linux/net
Paolo Abeni 10f6d46c94 mptcp: fix race between MP_JOIN and close
If a MP_JOIN subflow completes the 3whs while another
CPU is closing the master msk, we can hit the
following race:

CPU1                                    CPU2

close()
 mptcp_close
                                        subflow_syn_recv_sock
                                         mptcp_token_get_sock
                                         mptcp_finish_join
                                          inet_sk_state_load
  mptcp_token_destroy
  inet_sk_state_store(TCP_CLOSE)
  __mptcp_flush_join_list()
                                          mptcp_sock_graft
                                          list_add_tail
  sk_common_release
   sock_orphan()
 <socket free>

The MP_JOIN socket will be leaked. Additionally we can hit
UaF for the msk 'struct socket' referenced via the 'conn'
field.

This change try to address the issue introducing some
synchronization between the MP_JOIN 3whs and mptcp_close
via the join_list spinlock. If we detect the msk is closing
the MP_JOIN socket is closed, too.

Fixes: f296234c98 ("mptcp: Add handling of incoming MP_JOIN requests")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-05-30 21:39:13 -07:00
..
6lowpan
9p 9pnet: allow making incomplete read requests 2020-03-27 09:29:56 +00:00
802 net: 802: psnap.c: Use built-in RCU list checking 2020-02-24 13:02:53 -08:00
8021q net: vlan: suppress "failed to kill vid" warnings 2020-02-17 14:30:54 -08:00
appletalk
atm atm: fix a memory leak of vcc->user_back 2020-05-04 11:59:38 -07:00
ax25 ax25: fix setsockopt(SO_BINDTODEVICE) 2020-05-20 20:59:07 -07:00
batman-adv batman-adv: Fix refcnt leak in batadv_v_ogm_process 2020-04-21 10:08:05 +02:00
bluetooth Bluetooth: L2CAP: Use DEFER_SETUP to group ECRED connections 2020-03-25 22:16:08 +01:00
bpf bpf: Fix build warning regarding missing prototypes 2020-03-28 18:13:18 +01:00
bpfilter SPDX patches for 5.7-rc1. 2020-04-03 13:12:26 -07:00
bridge bridge: multicast: work around clang bug 2020-05-27 11:34:48 -07:00
caif net: caif: Add lockdep expression to RCU traversal primitive 2020-03-11 22:55:25 -07:00
can
ceph libceph: directly skip to the end of redirect reply 2020-03-30 12:42:41 +02:00
core neigh: fix ARP retransmit timer guard 2020-05-29 16:56:53 -07:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2020-02-29 15:53:35 -08:00
decnet Remove DST_HOST 2020-03-23 21:57:44 -07:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-03-29 12:40:41 +01:00
dsa net: dsa: declare lockless TX feature for slave ports 2020-05-27 15:09:28 -07:00
ethernet net: remove eth_change_mtu 2020-01-27 11:09:31 +01:00
ethtool ethtool: count header size in reply size estimate 2020-05-21 16:59:19 -07:00
hsr net: hsr: fix incorrect type usage for protocol variable 2020-05-06 15:00:20 -07:00
ieee802154 nl802154: add missing attribute validation for dev_type 2020-03-03 13:28:48 -08:00
ife
ipv4 devinet: fix memleak in inetdev_init() 2020-05-30 17:48:56 -07:00
ipv6 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2020-05-29 13:05:56 -07:00
iucv
kcm net: kcm: kcmproc.c: Fix RCU list suspicious usage warning 2020-03-16 17:14:02 -07:00
key
l2tp l2tp: Allow management of tunnels and session in user namespace 2020-04-08 14:30:46 -07:00
l3mdev
lapb
llc af_llc: fix if-statement empty body warning 2020-02-26 20:38:13 -08:00
mac80211 mac80211: mesh: fix discovery timer re-arming issue / crash 2020-05-25 10:31:16 +02:00
mac802154
mpls net: add net available in build_state 2020-03-29 22:30:57 -07:00
mptcp mptcp: fix race between MP_JOIN and close 2020-05-30 21:39:13 -07:00
ncsi
netfilter netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build 2020-05-27 13:39:08 +02:00
netlabel netlabel: cope with NULL catmap 2020-05-12 18:12:40 -07:00
netlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-25 18:58:11 -07:00
netrom net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node 2020-04-18 13:09:46 -07:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
nsh
openvswitch net: openvswitch: ovs_ct_exit to be done under ovs_lock 2020-04-20 10:53:54 -07:00
packet net/packet: tpacket_rcv: avoid a producer race condition 2020-03-15 00:25:25 -07:00
phonet
psample
qrtr net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() 2020-05-21 17:04:53 -07:00
rds net/rds: Use ERR_PTR for rds_message_alloc_sgs() 2020-04-15 12:33:29 -07:00
rfkill
rose
rxrpc rxrpc: Fix a memory leak in rxkad_verify_response() 2020-05-23 00:35:46 +01:00
sched net/sched: act_ct: add nat mangle action only for NAT-conntrack 2020-05-30 17:57:58 -07:00
sctp sctp: check assoc before SCTP_ADDR_{MADE_PRIM, ADDED} event 2020-05-28 12:47:02 -07:00
smc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
strparser
sunrpc NFS client bugfixes for Linux 5.7 2020-05-15 14:03:13 -07:00
switchdev net: switchdev: do not propagate bridge updates across bridges 2020-02-26 20:58:33 -08:00
tipc tipc: block BH before using dst_cache 2020-05-22 15:39:00 -07:00
tls net/tls: fix race condition causing kernel panic 2020-05-25 17:41:40 -07:00
unix net: datagram: drop 'destructor' argument from several helpers 2020-02-28 12:12:53 -08:00
vmw_vsock virtio_vsock: Fix race condition in virtio_transport_recv_pkt 2020-05-30 17:44:01 -07:00
wimax
wireless cfg80211: fix debugfs rename crash 2020-05-25 13:12:32 +02:00
x25 net/x25: Fix null-ptr-deref in x25_disconnect 2020-04-28 14:08:59 -07:00
xdp xsk: Add overflow check for u64 division, stored into u32 2020-05-26 00:06:00 +02:00
xfrm xfrm: fix a NULL-ptr deref in xfrm_local_error 2020-05-29 12:10:22 +02:00
compat.c net: abstract out normal and compat msghdr import 2020-03-10 09:12:49 -06:00
Kconfig net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-03-25 12:24:33 -07:00
Makefile
socket.c for-5.7/io_uring-2020-03-29 2020-03-30 12:18:49 -07:00
sysctl_net.c