CVE-2022-50070

In the Linux kernel, the following vulnerability has been resolved:<br /> <br /> mptcp: do not queue data on closed subflows<br /> <br /> Dipanjan reported a syzbot splat at close time:<br /> <br /> WARNING: CPU: 1 PID: 10818 at net/ipv4/af_inet.c:153<br /> inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153<br /> Modules linked in: uio_ivshmem(OE) uio(E)<br /> CPU: 1 PID: 10818 Comm: kworker/1:16 Tainted: G OE<br /> 5.19.0-rc6-g2eae0556bb9d #2<br /> Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS<br /> 1.13.0-1ubuntu1.1 04/01/2014<br /> Workqueue: events mptcp_worker<br /> RIP: 0010:inet_sock_destruct+0x6d0/0x8e0 net/ipv4/af_inet.c:153<br /> Code: 21 02 00 00 41 8b 9c 24 28 02 00 00 e9 07 ff ff ff e8 34 4d 91<br /> f9 89 ee 4c 89 e7 e8 4a 47 60 ff e9 a6 fc ff ff e8 20 4d 91 f9 0b<br /> e9 84 fe ff ff e8 14 4d 91 f9 0f 0b e9 d4 fd ff ff e8 08 4d<br /> RSP: 0018:ffffc9001b35fa78 EFLAGS: 00010246<br /> RAX: 0000000000000000 RBX: 00000000002879d0 RCX: ffff8881326f3b00<br /> RDX: 0000000000000000 RSI: ffff8881326f3b00 RDI: 0000000000000002<br /> RBP: ffff888179662674 R08: ffffffff87e983a0 R09: 0000000000000000<br /> R10: 0000000000000005 R11: 00000000000004ea R12: ffff888179662400<br /> R13: ffff888179662428 R14: 0000000000000001 R15: ffff88817e38e258<br /> FS: 0000000000000000(0000) GS:ffff8881f5f00000(0000) knlGS:0000000000000000<br /> CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033<br /> CR2: 0000000020007bc0 CR3: 0000000179592000 CR4: 0000000000150ee0<br /> Call Trace:<br /> <br /> __sk_destruct+0x4f/0x8e0 net/core/sock.c:2067<br /> sk_destruct+0xbd/0xe0 net/core/sock.c:2112<br /> __sk_free+0xef/0x3d0 net/core/sock.c:2123<br /> sk_free+0x78/0xa0 net/core/sock.c:2134<br /> sock_put include/net/sock.h:1927 [inline]<br /> __mptcp_close_ssk+0x50f/0x780 net/mptcp/protocol.c:2351<br /> __mptcp_destroy_sock+0x332/0x760 net/mptcp/protocol.c:2828<br /> mptcp_worker+0x5d2/0xc90 net/mptcp/protocol.c:2586<br /> process_one_work+0x9cc/0x1650 kernel/workqueue.c:2289<br /> worker_thread+0x623/0x1070 kernel/workqueue.c:2436<br /> kthread+0x2e9/0x3a0 kernel/kthread.c:376<br /> ret_from_fork+0x1f/0x30 arch/x86/entry/entry_64.S:302<br /> <br /> <br /> The root cause of the problem is that an mptcp-level (re)transmit can<br /> race with mptcp_close() and the packet scheduler checks the subflow<br /> state before acquiring the socket lock: we can try to (re)transmit on<br /> an already closed ssk.<br /> <br /> Fix the issue checking again the subflow socket status under the<br /> subflow socket lock protection. Additionally add the missing check<br /> for the fallback-to-tcp case.