From: Geliang Tang <tanggeliang@kylinos.cn>
In mptcp_pm_userspace_get_local_id(), the address entry is looked up under
spinlock, but its id is read after dropping the lock. A concurrent deletion
can free the entry between the unlock and the read, leading to UAF.
Fix by copying the id into a local variable while still holding the lock,
and use -1 as a "not found" sentinel.
Fixes: f012d796a6de ("mptcp: check addrs list in userspace_pm_get_local_id")
Signed-off-by: Geliang Tang <tanggeliang@kylinos.cn>
---
net/mptcp/pm_userspace.c | 6 ++++--
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/net/mptcp/pm_userspace.c b/net/mptcp/pm_userspace.c
index ad6ba658e5a5..8a5cf5ed8f7b 100644
--- a/net/mptcp/pm_userspace.c
+++ b/net/mptcp/pm_userspace.c
@@ -132,12 +132,14 @@ static int mptcp_pm_userspace_get_local_id(struct mptcp_sock *msk,
__be16 msk_sport = ((struct inet_sock *)
inet_sk((struct sock *)msk))->inet_sport;
struct mptcp_pm_addr_entry *entry;
+ int id;
spin_lock_bh(&msk->pm.lock);
entry = mptcp_userspace_pm_lookup_addr(msk, &skc->addr);
+ id = entry ? entry->addr.id : -1;
spin_unlock_bh(&msk->pm.lock);
- if (entry)
- return entry->addr.id;
+ if (id != -1)
+ return id;
if (skc->addr.port == msk_sport)
skc->addr.port = 0;
--
2.53.0