From: Eric Dumazet edumazet@google.com
mainline inclusion from mainline-v6.6-rc3 commit f4f82c52a0ead5ab363d207d06f81b967d09ffb8 category: bugfix bugzilla: https://gitee.com/openeuler/kernel/issues/IB0F23 CVE: NA
Reference: https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git/commit/?i...
--------------------------------
Nothing prevents iscsi_sw_tcp_conn_bind() to receive file descriptor pointing to non TCP socket (af_unix for example).
Return -EINVAL if this is attempted, instead of crashing the kernel.
Fixes: 7ba247138907 ("[SCSI] open-iscsi/linux-iscsi-5 Initiator: Initiator code") Signed-off-by: Eric Dumazet edumazet@google.com Cc: Lee Duncan lduncan@suse.com Cc: Chris Leech cleech@redhat.com Cc: Mike Christie michael.christie@oracle.com Cc: "James E.J. Bottomley" jejb@linux.ibm.com Cc: "Martin K. Petersen" martin.petersen@oracle.com Cc: open-iscsi@googlegroups.com Cc: linux-scsi@vger.kernel.org Reviewed-by: Mike Christie michael.christie@oracle.com Signed-off-by: David S. Miller davem@davemloft.net Conflicts: drivers/scsi/iscsi_tcp.c [commit 42f67eea3ba3 ("net: use sk_is_tcp() in more places") is not backported, include linux/skmsg.h here] Signed-off-by: Yu Kuai yukuai3@huawei.com --- drivers/scsi/iscsi_tcp.c | 5 +++++ 1 file changed, 5 insertions(+)
diff --git a/drivers/scsi/iscsi_tcp.c b/drivers/scsi/iscsi_tcp.c index 35273434aa56..6e7b7288cd20 100644 --- a/drivers/scsi/iscsi_tcp.c +++ b/drivers/scsi/iscsi_tcp.c @@ -29,6 +29,7 @@ #include <linux/scatterlist.h> #include <linux/module.h> #include <linux/backing-dev.h> +#include <linux/skmsg.h> #include <net/tcp.h> #include <scsi/scsi_cmnd.h> #include <scsi/scsi_device.h> @@ -687,6 +688,10 @@ iscsi_sw_tcp_conn_bind(struct iscsi_cls_session *cls_session, return -EEXIST; }
+ err = -EINVAL; + if (!sk_is_tcp(sock->sk)) + goto free_socket; + err = iscsi_conn_bind(cls_session, cls_conn, is_leading); if (err) goto free_socket;