From 29640985438699d7bf8d55110ed39f20f312f39b Mon Sep 17 00:00:00 2001
From: Tim Froidcoeur
Date: Thu, 18 Aug 2022 17:02:13 +0200
Subject: [PATCH] mptcp: correct check user owned socket correct the check for user owned socket in TCP handling of routing redirect. this issue could lead to a race condition and a kernel crash, see 45caeaa5ac0b ("dccp/tcp: fix routing redirect race")
Fixes: e56ce5051a71 ("Merge tag 'v4.11' into mptcp_trunk")
Reported-by: Christoph Paasch
Reviewed-by: Matthieu Baerts
Signed-off-by: Tim Froidcoeur
Acked-by: Christoph Paasch
Signed-off-by: Matthieu Baerts
(cherry picked from commit 041e84d3550e7477e388ac861806d5690c961437)
Signed-off-by: Matthieu Baerts
(cherry picked from commit 7d7555fb1c30cc29d64dfe689b84c04f4799b2e0)
Signed-off-by: Matthieu Baerts
---
 net/ipv4/tcp_ipv4.c | 2 +-
 net/ipv6/tcp_ipv6.c | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c
index 34e8fe331ed8..7053b285621c 100644
--- a/net/ipv4/tcp_ipv4.c
+++ b/net/ipv4/tcp_ipv4.c
@@ -502,7 +502,7 @@ void tcp_v4_err(struct sk_buff *icmp_skb, u32 info)
 switch (type) {
 case ICMP_REDIRECT:
- if (!sock_owned_by_user(sk))
+ if (!sock_owned_by_user(meta_sk))
 do_redirect(icmp_skb, sk);
 goto out;
 case ICMP_SOURCE_QUENCH:
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index f24db934cb93..497f9172aed5 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -426,7 +426,7 @@ static void tcp_v6_err(struct sk_buff *skb, struct inet6_skb_parm *opt,
 np = inet6_sk(sk);
 if (type == NDISC_REDIRECT) {
- if (!sock_owned_by_user(sk)) {
+ if (!sock_owned_by_user(meta_sk)) {
 struct dst_entry *dst = __sk_dst_check(sk, np->dst_cookie);
 if (dst)
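Review bot: The corrected test in tcp_v4_err's ICMP_REDIRECT case checks ownership on `meta_sk` while `do_redirect(icmp_skb, sk)` still acts on `sk`, and nothing on the new line says why the two sockets differ; the NDISC_REDIRECT branch of tcp_v6_err has the same shape with `__sk_dst_check(sk, np->dst_cookie)`. Per the Fixes: trailer the wrong argument arrived through a merge of upstream code, so a short comment above each check would help keep a later merge from restoring it, for example `/* MPTCP: user ownership is tracked on the meta socket; the redirect is applied to the subflow sk */`. Both functions start and end outside their hunks, so where `meta_sk` is assigned and locked is not visible here; presumably it equals `sk` for plain TCP, which is worth confirming before settling the comment's wording. Any other `sock_owned_by_user()` call in these two handlers deserves the same comparison against the socket that is actually locked, since a mismatch is what the description ties to the race and crash.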