vger.kernel.org
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Matthieu Baerts <matthieu.baerts@tessares.net>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Diffstat (limited to 'security')
0 files changed, 0 insertions, 0 deletions
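
The splice-then-walk pattern the commit message describes, as a user-space model added here for illustration. It is not the kernel patch (this page shows no diff); `struct msk_model`, the `atomic_flag` spinlock and every function name are assumptions.

```c
/* Added illustration, not kernel code: every name below is hypothetical. */
#include <stdatomic.h>

struct node { struct node *prev, *next; };
struct msk_model {
    atomic_flag data_lock;            /* stands in for the msk data lock */
    struct node join_list, conn_list; /* conn_list: socket lock owner only */
};

static void list_init(struct node *h) { h->prev = h->next = h; }
static int list_empty(const struct node *h) { return h->next == h; }
static void list_del(struct node *n) { n->prev->next = n->next; n->next->prev = n->prev; }
static void list_add_tail(struct node *n, struct node *h) {
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
/* Move every entry of 'from' onto the fresh head 'to', leaving 'from' empty. */
static void list_splice_init(struct node *from, struct node *to) {
    list_init(to);
    if (list_empty(from)) return;
    to->next = from->next; to->prev = from->prev;
    to->next->prev = to;   to->prev->next = to;
    list_init(from);
}
static void data_lock(struct msk_model *m) { while (atomic_flag_test_and_set(&m->data_lock)) ; }
static void data_unlock(struct msk_model *m) { atomic_flag_clear(&m->data_lock); }

/* Passive MPJ side: append the new subflow under the data lock. */
static void join_append(struct msk_model *m, struct node *sf) {
    data_lock(m); list_add_tail(sf, &m->join_list); data_unlock(m);
}
/* Release side: detach join_list under the data lock, then walk only the
 * private copy, so a concurrent append never touches nodes being moved. */
static int flush_join_list(struct msk_model *m) {
    struct node tmp, *n;
    int moved = 0;
    data_lock(m); list_splice_init(&m->join_list, &tmp); data_unlock(m);
    for (; !list_empty(&tmp); moved++) {
        n = tmp.next; list_del(n);
        list_add_tail(n, &m->conn_list);
    }
    return moved;
}
/* Constructed run: two joins, flush, one late join, flush. Returns 21. */
int demo(void) {
    struct msk_model m; struct node sf[3]; int a, b, ok;
    atomic_flag_clear(&m.data_lock); list_init(&m.join_list); list_init(&m.conn_list);
    join_append(&m, &sf[0]); join_append(&m, &sf[1]); a = flush_join_list(&m);
    join_append(&m, &sf[2]); b = flush_join_list(&m);
    ok = list_empty(&m.join_list) && m.conn_list.next == &sf[0] && m.conn_list.prev == &sf[2];
    return ok ? a * 10 + b : -1;
}
```

Walking `join_list` in place after dropping the data lock is the racy shape: an appender could rewrite `prev`/`next` on the same nodes the walker is unlinking.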