From: Greg Kroah-Hartman Date: Wed, 7 Aug 2024 14:55:11 +0000 (+0200) Subject: 6.6-stable patches X-Git-Tag: v6.1.104~11 X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=d2c67b5bf82deaa2a4849f2a25ae92aa33defbd1;p=thirdparty%2Fkernel%2Fstable-queue.git 6.6-stable patches added patches: mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch --- diff --git a/queue-6.6/mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch b/queue-6.6/mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch new file mode 100644 index 00000000000..857a4a6f888 --- /dev/null +++ b/queue-6.6/mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch 
@@ -0,0 +1,65 @@ +From fcf4692fa39e86a590c14a4af2de704e1d20a3b5 Mon Sep 17 00:00:00 2001 +From: Paolo Abeni +Date: Fri, 29 Mar 2024 19:50:36 +0100 +Subject: mptcp: prevent BPF accessing lowat from a subflow socket. + +From: Paolo Abeni + +commit fcf4692fa39e86a590c14a4af2de704e1d20a3b5 upstream. + +Alexei reported the following splat: + + WARNING: CPU: 32 PID: 3276 at net/mptcp/subflow.c:1430 subflow_data_ready+0x147/0x1c0 + Modules linked in: dummy bpf_testmod(O) [last unloaded: bpf_test_no_cfi(O)] + CPU: 32 PID: 3276 Comm: test_progs Tainted: GO 6.8.0-12873-g2c43c33bfd23 + Call Trace: + + mptcp_set_rcvlowat+0x79/0x1d0 + sk_setsockopt+0x6c0/0x1540 + __bpf_setsockopt+0x6f/0x90 + bpf_sock_ops_setsockopt+0x3c/0x90 + bpf_prog_509ce5db2c7f9981_bpf_test_sockopt_int+0xb4/0x11b + bpf_prog_dce07e362d941d2b_bpf_test_socket_sockopt+0x12b/0x132 + bpf_prog_348c9b5faaf10092_skops_sockopt+0x954/0xe86 + __cgroup_bpf_run_filter_sock_ops+0xbc/0x250 + tcp_connect+0x879/0x1160 + tcp_v6_connect+0x50c/0x870 + mptcp_connect+0x129/0x280 + __inet_stream_connect+0xce/0x370 + inet_stream_connect+0x36/0x50 + bpf_trampoline_6442491565+0x49/0xef + inet_stream_connect+0x5/0x50 + __sys_connect+0x63/0x90 + __x64_sys_connect+0x14/0x20 + +The root cause of the issue is that bpf allows accessing mptcp-level +proto_ops from a tcp subflow scope. + +Fix the issue detecting the problematic call and preventing any action. 
+ +Reported-by: Alexei Starovoitov +Closes: https://github.com/multipath-tcp/mptcp_net-next/issues/482 +Fixes: 5684ab1a0eff ("mptcp: give rcvlowat some love") +Signed-off-by: Paolo Abeni +Reviewed-by: Mat Martineau +Reviewed-by: Matthieu Baerts (NGI0) +Link: https://lore.kernel.org/r/d8cb7d8476d66cb0812a6e29cd1e626869d9d53e.1711738080.git.pabeni@redhat.com +Signed-off-by: Jakub Kicinski +Signed-off-by: Greg Kroah-Hartman +--- + net/mptcp/sockopt.c | 4 ++++ + 1 file changed, 4 insertions(+) + +--- a/net/mptcp/sockopt.c ++++ b/net/mptcp/sockopt.c +@@ -1538,6 +1538,10 @@ int mptcp_set_rcvlowat(struct sock *sk, + struct mptcp_subflow_context *subflow; + int space, cap; + ++ /* bpf can land here with a wrong sk type */ ++ if (sk->sk_protocol == IPPROTO_TCP) ++ return -EINVAL; ++ + if (sk->sk_userlocks & SOCK_RCVBUF_LOCK) + cap = sk->sk_rcvbuf >> 1; + else diff --git a/queue-6.6/series b/queue-6.6/series index b050f79eb3f..3376b2ceff8 100644 --- a/queue-6.6/series +++ b/queue-6.6/series @@ -120,3 +120,4 @@ mptcp-fix-duplicate-data-handling.patch selftests-mptcp-always-close-input-s-fd-if-opened.patch selftests-mptcp-join-validate-backup-in-mpj.patch selftests-mptcp-join-check-backup-support-in-signal-endp.patch +mptcp-prevent-bpf-accessing-lowat-from-a-subflow-socket.patch
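Review bot: In the net/mptcp/sockopt.c hunk, the new guard at the top of mptcp_set_rcvlowat() carries the comment "bpf can land here with a wrong sk type", which does not say which type is meant or how it gets there. Suggest naming the case shown in the call trace, where bpf_sock_ops_setsockopt() on a TCP subflow goes through sk_setsockopt() into this MPTCP-level handler, so the reason for `if (sk->sk_protocol == IPPROTO_TCP)` is clear without the commit message. The commit message also describes the root cause as BPF reaching mptcp-level proto_ops from a subflow in general, while the hunk guards only this one handler. It would help to state whether other handlers reachable the same way need an equivalent check, or why they do not.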