From: Paolo Abeni <pab...@redhat.com>
Date: Mon, 25 May 2020 16:38:47 +0200

> In the MPTCP receive path we must cope with TCP fallback
> on blocking recvmsg(). Currently in such code path we detect
> the fallback condition, but we don't fetch the struct socket
> required for fallback.
>
> The above allowed syzkaller to trigger a NULL pointer
> dereference:
 ...
> Address the issue initializing the struct socket reference
> before entering the fallback code.
>
> Reported-and-tested-by: syzbot+c6bfc3db991edc918...@syzkaller.appspotmail.com
> Suggested-by: Ondrej Mosnacek <omosn...@redhat.com>
> Fixes: 8ab183deb26a ("mptcp: cope with later TCP fallback")
> Signed-off-by: Paolo Abeni <pab...@redhat.com>

Applied and queued up for -stable, thanks.