CVE-2024-26826

Severity CVSS v4.0: Pending analysis
Type: Unavailable / Other
Publication date: 17/04/2024
Last modified: 27/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix data re-injection from stale subflow

When the MPTCP PM detects that a subflow is stale, the packet scheduler must re-inject all the mptcp-level unacked data. To avoid acquiring unneeded locks, it first tries to check if any unacked data is present at all in the RTX queue, but that check is currently broken, as it uses a TCP-specific helper on an MPTCP socket.

Funnily enough fuzzers and static checkers are happy, as the accessed memory still belongs to the mptcp_sock struct, and even from a functional perspective the recovery completed successfully, as the short-cut test always failed.

A recent unrelated TCP change - commit d5fed5addb2b ("tcp: reorganize tcp_sock fast path variables") - exposed the issue, as the tcp field reorganization makes the mptcp code always skip the re-injection.

Fix the issue by dropping the bogus call: we are on a slow path, the early optimization proved once again to be evil.
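The commit text above describes a TCP-only helper being applied to an MPTCP socket: every read stayed inside mptcp_sock, so fuzzers and static checkers saw nothing, and the answer the check gave depended entirely on where tcp_sock's fields happened to sit. The C program below is an added example, not the kernel's code and not the patch itself. The struct names (toy_tcp_sock_old, toy_tcp_sock_new, toy_mptcp_sock), the field layouts, the helper name tcp_queues_empty and the two retransmit functions are hypothetical stand-ins chosen to make the mechanism visible; they do not reproduce the real tcp_sock or mptcp_sock layouts or the exact helper the fix removed.

```c
/* Added example, not kernel code: a model of why a TCP-only queue check on an
 * MPTCP socket stays in bounds, keeps fuzzers quiet, and flips its answer
 * when the TCP layout is reshuffled. All names and layouts are hypothetical. */
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
/* Hypothetical TCP socket layout before a fast-path field reorganization. */
struct toy_tcp_sock_old {
    uint32_t snd_nxt, snd_una;
    uint32_t rtx_queue_len, write_queue_len;   /* offsets 8 and 12 */
    uint32_t rcv_nxt, rcv_wnd;
};

/* Same fields after the reorganization: the queue counters moved. */
struct toy_tcp_sock_new {
    uint32_t snd_nxt, snd_una;
    uint32_t rcv_nxt, rcv_wnd;
    uint32_t rtx_queue_len, write_queue_len;   /* offsets 16 and 20 */
};

/* Hypothetical MPTCP-level socket: not a TCP socket, but every offset the
 * TCP helper touches still lies inside it. */
struct toy_mptcp_sock {
    uint32_t snd_nxt, snd_una;
    uint32_t write_seq, ack_seq;     /* offsets 8, 12: non-zero once data flowed */
    uint32_t reserved0, reserved1;   /* offsets 16, 20: always zero */
    uint32_t rtx_queue_len;          /* MPTCP-level unacked segments: the real signal */
};

/* Read a u32 at a byte offset; memcpy keeps the type pun well defined. */
static uint32_t read_u32_at(const void *base, size_t off)
{
    uint32_t v;
    memcpy(&v, (const unsigned char *)base + off, sizeof v);
    return v;
}

/* The "TCP-specific helper": it knows only TCP field offsets and accepts any
 * pointer, so handing it an MPTCP socket compiles and runs without complaint. */
static bool tcp_queues_empty(const void *sk, bool new_tcp_layout)
{
    size_t rtx = new_tcp_layout ? offsetof(struct toy_tcp_sock_new, rtx_queue_len)
                                : offsetof(struct toy_tcp_sock_old, rtx_queue_len);
    size_t wq  = new_tcp_layout ? offsetof(struct toy_tcp_sock_new, write_queue_len)
                                : offsetof(struct toy_tcp_sock_old, write_queue_len);
    return read_u32_at(sk, rtx) == 0 && read_u32_at(sk, wq) == 0;
}

/* Pre-fix logic: short-cut on the TCP helper; returns segments re-injected. */
static unsigned buggy_retransmit_pending(struct toy_mptcp_sock *msk, bool new_tcp_layout)
{
    if (tcp_queues_empty(msk, new_tcp_layout))
        return 0;                    /* wrongly concludes nothing is pending */
    unsigned n = msk->rtx_queue_len;
    msk->rtx_queue_len = 0;
    return n;
}

/* Post-fix logic: no short-cut, consult only the MPTCP-level queue. */
static unsigned fixed_retransmit_pending(struct toy_mptcp_sock *msk)
{
    unsigned n = msk->rtx_queue_len;
    msk->rtx_queue_len = 0;
    return n;
}

/* Constructed scenario: a subflow went stale with 3 unacked MPTCP segments. */
static struct toy_mptcp_sock make_stale_msk(void)
{
    struct toy_mptcp_sock msk = {0};
    msk.snd_nxt = msk.write_seq = 4000;
    msk.snd_una = msk.ack_seq = 2500;
    msk.rtx_queue_len = 3;
    return msk;
}

/* Drive the scenario through either path; returns segments re-injected. */
static unsigned run(bool fixed, bool new_tcp_layout)
{
    struct toy_mptcp_sock msk = make_stale_msk();
    return fixed ? fixed_retransmit_pending(&msk)
                 : buggy_retransmit_pending(&msk, new_tcp_layout);
}

/* Why sanitizers stay quiet: the last TCP-offset read ends inside the MPTCP struct. */
static bool helper_reads_stay_in_bounds(void)
{
    size_t end = offsetof(struct toy_tcp_sock_new, write_queue_len) + sizeof(uint32_t);
    return end <= sizeof(struct toy_mptcp_sock);
}

int main(void)
{
    printf("in bounds=%d buggy/old=%u buggy/new=%u fixed=%u\n",
           helper_reads_stay_in_bounds(), run(false, false), run(false, true), run(true, false));
    return 0;
}
```

Building with `cc -Wall -fsanitize=address,undefined` and running it reproduces the situation the commit describes: no sanitizer report, the buggy path re-injects under the old layout only because the fields it misreads happen to be non-zero, and under the new layout it skips re-injection while three segments sit unacked. The fixed path ignores the TCP helper and re-injects in both cases.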

Vulnerable products and versions

CPE                                               From               Up to
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.15 (including)   5.15.149 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      5.16 (including)   6.1.79 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.2 (including)    6.6.18 (excluding)
cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:*      6.7 (including)    6.7.6 (excluding)
cpe:2.3:o:linux:linux_kernel:6.8:rc1:*:*:*:*:*:*
cpe:2.3:o:linux:linux_kernel:6.8:rc2:*:*:*:*:*:*