From: Eric Dumazet <edumazet@google.com> mainline inclusion from mainline-v5.17-rc1 commit 42f67eea3ba36cef2dce2e853de6ddcb2e89eb39 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID3WIC CVE: CVE-2025-40080 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... ------------------ Move sk_is_tcp() to include/net/sock.h and use it where we can. Signed-off-by: Eric Dumazet <edumazet@google.com> Signed-off-by: David S. Miller <davem@davemloft.net> Conflicts: include/linux/skmsg.h net/core/sock_map.c [Due to not merging commit 35d2b7ffffc1 ("bpf, sockmap: Fix preempt_rt splat when using raw_spin_lock_t").] include/net/sock.h [Context conflicts.] Signed-off-by: Zheng Qixing <zhengqixing@huawei.com> --- include/net/sock.h | 5 +++++ net/core/skbuff.c | 6 ++---- net/core/sock.c | 6 ++---- net/core/sock_map.c | 6 ------ 4 files changed, 9 insertions(+), 14 deletions(-) diff --git a/include/net/sock.h b/include/net/sock.h index b81e870a9fcc..7861559f3ce7 100644 --- a/include/net/sock.h +++ b/include/net/sock.h @@ -2678,6 +2678,11 @@ static inline void skb_setup_tx_timestamp(struct sk_buff *skb, __u16 tsflags) &skb_shinfo(skb)->tskey); } +static inline bool sk_is_tcp(const struct sock *sk) +{ + return sk->sk_type == SOCK_STREAM && sk->sk_protocol == IPPROTO_TCP; +} + DECLARE_STATIC_KEY_FALSE(tcp_rx_skb_cache_key); /** * sk_eat_skb - Release a skb if it is no longer needed diff --git a/net/core/skbuff.c b/net/core/skbuff.c index c5d13c3fd0d2..47ed4de1edf4 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -4930,8 +4930,7 @@ static void __skb_complete_tx_timestamp(struct sk_buff *skb, serr->header.h4.iif = skb->dev ? skb->dev->ifindex : 0; if (sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID) { serr->ee.ee_data = skb_shinfo(skb)->tskey; - if (sk->sk_protocol == IPPROTO_TCP && - sk->sk_type == SOCK_STREAM) + if (sk_is_tcp(sk)) serr->ee.ee_data -= sk->sk_tskey; } @@ -4999,8 +4998,7 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, if (tsonly) { #ifdef CONFIG_INET if ((sk->sk_tsflags & SOF_TIMESTAMPING_OPT_STATS) && - sk->sk_protocol == IPPROTO_TCP && - sk->sk_type == SOCK_STREAM) { + sk_is_tcp(sk)) { skb = tcp_get_timestamping_opt_stats(sk, orig_skb); opt_stats = true; } else diff --git a/net/core/sock.c b/net/core/sock.c index 0e4ba9d63542..88bb667aebdc 100644 --- a/net/core/sock.c +++ b/net/core/sock.c @@ -1012,8 +1012,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, if (val & SOF_TIMESTAMPING_OPT_ID && !(sk->sk_tsflags & SOF_TIMESTAMPING_OPT_ID)) { - if (sk->sk_protocol == IPPROTO_TCP && - sk->sk_type == SOCK_STREAM) { + if (sk_is_tcp(sk)) { if ((1 << sk->sk_state) & (TCPF_CLOSE | TCPF_LISTEN)) { ret = -EINVAL; @@ -1202,8 +1201,7 @@ int sock_setsockopt(struct socket *sock, int level, int optname, case SO_ZEROCOPY: if (sk->sk_family == PF_INET || sk->sk_family == PF_INET6) { - if (!((sk->sk_type == SOCK_STREAM && - sk->sk_protocol == IPPROTO_TCP) || + if (!(sk_is_tcp(sk) || (sk->sk_type == SOCK_DGRAM && sk->sk_protocol == IPPROTO_UDP))) ret = -ENOTSUPP; diff --git a/net/core/sock_map.c b/net/core/sock_map.c index beb8768a9285..07ab464d2d4e 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -550,12 +550,6 @@ static bool sock_map_op_okay(const struct bpf_sock_ops_kern *ops) ops->op == BPF_SOCK_OPS_TCP_LISTEN_CB; } -static bool sk_is_tcp(const struct sock *sk) -{ - return sk->sk_type == SOCK_STREAM && - sk->sk_protocol == IPPROTO_TCP; -} - static bool sk_is_udp(const struct sock *sk) { return sk->sk_type == SOCK_DGRAM && -- 2.39.2

From: Eric Dumazet <edumazet@google.com> mainline inclusion from mainline-v6.18-rc1 commit 9f7c02e031570e8291a63162c6c046dc15ff85b0 category: bugfix bugzilla: https://gitee.com/src-openeuler/kernel/issues/ID3WIC CVE: CVE-2025-40080 Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i... ------------------ Recently, syzbot started to abuse NBD with all kinds of sockets. Commit cf1b2326b734 ("nbd: verify socket is supported during setup") made sure the socket supported a shutdown() method. Explicitely accept TCP and UNIX stream sockets. Fixes: cf1b2326b734 ("nbd: verify socket is supported during setup") Reported-by: syzbot+e1cd6bd8493060bd701d@syzkaller.appspotmail.com Closes: https://lore.kernel.org/netdev/CANn89iJ+76eE3A_8S_zTpSyW5hvPRn6V57458hCZGY5h... Signed-off-by: Eric Dumazet <edumazet@google.com> Cc: Mike Christie <mchristi@redhat.com> Cc: Richard W.M. Jones <rjones@redhat.com> Cc: Jens Axboe <axboe@kernel.dk> Cc: Yu Kuai <yukuai1@huaweicloud.com> Cc: linux-block@vger.kernel.org Cc: nbd@other.debian.org Signed-off-by: Jens Axboe <axboe@kernel.dk> Signed-off-by: Zheng Qixing <zhengqixing@huawei.com> --- drivers/block/nbd.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index fa111ed7cdae..85eba9dcba3e 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1121,6 +1121,14 @@ static struct socket *nbd_get_socket(struct nbd_device *nbd, unsigned long fd, if (!sock) return NULL; + if (!sk_is_tcp(sock->sk) && + !sk_is_stream_unix(sock->sk)) { + dev_err(disk_to_dev(nbd->disk), "Unsupported socket: should be TCP or UNIX.\n"); + *err = -EINVAL; + sockfd_put(sock); + return NULL; + } + if (sock->ops->shutdown == sock_no_shutdown) { dev_err(disk_to_dev(nbd->disk), "Unsupported socket: shutdown callout must be supported.\n"); *err = -EINVAL; -- 2.39.2