linux/net
Paolo Abeni c5c79763fa mptcp: remove msk from the token container at destruction time.
Currently we remote the msk from the token container only
via mptcp_close(). The MPTCP master socket can be destroyed
also via other paths (e.g. if not yet accepted, when shutting
down the listener socket). When we hit the latter scenario,
dangling msk references are left into the token container,
leading to memory corruption and/or UaF.

This change addresses the issue by moving the token removal
into the msk destructor.

Fixes: 79c0949e9a ("mptcp: Add key generation and token tree")
Signed-off-by: Paolo Abeni <pabeni@redhat.com>
Reviewed-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2020-05-30 21:39:13 -07:00
..
6lowpan
9p 9pnet: allow making incomplete read requests 2020-03-27 09:29:56 +00:00
802 net: 802: psnap.c: Use built-in RCU list checking 2020-02-24 13:02:53 -08:00
8021q net: vlan: suppress "failed to kill vid" warnings 2020-02-17 14:30:54 -08:00
appletalk
atm atm: fix a memory leak of vcc->user_back 2020-05-04 11:59:38 -07:00
ax25 ax25: fix setsockopt(SO_BINDTODEVICE) 2020-05-20 20:59:07 -07:00
batman-adv batman-adv: Fix refcnt leak in batadv_v_ogm_process 2020-04-21 10:08:05 +02:00
bluetooth Bluetooth: L2CAP: Use DEFER_SETUP to group ECRED connections 2020-03-25 22:16:08 +01:00
bpf bpf: Fix build warning regarding missing prototypes 2020-03-28 18:13:18 +01:00
bpfilter SPDX patches for 5.7-rc1. 2020-04-03 13:12:26 -07:00
bridge bridge: multicast: work around clang bug 2020-05-27 11:34:48 -07:00
caif net: caif: Add lockdep expression to RCU traversal primitive 2020-03-11 22:55:25 -07:00
can
ceph libceph: directly skip to the end of redirect reply 2020-03-30 12:42:41 +02:00
core neigh: fix ARP retransmit timer guard 2020-05-29 16:56:53 -07:00
dcb
dccp Merge git://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2020-02-29 15:53:35 -08:00
decnet Remove DST_HOST 2020-03-23 21:57:44 -07:00
dns_resolver KEYS: Don't write out to userspace while holding key semaphore 2020-03-29 12:40:41 +01:00
dsa net: dsa: declare lockless TX feature for slave ports 2020-05-27 15:09:28 -07:00
ethernet net: remove eth_change_mtu 2020-01-27 11:09:31 +01:00
ethtool ethtool: count header size in reply size estimate 2020-05-21 16:59:19 -07:00
hsr net: hsr: fix incorrect type usage for protocol variable 2020-05-06 15:00:20 -07:00
ieee802154 nl802154: add missing attribute validation for dev_type 2020-03-03 13:28:48 -08:00
ife
ipv4 devinet: fix memleak in inetdev_init() 2020-05-30 17:48:56 -07:00
ipv6 Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec 2020-05-29 13:05:56 -07:00
iucv
kcm net: kcm: kcmproc.c: Fix RCU list suspicious usage warning 2020-03-16 17:14:02 -07:00
key
l2tp l2tp: Allow management of tunnels and session in user namespace 2020-04-08 14:30:46 -07:00
l3mdev
lapb
llc af_llc: fix if-statement empty body warning 2020-02-26 20:38:13 -08:00
mac80211 mac80211: mesh: fix discovery timer re-arming issue / crash 2020-05-25 10:31:16 +02:00
mac802154
mpls net: add net available in build_state 2020-03-29 22:30:57 -07:00
mptcp mptcp: remove msk from the token container at destruction time. 2020-05-30 21:39:13 -07:00
ncsi
netfilter netfilter: nf_conntrack_pptp: fix compilation warning with W=1 build 2020-05-27 13:39:08 +02:00
netlabel netlabel: cope with NULL catmap 2020-05-12 18:12:40 -07:00
netlink Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-25 18:58:11 -07:00
netrom net: netrom: Fix potential nr_neigh refcnt leak in nr_add_node 2020-04-18 13:09:46 -07:00
nfc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
nsh
openvswitch net: openvswitch: ovs_ct_exit to be done under ovs_lock 2020-04-20 10:53:54 -07:00
packet net/packet: tpacket_rcv: avoid a producer race condition 2020-03-15 00:25:25 -07:00
phonet
psample
qrtr net: qrtr: Fix passing invalid reference to qrtr_local_enqueue() 2020-05-21 17:04:53 -07:00
rds net/rds: Use ERR_PTR for rds_message_alloc_sgs() 2020-04-15 12:33:29 -07:00
rfkill
rose
rxrpc rxrpc: Fix a memory leak in rxkad_verify_response() 2020-05-23 00:35:46 +01:00
sched net/sched: act_ct: add nat mangle action only for NAT-conntrack 2020-05-30 17:57:58 -07:00
sctp sctp: check assoc before SCTP_ADDR_{MADE_PRIM, ADDED} event 2020-05-28 12:47:02 -07:00
smc Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2020-03-12 22:34:48 -07:00
strparser
sunrpc NFS client bugfixes for Linux 5.7 2020-05-15 14:03:13 -07:00
switchdev net: switchdev: do not propagate bridge updates across bridges 2020-02-26 20:58:33 -08:00
tipc tipc: block BH before using dst_cache 2020-05-22 15:39:00 -07:00
tls net/tls: fix race condition causing kernel panic 2020-05-25 17:41:40 -07:00
unix net: datagram: drop 'destructor' argument from several helpers 2020-02-28 12:12:53 -08:00
vmw_vsock virtio_vsock: Fix race condition in virtio_transport_recv_pkt 2020-05-30 17:44:01 -07:00
wimax
wireless cfg80211: fix debugfs rename crash 2020-05-25 13:12:32 +02:00
x25 net/x25: Fix null-ptr-deref in x25_disconnect 2020-04-28 14:08:59 -07:00
xdp xsk: Add overflow check for u64 division, stored into u32 2020-05-26 00:06:00 +02:00
xfrm xfrm: fix a NULL-ptr deref in xfrm_local_error 2020-05-29 12:10:22 +02:00
compat.c net: abstract out normal and compat msghdr import 2020-03-10 09:12:49 -06:00
Kconfig net: Fix CONFIG_NET_CLS_ACT=n and CONFIG_NFT_FWD_NETDEV={y, m} build 2020-03-25 12:24:33 -07:00
Makefile
socket.c for-5.7/io_uring-2020-03-29 2020-03-30 12:18:49 -07:00
sysctl_net.c