From: Paolo Abeni <[email protected]>
Date: Mon, 25 May 2020 16:38:47 +0200

> In the MPTCP receive path we must cope with TCP fallback
> on blocking recvmsg(). Currently in such code path we detect
> the fallback condition, but we don't fetch the struct socket
> required for fallback.
>
> The above allowed syzkaller to trigger a NULL pointer
> dereference:
 ...
> Address the issue initializing the struct socket reference
> before entering the fallback code.
>
> Reported-and-tested-by: [email protected]
> Suggested-by: Ondrej Mosnacek <[email protected]>
> Fixes: 8ab183deb26a ("mptcp: cope with later TCP fallback")
> Signed-off-by: Paolo Abeni <[email protected]>

Applied and queued up for -stable, thanks.
