From: Eric Dumazet <edumazet@google.com> mainline inclusion from mainline-v6.6-rc3 commit f4f82c52a0ead5ab363d207d06f81b967d09ffb8 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB0F23 CVE: NA Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... -------------------------------- Nothing prevents iscsi_sw_tcp_conn_bind() to receive file descriptor pointing to non TCP socket (af_unix for example). Return -EINVAL if this is attempted, instead of crashing the kernel. Fixes: 7ba247138907 ("[SCSI] open-iscsi/linux-iscsi-5 Initiator: Initiator code") Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Lee Duncan <lduncan@suse.com> Cc: Chris Leech <cleech@redhat.com> Cc: Mike Christie <michael.christie@oracle.com> Cc: "James E.J. Bottomley" <jejb@linux.ibm.com> Cc: "Martin K. Petersen" <martin.petersen@oracle.com> Cc: open-iscsi@googlegroups.com Cc: linux-scsi@vger.kernel.org Reviewed-by: Mike Christie <michael.christie@oracle.com> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: drivers/scsi/iscsi_tcp.c [commit 42f67eea3ba3 ("net: use sk_is_tcp() in more places") is not backported, include linux/skmsg.h here] Signed-off-by: Yu Kuai <yukuai3@huawei.com> --- drivers/scsi/iscsi_tcp.c | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index 35273434aa56..6e7b7288cd20 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c @@ -29,6 +29,7 @@ #include <linux/scatterlist.h> #include <linux/module.h> #include <linux/backing-dev.h> +#include <linux/skmsg.h> #include <net/tcp.h> #include <scsi/scsi_cmnd.h> #include <scsi/scsi_device.h> @@ -687,6 +688,10 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session, return -EEXIST; } + err = -EINVAL; + if (!sk_is_tcp(sock->sk)) + goto free_socket; + err = iscsi_conn_bind(cls_session, cls_conn, is_leading); if (err) goto free_socket; -- 2.39.2