CVE-2022-49775

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 01/05/2025
Last modified: 02/05/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

tcp: cdg: allow tcp_cdg_release() to be called multiple times

Apparently, mptcp is able to call tcp_disconnect() on an already disconnected flow. This is generally fine, unless current congestion control is CDG, because it might trigger a double-free [1]

Instead of fixing MPTCP, and future bugs, we can make tcp_disconnect() more resilient.

[1]
BUG: KASAN: double-free in slab_free mm/slub.c:3539 [inline]
BUG: KASAN: double-free in kfree+0xe2/0x580 mm/slub.c:4567

CPU: 0 PID: 3645 Comm: kworker/0:7 Not tainted 6.0.0-syzkaller-02734-g0326074ff465 #0
Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 09/22/2022
Workqueue: events mptcp_worker
Call Trace:

__dump_stack lib/dump_stack.c:88 [inline]
dump_stack_lvl+0xcd/0x134 lib/dump_stack.c:106
print_address_description mm/kasan/report.c:317 [inline]
print_report.cold+0x2ba/0x719 mm/kasan/report.c:433
kasan_report_invalid_free+0x81/0x190 mm/kasan/report.c:462
____kasan_slab_free+0x18b/0x1c0 mm/kasan/common.c:356
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1759 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785
slab_free mm/slub.c:3539 [inline]
kfree+0xe2/0x580 mm/slub.c:4567
tcp_disconnect+0x980/0x1e20 net/ipv4/tcp.c:3145
__mptcp_close_ssk+0x5ca/0x7e0 net/mptcp/protocol.c:2327
mptcp_do_fastclose net/mptcp/protocol.c:2592 [inline]
mptcp_worker+0x78c/0xff0 net/mptcp/protocol.c:2627
process_one_work+0x991/0x1610 kernel/workqueue.c:2289
worker_thread+0x665/0x1080 kernel/workqueue.c:2436
kthread+0x2e4/0x3a0 kernel/kthread.c:376
ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:306


Allocated by task 3671:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track mm/kasan/common.c:45 [inline]
set_alloc_info mm/kasan/common.c:437 [inline]
____kasan_kmalloc mm/kasan/common.c:516 [inline]
____kasan_kmalloc mm/kasan/common.c:475 [inline]
__kasan_kmalloc+0xa9/0xd0 mm/kasan/common.c:525
kmalloc_array include/linux/slab.h:640 [inline]
kcalloc include/linux/slab.h:671 [inline]
tcp_cdg_init+0x10d/0x170 net/ipv4/tcp_cdg.c:380
tcp_init_congestion_control+0xab/0x550 net/ipv4/tcp_cong.c:193
tcp_reinit_congestion_control net/ipv4/tcp_cong.c:217 [inline]
tcp_set_congestion_control+0x96c/0xaa0 net/ipv4/tcp_cong.c:391
do_tcp_setsockopt+0x505/0x2320 net/ipv4/tcp.c:3513
tcp_setsockopt+0xd4/0x100 net/ipv4/tcp.c:3801
mptcp_setsockopt+0x35f/0x2570 net/mptcp/sockopt.c:844
__sys_setsockopt+0x2d6/0x690 net/socket.c:2252
__do_sys_setsockopt net/socket.c:2263 [inline]
__se_sys_setsockopt net/socket.c:2260 [inline]
__x64_sys_setsockopt+0xba/0x150 net/socket.c:2260
do_syscall_x64 arch/x86/entry/common.c:50 [inline]
do_syscall_64+0x35/0xb0 arch/x86/entry/common.c:80
entry_SYSCALL_64_after_hwframe+0x63/0xcd

Freed by task 16:
kasan_save_stack+0x1e/0x40 mm/kasan/common.c:38
kasan_set_track+0x21/0x30 mm/kasan/common.c:45
kasan_set_free_info+0x20/0x30 mm/kasan/generic.c:370
____kasan_slab_free mm/kasan/common.c:367 [inline]
____kasan_slab_free+0x166/0x1c0 mm/kasan/common.c:329
kasan_slab_free include/linux/kasan.h:200 [inline]
slab_free_hook mm/slub.c:1759 [inline]
slab_free_freelist_hook+0x8b/0x1c0 mm/slub.c:1785
slab_free mm/slub.c:3539 [inline]
kfree+0xe2/0x580 mm/slub.c:4567
tcp_cleanup_congestion_control+0x70/0x120 net/ipv4/tcp_cong.c:226
tcp_v4_destroy_sock+0xdd/0x750 net/ipv4/tcp_ipv4.c:2254
tcp_v6_destroy_sock+0x11/0x20 net/ipv6/tcp_ipv6.c:1969
inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1157
tcp_done+0x23b/0x340 net/ipv4/tcp.c:4649
tcp_rcv_state_process+0x40e7/0x4990 net/ipv4/tcp_input.c:6624
tcp_v6_do_rcv+0x3fc/0x13c0 net/ipv6/tcp_ipv6.c:1525
tcp_v6_rcv+0x2e8e/0x3830 net/ipv6/tcp_ipv6.c:1759
ip6_protocol_deliver_rcu+0x2db/0x1950 net/ipv6/ip6_input.c:439
ip6_input_finish+0x14c/0x2c0 net/ipv6/ip6_input.c:484
NF_HOOK include/linux/netfilter.h:302 [inline]
NF_HOOK include/linux/netfilter.h:296 [inline]
ip6_input+0x9c/0xd
---truncated---
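The bug class the commit describes, as an added user-space C model that is not kernel code: a hypothetical allocation tracker stands in for KASAN and counts frees of pointers that are no longer live, and two release routines model tcp_cdg_release() before and after the fix. The post-fix variant assumes the fix clears the freed pointer so that a repeated release becomes a no-op; the description above does not spell out the patch itself.

```c
#include <stdlib.h>

/* Added example, not kernel code: a hypothetical tracker stands in for KASAN
 * and counts frees of pointers that are not currently live (double frees). */
#define MAX_LIVE 16
static void *live[MAX_LIVE];
static int invalid_frees;

static void *tracked_calloc(size_t n, size_t sz)
{
    void *p = calloc(n, sz);
    for (int i = 0; i < MAX_LIVE; i++)
        if (!live[i]) { live[i] = p; break; }
    return p;
}

static void tracked_free(void *p)
{
    if (!p) return;                      /* like kfree(), NULL is a no-op */
    for (int i = 0; i < MAX_LIVE; i++)
        if (live[i] == p) { live[i] = NULL; free(p); return; }
    invalid_frees++;                     /* what KASAN reports as double-free */
}

struct cdg { int *gradients; };          /* per-socket CDG state, simplified */

static void cdg_init(struct cdg *ca)
{
    ca->gradients = tracked_calloc(8, sizeof(int));
}
/* Before the fix: the pointer dangles, so a second release frees it again. */
static void cdg_release_dangling(struct cdg *ca)
{
    tracked_free(ca->gradients);
}
/* After the fix (assumed): clearing the pointer makes repeated release harmless. */
static void cdg_release_idempotent(struct cdg *ca)
{
    tracked_free(ca->gradients);
    ca->gradients = NULL;
}
/* Model tcp_disconnect() running twice on one flow; returns the number of
 * invalid frees the tracker observed (0 means no double free). */
static int disconnect_twice(void (*release)(struct cdg *))
{
    struct cdg ca;
    invalid_frees = 0;
    cdg_init(&ca);
    release(&ca);
    release(&ca);
    return invalid_frees;
}
```

Because the tracker refuses the second free instead of passing it to free(), the dangling variant reports the bug without actually corrupting the heap.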

Impact