CVE-2022-49669

Severity CVSS v4.0: Pending analysis
Type: CWE-416 Use After Free
Publication date: 26/02/2025
Last modified: 24/03/2025

Description

In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix race on unaccepted mptcp sockets

When the listener socket owning the relevant request is closed, it frees the unaccepted subflows and that causes later deletion of the paired MPTCP sockets.

The mptcp socket's worker can run in the time interval between such delete operations. When that happens, any access to msk->first will cause an UaF access, as the subflow cleanup did not clear such field in the mptcp socket.

Address the issue explicitly traversing the listener socket accept queue at close time and performing the needed cleanup on the pending msk.

Note that the locking is a bit tricky, as we need to acquire the msk socket lock, while still owning the subflow socket one.

Vulnerable products and versions

| CPE | From | Up to |
| --- | --- | --- |
| cpe:2.3:o:linux:linux_kernel:*:*:*:*:*:*:*:* | 5.17 (including) | 5.18.10 (excluding) |
| cpe:2.3:o:linux:linux_kernel:5.19:rc1:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc2:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc3:*:*:*:*:*:* | | |
| cpe:2.3:o:linux:linux_kernel:5.19:rc4:*:*:*:*:*:* | | |
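
A version check against the ranges in the table above, as an added example that is not part of the advisory or of the kernel project. It compares only the upstream version embedded in a `uname -r` string; distribution kernels that backport the fix keep an older version number, so a match means the package changelog needs checking rather than that the host is confirmed vulnerable. The function names and the sample release strings are assumptions made for illustration.

```python
import re

# Ranges transcribed from the "Vulnerable products and versions" table.
RANGE_START = (5, 17, 0)    # 5.17, including
RANGE_END = (5, 18, 10)     # 5.18.10, excluding
# Pre-releases the table lists one by one: 5.19 rc1 to rc4.
LISTED_RCS = {(5, 19, 0): {1, 2, 3, 4}}

# Leading upstream version of a `uname -r` string, e.g. "5.18.9-200.fc36.x86_64"
# or "5.19.0-rc3". Anything after it (distro build suffix) is ignored.
_RELEASE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?")


def parse_release(release):
    """Return ((major, minor, patch), rc) where rc is None for a final release."""
    m = _RELEASE.match(release.strip())
    if m is None:
        raise ValueError(f"unrecognised kernel release string: {release!r}")
    major, minor, patch, rc = m.groups()
    version = (int(major), int(minor), int(patch or 0))
    return version, (int(rc) if rc else None)


def in_listed_range(release):
    """True if the upstream version falls inside the ranges listed on this page."""
    version, rc = parse_release(release)
    if rc is not None:
        # Only the enumerated 5.19 release candidates count; the table does
        # not say anything about other pre-release kernels.
        return rc in LISTED_RCS.get(version, set())
    return RANGE_START <= version < RANGE_END


if __name__ == "__main__":
    # Constructed sample strings, not taken from real hosts.
    samples = [
        "5.16.20", "5.17", "5.18.9-200.fc36.x86_64", "5.18.10",
        "5.19.0-rc3", "5.19-rc5", "5.19.0", "5.15.0-76-generic",
    ]
    for s in samples:
        verdict = "in listed range" if in_listed_range(s) else "not listed"
        print(f"{s:28} {verdict}")
```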