Home

Description

In the Linux kernel, the following vulnerability has been resolved: mptcp: Fix proto fallback detection with BPF The sockmap feature allows bpf syscall from userspace, or based on bpf sockops, replacing the sk_prot of sockets during protocol stack processing with sockmap's custom read/write interfaces. ''' tcp_rcv_state_process() syn_recv_sock()/subflow_syn_recv_sock() tcp_init_transfer(BPF_SOCK_OPS_PASSIVE_ESTABLISHED_CB) bpf_skops_established <== sockops bpf_sock_map_update(sk) <== call bpf helper tcp_bpf_update_proto() <== update sk_prot ''' When the server has MPTCP enabled but the client sends a TCP SYN without MPTCP, subflow_syn_recv_sock() performs a fallback on the subflow, replacing the subflow sk's sk_prot with the native sk_prot. ''' subflow_syn_recv_sock() subflow_ulp_fallback() subflow_drop_ctx() mptcp_subflow_ops_undo_override() ''' Then, this subflow can be normally used by sockmap, which replaces the native sk_prot with sockmap's custom sk_prot. The issue occurs when the user executes accept::mptcp_stream_accept::mptcp_fallback_tcp_ops(). Here, it uses sk->sk_prot to compare with the native sk_prot, but this is incorrect when sockmap is used, as we may incorrectly set sk->sk_socket->ops. This fix uses the more generic sk_family for the comparison instead. Additionally, this also prevents a WARNING from occurring: result from ./scripts/decode_stacktrace.sh: ------------[ cut here ]------------ WARNING: CPU: 0 PID: 337 at net/mptcp/protocol.c:68 mptcp_stream_accept \ (net/mptcp/protocol.c:4005) Modules linked in: ... PKRU: 55555554 Call Trace: <TASK> do_accept (net/socket.c:1989) __sys_accept4 (net/socket.c:2028 net/socket.c:2057) __x64_sys_accept (net/socket.c:2067) x64_sys_call (arch/x86/entry/syscall_64.c:41) do_syscall_64 (arch/x86/entry/syscall_64.c:63 arch/x86/entry/syscall_64.c:94) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:130) RIP: 0033:0x7f87ac92b83d ---[ end trace 0000000000000000 ]---

PUBLISHED Reserved 2025-12-16 | Published 2025-12-16 | Updated 2025-12-16 | Assigner Linux

Product status

Default status
unaffected

0b4f33def7bbde1ce2fea05f116639270e7acdc7 (git) before 92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c
affected

0b4f33def7bbde1ce2fea05f116639270e7acdc7 (git) before 7ee8f015eb47907745e2070184a8ab1e442ac3c4
affected

0b4f33def7bbde1ce2fea05f116639270e7acdc7 (git) before 344974ea1a3ca30e4920687b0091bda4438cebdb
affected

0b4f33def7bbde1ce2fea05f116639270e7acdc7 (git) before 037cc50589643342d69185b663ecf9d26cce91e8
affected

0b4f33def7bbde1ce2fea05f116639270e7acdc7 (git) before 9b1980b6f23fa30bf12add19f37c7458625099eb
affected

0b4f33def7bbde1ce2fea05f116639270e7acdc7 (git) before 1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00
affected

0b4f33def7bbde1ce2fea05f116639270e7acdc7 (git) before c77b3b79a92e3345aa1ee296180d1af4e7031f8f
affected

Default status
affected

5.7
affected

Any version before 5.7
unaffected

5.10.247 (semver)
unaffected

5.15.197 (semver)
unaffected

6.1.159 (semver)
unaffected

6.6.118 (semver)
unaffected

6.12.60 (semver)
unaffected

6.17.10 (semver)
unaffected

6.18 (original_commit_for_fix)
unaffected

References

git.kernel.org/...c/92c4092fe012ecdfa5fb05d394f1c1d8f91ad81c

git.kernel.org/...c/7ee8f015eb47907745e2070184a8ab1e442ac3c4

git.kernel.org/...c/344974ea1a3ca30e4920687b0091bda4438cebdb

git.kernel.org/...c/037cc50589643342d69185b663ecf9d26cce91e8

git.kernel.org/...c/9b1980b6f23fa30bf12add19f37c7458625099eb

git.kernel.org/...c/1a0d5c74af9b6ba9ffdf1172de5a1a6df5922a00

git.kernel.org/...c/c77b3b79a92e3345aa1ee296180d1af4e7031f8f

cve.org (CVE-2025-68227)

nvd.nist.gov (CVE-2025-68227)

Download JSON

Data based on CVE®. Copyright © 1999-2025, The MITRE Corporation. All rights reserved.