At disconnect time the MPTCP protocol traverses the subflows list, closing each of them. In some circumstances (MPJ subflow, passive MPTCP socket) the latter operation can remove the subflow from the list, invalidating the current iterator. This could lead to a NULL pointer dereference issue.

Upstream patch & commit:
https://lore.kernel.org/netdev/20220708233610.410786-2-mathew.j.martineau@linux.intel.com/
https://github.com/torvalds/linux/commit/5c835bb142d4
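The iterator invalidation described above, as an added userspace illustration that is not the kernel code or the upstream patch. All names (`struct subflow`, `close_subflow`, `disconnect`, `run_demo`) are hypothetical, and the model assumes an unlinked node has its links cleared to NULL; it contrasts re-reading `next` after the close with capturing the successor beforehand.

```c
#include <stddef.h>
/* Constructed userspace model; all names are hypothetical, not kernel code. */
struct subflow {
    struct subflow *prev, *next;
    int unlink_on_close;            /* models the MPJ / passive-socket case */
};

static void list_add_tail(struct subflow *head, struct subflow *n)
{
    n->prev = head->prev; n->next = head;
    head->prev->next = n; head->prev = n;
}

/* Closing may unlink the node from the list and clear its links. */
static void close_subflow(struct subflow *sf)
{
    if (!sf->unlink_on_close)
        return;
    sf->prev->next = sf->next;
    sf->next->prev = sf->prev;
    sf->prev = sf->next = NULL;
}

/* Returns the number closed, or -1 where the naive walk would step via NULL. */
static int disconnect(struct subflow *head, int save_next)
{
    int n = 0;
    struct subflow *pos = head->next, *nxt;
    while (pos != head) {
        nxt = pos->next;            /* successor captured before the close */
        close_subflow(pos);
        n++;
        if (!save_next)
            nxt = pos->next;        /* naive walk re-reads it after the close */
        if (nxt == NULL)
            return -1;              /* iterator invalidated by the unlink */
        pos = nxt;
    }
    return n;
}

/* Constructed sample: three subflows, the second unlinks itself on close. */
static int run_demo(int save_next)
{
    struct subflow head = { &head, &head, 0 };
    struct subflow sf[3] = { {0}, {NULL, NULL, 1}, {0} };
    for (int i = 0; i < 3; i++)
        list_add_tail(&head, &sf[i]);
    return disconnect(&head, save_next);
}
```

Saving the successor only protects against removal of the current node; a close that could also unlink the following node would need a different strategy, such as restarting the walk from the head.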
Created kernel tracking bugs for this issue: Affects: fedora-all [bug 2145216]
This was fixed for Fedora with the 5.18.13 stable kernel updates.
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2148 https://access.redhat.com/errata/RHSA-2023:2148
This issue has been addressed in the following products: Red Hat Enterprise Linux 9 Via RHSA-2023:2458 https://access.redhat.com/errata/RHSA-2023:2458
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2022-4128