In the Linux kernel, the following vulnerability has been resolved:

mptcp: fix race condition in mptcp_schedule_work()

syzbot reported use-after-free in mptcp_schedule_work() [1]

Issue here is that mptcp_schedule_work() schedules a work, then gets a refcount on sk->sk_refcnt if the work was scheduled. This refcount will be released by mptcp_worker().

    [A] if (schedule_work(...)) {
    [B]     sock_hold(sk);
            return true;
        }

Problem is that mptcp_worker() can run immediately and complete before [B]

We need instead:

    sock_hold(sk);
    if (schedule_work(...))
        return true;
    sock_put(sk);

[1] refcount_t: additio…
GHSA-86fp-6jqc-qg25: In the Linux kernel, the following vulnerability has been resolved: mptcp: fix race condition in...
A race condition in the Linux kernel's mptcp_schedule_work() function, which could lead to a use-after-free, was resolved.
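The ordering problem described in the commit message, as an added user-space model (not kernel code and not part of the original advisory). It assumes the worst-case interleaving, in which the worker finishes before the scheduling call returns; every toy_* name, racy_schedule, fixed_schedule and run are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
/* Toy stand-in for struct sock; every toy_* name is hypothetical. */
struct toy_sock {
    int  refcnt;       /* models sk->sk_refcnt; 0 means the object is gone */
    bool work_pending; /* work item already queued */
    int  bad_holds;    /* holds taken after the count had reached zero */
};

static void toy_hold(struct toy_sock *sk) {
    sk->bad_holds += (sk->refcnt == 0); /* reference taken on a dead object */
    sk->refcnt++;
}

/* Worst case: the worker runs to completion before this call returns. */
static bool toy_schedule_work(struct toy_sock *sk) {
    if (sk->work_pending)
        return false;           /* already queued, nothing scheduled */
    sk->refcnt--;               /* worker body: drops the work's reference */
    return true;
}

static bool racy_schedule(struct toy_sock *sk) {   /* order before the fix */
    if (!toy_schedule_work(sk)) /* [A] */
        return false;
    toy_hold(sk);               /* [B] too late: the worker already did its put */
    return true;
}

static bool fixed_schedule(struct toy_sock *sk) {  /* order after the fix */
    toy_hold(sk);
    if (toy_schedule_work(sk))
        return true;
    sk->refcnt--;               /* not scheduled: give the reference back */
    return false;
}

/* Starts with one owner reference; returns bad_holds, stores final refcnt. */
static int run(bool (*sched)(struct toy_sock *), bool pending, int *refcnt) {
    struct toy_sock sk = { .refcnt = 1, .work_pending = pending };
    sched(&sk);
    *refcnt = sk.refcnt;
    return sk.bad_holds;
}

int main(void) {
    int r, racy = run(racy_schedule, false, &r), fixed = run(fixed_schedule, false, &r);
    return printf("bad holds: racy=%d fixed=%d\n", racy, fixed) < 0;
}
```

In the racy order the worker's put consumes the only existing reference, so the later hold lands on a count of zero; in the fixed order the count never drops below the owner's reference, whether or not the work was scheduled.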