Patch "mptcp: clear 'kern' flag from fallback sockets" has been added to the 5.10-stable tree

This is a note to let you know that I've just added the patch titled

    mptcp: clear 'kern' flag from fallback sockets

to the 5.10-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
     mptcp-clear-kern-flag-from-fallback-sockets.patch
and it can be found in the queue-5.10 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree,
please let <stable@xxxxxxxxxxxxxxx> know about it.



commit 087ed4d98900ce65de91e62fac42ee3a4542c9c5
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Tue Dec 14 15:16:02 2021 -0800

    mptcp: clear 'kern' flag from fallback sockets
    
    [ Upstream commit d6692b3b97bdc165d150f4c1505751a323a80717 ]
    
    The mptcp ULP extension relies on sk->sk_sock_kern being set correctly:
    It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from
    working for plain tcp sockets (any userspace-exposed socket).
    
    But in case of fallback, accept() can return a plain tcp sk.
    In such case, sk is still tagged as 'kernel' and setsockopt will work.
    
    This will crash the kernel. The subflow extension has a NULL ctx->conn
    mptcp socket:
    
    BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0
    Call Trace:
     tcp_data_ready+0xf8/0x370
     [..]
    
    Fixes: cf7da0d66cc1 ("mptcp: Create SUBFLOW socket for incoming connections")
    Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
    Signed-off-by: Mat Martineau <mathew.j.martineau@xxxxxxxxxxxxxxx>
    Signed-off-by: Jakub Kicinski <kuba@xxxxxxxxxx>
    Signed-off-by: Sasha Levin <sashal@xxxxxxxxxx>

diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c
index 3ca8b359e399a..8123c79e27913 100644
--- a/net/mptcp/protocol.c
+++ b/net/mptcp/protocol.c
@@ -2149,7 +2149,7 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err,
 		 */
 		if (WARN_ON_ONCE(!new_mptcp_sock)) {
 			tcp_sk(newsk)->is_mptcp = 0;
-			return newsk;
+			goto out;
 		}
 
 		/* acquire the 2nd reference for the owning socket */
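Review bot: The `goto out;` in the WARN_ON_ONCE(!new_mptcp_sock) branch jumps out of a nested block to a label at the end of the function, and nothing at the jump site says why this path may no longer return directly. This branch clears is_mptcp and hands back a plain TCP socket, the same situation as the fallback case, so a one-line comment here (for example, that newsk must have its kern flag reset before it reaches the caller) would keep a later cleanup from turning it back into `return newsk;`.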
@@ -2174,6 +2174,8 @@ static struct sock *mptcp_accept(struct sock *sk, int flags, int *err,
 				MPTCP_MIB_MPCAPABLEPASSIVEFALLBACK);
 	}
 
+out:
+	newsk->sk_kern_sock = kern;
 	return newsk;
 }
 
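Review bot: The `newsk->sk_kern_sock = kern;` store after `out:` is an unconditional dereference, and the visible context does not show where newsk is checked for NULL. Please confirm that every path reaching the label holds a valid newsk, and keep any accept-failure path as a direct return rather than routing it through `out`. The store also runs for every socket returned from here, not only the fallback ones named in the subject, so a short comment above it stating that the returned socket must carry the caller's kern value (otherwise TCP_ULP "mptcp" is accepted on it, as the commit message describes) would document the intent.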


