Matthieu Baerts

**Name of the Vulnerable Software and Affected Versions** Linux kernel versions prior to 6.1.0-rc5 **Description** A bug in the Linux kernel has been resolved, specifically in the mptcp protocol. The issue occurred when a sleeping function was called from an invalid context at close time, resulting in a splat. The problem was caused by calling `mptcp close` under the 'fast' socket lock variant, which has been replaced with `sock lock nested()` to fix the issue. The `mptcp close` function is called when the `msk` socket is closed, and it is related to the ` mptcp close ssk` and `mptcp subflow queue clean` functions. **Recommendations** To resolve the issue, update the Linux kernel to a version newer than 6.1.0-rc5. As a temporary workaround, consider disabling the `mptcp close` function until a patch is available. Restrict access to the `mptcp` protocol to minimize the risk of exploitation.

**Name of the Vulnerable Software and Affected Versions** Linux kernel (affected versions not specified) **Description** The issue is related to MPTCP sk forward memory handling, which is protected by the msk socket spin lock. A code path updating this field without handling the relevant lock can cause corruption. The problem occurs in the ` mptcp retrans()` function, which calls ` mptcp clean una wakeup()`, and several helpers in this function update `sk forward alloc`, possibly causing corruption. The issue was reported by Matthieu and has been addressed by providing and using a new variant of the blamed function, which explicitly acquires the msk spin lock. **Recommendations** At the moment, there is no information about a newer version that contains a fix for this vulnerability.