From: Florian Westphal
Cc: Florian Westphal
Subject: [PATCH mptcp 1/2] mptcp: clear 'kern' flag from fallback sockets
Date: Mon, 6 Dec 2021 16:51:19 +0100
Message-Id: <20211206155120.26929-2-fw@strlen.de>
In-Reply-To: <20211206155120.26929-1-fw@strlen.de>

The mptcp ULP extension relies on sk->sk_sock_kern being set correctly:
It prevents setsockopt(fd, IPPROTO_TCP, TCP_ULP, "mptcp", 6); from
working for plain tcp sockets (any userspace-exposed socket).

But in case of fallback, accept() can return a plain tcp sk.
In such case, sk is still tagged as 'kernel' and setsockopt will work.

This will crash the kernel. The subflow extension has a NULL ctx->conn
mptcp socket:

BUG: KASAN: null-ptr-deref in subflow_data_ready+0x181/0x2b0
Call Trace:
 tcp_data_ready+0xf8/0x370
 [..]

Fixes: cf7da0d66cc1 ("mptcp: Create SUBFLOW socket for incoming connections")
Signed-off-by: Florian Westphal
--- net/mptcp/protocol.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/mptcp/protocol.c b/net/mptcp/protocol.c index 8319e601bc2d..34ea4b25128e 100644 --- a/net/mptcp/protocol.c +++ b/net/mptcp/protocol.c @@ -3025,6 +3025,7 @@ static struct sock *mptcp_accept(struct sock *sk, int= flags, int *err, MPTCP_MIB_MPCAPABLEPASSIVEFALLBACK); } =20 + newsk->sk_kern_sock =3D kern; return newsk; } =20 --=20 2.32.0
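
Review bot: The added "newsk->sk_kern_sock = kern;" sits after the closing brace of the fallback branch, directly before "return newsk;", so it runs for every socket mptcp_accept() returns and copies the caller's kern value rather than clearing the flag as the subject line says. That placement looks intentional (an in-kernel accept keeps the tag, a userspace accept() loses it), but it deserves a one-line comment above the assignment stating that the accepted socket is otherwise still tagged as kernel and that the TCP_ULP "mptcp" restriction depends on this field, so the line is not later moved into the fallback branch or dropped as redundant. The commit message also names the field sk->sk_sock_kern while the code assigns sk_kern_sock; using the name from the code would make the commit findable by grep. Since the message describes a crash reachable through setsockopt() on an accept()ed socket, a selftest that attempts that setsockopt() on a fallback-accepted socket and expects it to fail would guard against regression.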