6.6-stable patches

added patches:
	mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch

diff --git a/queue-6.6/mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch b/queue-6.6/mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch
new file mode 100644 (file)
index 0000000..857a4a6
--- /dev/null
+++ b/queue-6.6/mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch
@@ -0,0 +1,65 @@
+From fcf4692fa39e86a590c14a4af2de704e1d20a3b5 Mon Sep 17 00:00:00 2001
+From: Paolo Abeni <pabeni@redhat.com>
+Date: Fri, 29 Mar 2024 19:50:36 +0100
+Subject: mptcp: prevent BPF accessing lowat from a subflow socket.
+
+From: Paolo Abeni <pabeni@redhat.com>
+
+commit fcf4692fa39e86a590c14a4af2de704e1d20a3b5 upstream.
+
+Alexei reported the following splat:
+
+ WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0
+ Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)]
+ CPU: 32 PID: 3276 Comm: test_progs Tainted: GO       6.8.0-12873-g2c43c33bfd23
+ Call Trace:
+  <TASK>
+  mptcp_set_rcvlowat+0x79/0x1d0
+  sk_setsockopt+0x6c0/0x1540
+  __bpf_setsockopt+0x6f/0x90
+  bpf_sock_ops_setsockopt+0x3c/0x90
+  bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b
+  bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132
+  bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86
+  __cgroup_bpf_run_filter_sock_ops+0xbc/0x250
+  tcp_connect+0x879/0x1160
+  tcp_v6_connect+0x50c/0x870
+  mptcp_connect+0x129/0x280
+  __inet_stream_connect+0xce/0x370
+  inet_stream_connect+0x36/0x50
+  bpf_trampoline_6442491565+0x49/0xef
+  inet_stream_connect+0x5/0x50
+  __sys_connect+0x63/0x90
+  __x64_sys_connect+0x14/0x20
+
+The root cause of the issue is that bpf allows accessing mptcp-level
+proto_ops from a tcp subflow scope.
+
+Fix the issue detecting the problematic call and preventing any action.
+
+Reported-by: Alexei Starovoitov <alexei.starovoitov@gmail.com>
+Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/482
+Fixes: 5684ab1a0eff ("mptcp: give rcvlowat some love")
+Signed-off-by: Paolo Abeni <pabeni@redhat.com>
+Reviewed-by: Mat Martineau <martineau@kernel.org>
+Reviewed-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
+Link: https://lore.kernel.org/r/d8cb7d8476d66cb0812a6e29cd1e626869d9d53e.1711738080.git.pabeni@redhat.com
+Signed-off-by: Jakub Kicinski <kuba@kernel.org>
+Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
+---
+ net/mptcp/sockopt.c |    4 ++++
+ 1 file changed, 4 insertions(+)
+
+--- a/net/mptcp/sockopt.c
++++ b/net/mptcp/sockopt.c
+@@ -1538,6 +1538,10 @@ int mptcp_set_rcvlowat(struct sock *sk,
+       struct mptcp_subflow_context *subflow;
+       int space, cap;
+ 
++      /* bpf can land here with a wrong sk type */
++      if (sk->sk_protocol == IPPROTO_TCP)
++              return -EINVAL;
++
+       if (sk->sk_userlocks & SOCK_RCVBUF_LOCK)
+               cap = sk->sk_rcvbuf >> 1;
+       else

diff --git a/queue-6.6/series b/queue-6.6/series
index b050f79eb3f384547bfd1f5dfb5dbb509ebe661e..3376b2ceff8bdeb3868addb09998ed4db4de59ec 100644 (file)
--- a/queue-6.6/series
+++ b/queue-6.6/series
@@ -120,3 +120,4 @@ mptcp-fix-duplicate-data-handling.patch
 selftests-mptcp-always-close-input-s-fd-if-opened.patch
 selftests-mptcp-join-validate-backup-in-mpj.patch
 selftests-mptcp-join-check-backup-support-in-signal-endp.patch
+mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch