CVE-2022-49198

Source
https://cve.org/CVERecord?id=CVE-2022-49198
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49198.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2022-49198
Downstream
Published
2025-02-26T01:55:41.631Z
Modified
2026-04-02T08:27:23.456562Z
Summary
mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb
Details

In the Linux kernel, the following vulnerability has been resolved:

mptcp: Fix crash due to tcp_tsorted_anchor was initialized before release skb

Got a crash when doing a pressure test of mptcp:

===========================================================================
dst_release: dst:ffffa06ce6e5c058 refcnt:-1
kernel tried to execute NX-protected page - exploit attempt? (uid: 0)
BUG: unable to handle kernel paging request at ffffa06ce6e5c058
PGD 190a01067 P4D 190a01067 PUD 43fffb067 PMD 22e403063 PTE 8000000226e5c063
Oops: 0011 [#1] SMP PTI
CPU: 7 PID: 7823 Comm: kworker/7:0 Kdump: loaded Tainted: G E
Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS 1.2.1 04/01/2014
Call Trace:
 ? skb_release_head_state+0x68/0x100
 ? skb_release_all+0xe/0x30
 ? kfree_skb+0x32/0xa0
 ? mptcp_sendmsg_frag+0x57e/0x750
 ? __mptcp_retrans+0x21b/0x3c0
 ? __switch_to_asm+0x35/0x70
 ? mptcp_worker+0x25e/0x320
 ? process_one_work+0x1a7/0x360
 ? worker_thread+0x30/0x390
 ? create_worker+0x1a0/0x1a0
 ? kthread+0x112/0x130
 ? kthread_flush_work_fn+0x10/0x10
 ? ret_from_fork+0x35/0x40

In __mptcp_alloc_tx_skb, skb is allocated and skb->tcp_tsorted_anchor is initialized; under memory pressure, sk_wmem_schedule returns false and kfree_skb is then called. In this case skb->_skb_refdst is not null, because _skb_refdst and tcp_tsorted_anchor are stored in the same memory, and kfree_skb will try to release dst and cause a crash.

Database specific
{
    "cna_assigner": "Linux",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2022/49xxx/CVE-2022-49198.json"
}
References

Affected packages

Git / git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git

Affected ranges

Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
289f2f58266777f45a52cd55dea96d736e6244c9
Fixed
af61a8f7603926c26158153d0a0755764d82657c
Type
GIT
Repo
https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git
Events
Introduced
f70cad1085d1e01d3ec73c1078405f906237feee
Fixed
752add6f5ce5305e55d8bda4ac8d69be3a09f14d
Fixed
4d54181eba4b077fb74033a7186898ad4000a7a5
Fixed
3ef3905aa3b5b3e222ee6eb0210bfd999417a8cc

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2022-49198.json"