[5.10,149/221] ipv6: weaken the v4mapped source check

Message ID	20210329075634.138636069@linuxfoundation.org
State	New
Headers	show Return-Path: <stable-owner@kernel.org> From: Greg Kroah-Hartman <gregkh@linuxfoundation.org> To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>, stable@vger.kernel.org, Sunyi Shao <sunyishao@fb.com>, Jakub Kicinski <kuba@kernel.org>, Mat Martineau <mathew.j.martineau@linux.intel.com>, Eric Dumazet <edumazet@google.com>, "David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org> Subject: [PATCH 5.10 149/221] ipv6: weaken the v4mapped source check Date: Mon, 29 Mar 2021 09:58:00 +0200 Message-Id: <20210329075634.138636069@linuxfoundation.org> In-Reply-To: <20210329075629.172032742@linuxfoundation.org> References: <20210329075629.172032742@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Precedence: bulk
Series	None \| expand [5.10,002/221] mm/memcg: set memcg when splitting page [5.10,003/221] mt76: fix tx skb error handling in mt76_dma_tx_queue_skb [5.10,004/221] net: stmmac: fix dma physical address of descriptor when display ring [5.10,005/221] net: fec: ptp: avoid register access when ipg clock is disabled [5.10,006/221] powerpc/4xx: Fix build errors from mfdcr() [5.10,007/221] atm: eni: dont release is never initialized [5.10,008/221] atm: lanai: dont run lanai_dev_close if not open [5.10,009/221] Revert "r8152: adjust the settings about MAC clock speed down for RTL8153" [5.10,010/221] ALSA: hda: ignore invalid NHLT table [5.10,011/221] ixgbe: Fix memleak in ixgbe_configure_clsu32 [5.10,012/221] scsi: ufs: ufs-qcom: Disable interrupt in reset path [5.10,013/221] blk-cgroup: Fix the recursive blkg rwstat [5.10,014/221] net: tehuti: fix error return code in bdx_probe() [5.10,015/221] net: intel: iavf: fix error return code of iavf_init_get_resources() [5.10,016/221] sun/niu: fix wrong RXMAC_BC_FRM_CNT_COUNT count [5.10,017/221] gianfar: fix jumbo packets+napi+rx overrun crash [5.10,018/221] cifs: ask for more credit on async read/write code paths [5.10,019/221] gfs2: fix use-after-free in trans_drain [5.10,020/221] cpufreq: blacklist Arm Vexpress platforms in cpufreq-dt-platdev [5.10,021/221] gpiolib: acpi: Add missing IRQF_ONESHOT [5.10,022/221] nfs: fix PNFS_FLEXFILE_LAYOUT Kconfig default [5.10,023/221] NFS: Correct size calculation for create reply length [5.10,024/221] net: hisilicon: hns: fix error return code of hns_nic_clear_all_rx_fetch() [5.10,025/221] net: wan: fix error return code of uhdlc_init() [5.10,026/221] net: davicom: Use platform_get_irq_optional() [5.10,027/221] net: enetc: set MAC RX FIFO to recommended value [5.10,028/221] atm: uPD98402: fix incorrect allocation [5.10,029/221] atm: idt77252: fix null-ptr-dereference [5.10,030/221] cifs: change noisy error message to FYI [5.10,031/221] irqchip/ingenic: Add support for the JZ4760 [5.10,032/221] kbuild: add image_name to no-sync-config-targets [5.10,033/221] kbuild: dummy-tools: fix inverted tests for gcc [5.10,034/221] umem: fix error return code in mm_pci_probe() [5.10,035/221] sparc64: Fix opcode filtering in handling of no fault loads [5.10,036/221] habanalabs: Call put_pid() when releasing control device [5.10,037/221] staging: rtl8192e: fix kconfig dependency on CRYPTO [5.10,038/221] u64_stats,lockdep: Fix u64_stats_init() vs lockdep [5.10,039/221] kselftest: arm64: Fix exit code of sve-ptrace [5.10,040/221] regulator: qcom-rpmh: Correct the pmic5_hfsmps515 buck [5.10,041/221] block: Fix REQ_OP_ZONE_RESET_ALL handling [5.10,042/221] drm/amd/display: Revert dram_clock_change_latency for DCN2.1 [5.10,043/221] drm/amdgpu: fb BO should be ttm_bo_type_device [5.10,044/221] drm/radeon: fix AGP dependency [5.10,045/221] nvme: simplify error logic in nvme_validate_ns() [5.10,046/221] nvme: add NVME_REQ_CANCELLED flag in nvme_cancel_request() [5.10,047/221] nvme-fc: set NVME_REQ_CANCELLED in nvme_fc_terminate_exchange() [5.10,048/221] nvme-fc: return NVME_SC_HOST_ABORTED_CMD when a command has been aborted [5.10,049/221] nvme-core: check ctrl css before setting up zns [5.10,050/221] nvme-rdma: Fix a use after free in nvmet_rdma_write_data_done [5.10,051/221] nvme-pci: add the DISABLE_WRITE_ZEROES quirk for a Samsung PM1725a [5.10,052/221] nfs: we dont support removing system.nfs4_acl [5.10,053/221] block: Suppress uevent for hidden device when removed [5.10,054/221] mm/fork: clear PASID for new mm [5.10,055/221] ia64: fix ia64_syscall_get_set_arguments() for break-based syscalls [5.10,056/221] ia64: fix ptrace(PTRACE_SYSCALL_INFO_EXIT) sign [5.10,057/221] static_call: Pull some static_call declarations to the type headers [5.10,058/221] static_call: Allow module use without exposing static_call_key [5.10,059/221] static_call: Fix the module key fixup [5.10,060/221] static_call: Fix static_call_set_init() [5.10,061/221] KVM: x86: Protect userspace MSR filter with SRCU, and set atomically-ish [5.10,062/221] btrfs: fix sleep while in non-sleep context during qgroup removal [5.10,063/221] selinux: dont log MAC_POLICY_LOAD record on failed policy load [5.10,064/221] selinux: fix variable scope issue in live sidtab conversion [5.10,065/221] netsec: restore phy power state after controller reset [5.10,066/221] platform/x86: intel-vbtn: Stop reporting SW_DOCK events [5.10,067/221] psample: Fix user API breakage [5.10,068/221] z3fold: prevent reclaim/free race for headless pages [5.10,069/221] squashfs: fix inode lookup sanity checks [5.10,070/221] squashfs: fix xattr id and id lookup sanity checks [5.10,071/221] hugetlb_cgroup: fix imbalanced css_get and css_put pair for shared mappings [5.10,072/221] kasan: fix per-page tags for non-page_alloc pages [5.10,073/221] gcov: fix clang-11+ support [5.10,074/221] ACPI: video: Add missing callback back for Sony VPCEH3U1E [5.10,075/221] ACPICA: Always create namespace nodes using acpi_ns_create_node() [5.10,076/221] arm64: stacktrace: dont trace arch_stack_walk() [5.10,077/221] arm64: dts: ls1046a: mark crypto engine dma coherent [5.10,078/221] arm64: dts: ls1012a: mark crypto engine dma coherent [5.10,079/221] arm64: dts: ls1043a: mark crypto engine dma coherent [5.10,080/221] ARM: dts: at91: sam9x60: fix mux-mask for PA7 so it can be set to A, B and C [5.10,081/221] ARM: dts: at91: sam9x60: fix mux-mask to match products datasheet [5.10,082/221] ARM: dts: at91-sama5d27_som1: fix phy address to 7 [5.10,083/221] integrity: double check iint_cache was initialized [5.10,084/221] drm/etnaviv: Use FOLL_FORCE for userptr [5.10,085/221] drm/amd/pm: workaround for audio noise issue [5.10,086/221] drm/amdgpu/display: restore AUX_DPHY_TX_CONTROL for DCN2.x [5.10,087/221] drm/amdgpu: Add additional Sienna Cichlid PCI ID [5.10,088/221] drm/i915: Fix the GT fence revocation runtime PM logic [5.10,089/221] dm verity: fix DM_VERITY_OPTS_MAX value [5.10,090/221] dm ioctl: fix out of bounds array access when no devices [5.10,091/221] bus: omap_l3_noc: mark l3 irqs as IRQF_NO_THREAD [5.10,092/221] ARM: OMAP2+: Fix smartreflex init regression after dropping legacy data [5.10,093/221] soc: ti: omap-prm: Fix occasional abort on reset deassert for dra7 iva [5.10,094/221] veth: Store queue_mapping independently of XDP prog presence [5.10,095/221] bpf: Change inode_storages lookup_elem return value from NULL to -EBADF [5.10,096/221] libbpf: Fix INSTALL flag order [5.10,097/221] net/mlx5e: RX, Mind the MPWQE gaps when calculating offsets [5.10,098/221] net/mlx5e: When changing XDP program without reset, take refs for XSK RQs [5.10,099/221] net/mlx5e: Dont match on Geneve options in case option masks are all zero [5.10,100/221] ipv6: fix suspecious RCU usage warning [5.10,101/221] drop_monitor: Perform cleanup upon probe registration failure [5.10,102/221] macvlan: macvlan_count_rx() needs to be aware of preemption [5.10,103/221] net: sched: validate stab values [5.10,104/221] net: dsa: bcm_sf2: Qualify phydev->dev_flags based on port [5.10,105/221] igc: reinit_locked() should be called with rtnl_lock [5.10,106/221] igc: Fix Pause Frame Advertising [5.10,107/221] igc: Fix Supported Pause Frame Link Setting [5.10,108/221] igc: Fix igc_ptp_rx_pktstamp() [5.10,109/221] e1000e: add rtnl_lock() to e1000_reset_task [5.10,110/221] e1000e: Fix error handling in e1000_set_d0_lplu_state_82571 [5.10,111/221] net/qlcnic: Fix a use after free in qlcnic_83xx_get_minidump_template [5.10,112/221] net: phy: broadcom: Add power down exit reset state delay [5.10,113/221] ftgmac100: Restart MAC HW once [5.10,114/221] clk: qcom: gcc-sc7180: Use floor ops for the correct sdcc1 clk [5.10,115/221] net: ipa: terminate message handler arrays [5.10,116/221] net: qrtr: fix a kernel-infoleak in qrtr_recvmsg() [5.10,117/221] flow_dissector: fix byteorder of dissected ICMP ID [5.10,118/221] selftests/bpf: Set gopt opt_class to 0 if get tunnel opt failed [5.10,119/221] netfilter: ctnetlink: fix dump of the expect mask attribute [5.10,120/221] net: hdlc_x25: Prevent racing between "x25_close" and "x25_xmit"/"x25_rx" [5.10,121/221] net: phylink: Fix phylink_err() function name error in phylink_major_config [5.10,122/221] tipc: better validate user input in tipc_nl_retrieve_key() [5.10,123/221] tcp: relookup sock for RST+ACK packets handled by obsolete req sock [5.10,124/221] can: isotp: isotp_setsockopt(): only allow to set low level TX flags for CAN-FD [5.10,125/221] can: isotp: TX-path: ensure that CAN frame flags are initialized [5.10,126/221] can: peak_usb: add forgotten supported devices [5.10,127/221] can: flexcan: flexcan_chip_freeze(): fix chip freeze for missing bitrate [5.10,128/221] can: kvaser_pciefd: Always disable bus load reporting [5.10,129/221] can: c_can_pci: c_can_pci_remove(): fix use-after-free [5.10,130/221] can: c_can: move runtime PM enable/disable to c_can_platform [5.10,131/221] can: m_can: m_can_do_rx_poll(): fix extraneous msg loss warning [5.10,132/221] can: m_can: m_can_rx_peripheral(): fix RX being blocked by errors [5.10,133/221] mac80211: fix rate mask reset [5.10,134/221] mac80211: Allow HE operation to be longer than expected. [5.10,135/221] selftests/net: fix warnings on reuseaddr_ports_exhausted [5.10,136/221] nfp: flower: fix unsupported pre_tunnel flows [5.10,137/221] nfp: flower: add ipv6 bit to pre_tunnel control message [5.10,138/221] nfp: flower: fix pre_tun mask id allocation [5.10,139/221] ftrace: Fix modify_ftrace_direct. [5.10,140/221] drm/msm/dsi: fix check-before-set in the 7nm dsi_pll code [5.10,141/221] ionic: linearize tso skb with too many frags [5.10,142/221] net/sched: cls_flower: fix only mask bit check in the validate_ct_state [5.10,143/221] netfilter: nftables: report EOPNOTSUPP on unsupported flowtable flags [5.10,144/221] netfilter: nftables: allow to update flowtable flags [5.10,145/221] netfilter: flowtable: Make sure GC works periodically in idle system [5.10,146/221] libbpf: Fix error path in bpf_object__elf_init() [5.10,147/221] libbpf: Use SOCK_CLOEXEC when opening the netlink socket [5.10,148/221] ARM: dts: imx6ull: fix ubi filesystem mount failed [5.10,149/221] ipv6: weaken the v4mapped source check [5.10,150/221] octeontx2-af: Formatting debugfs entry rsrc_alloc. [5.10,151/221] octeontx2-af: Modify default KEX profile to extract TX packet fields [5.10,152/221] octeontx2-af: Remove TOS field from MKEX TX [5.10,153/221] octeontx2-af: Fix irq free in rvu teardown [5.10,154/221] octeontx2-pf: Clear RSS enable flag on interace down [5.10,155/221] octeontx2-af: fix infinite loop in unmapping NPC counter [5.10,156/221] net: check all name nodes in __dev_alloc_name [5.10,157/221] net: cdc-phonet: fix data-interface release on probe failure [5.10,158/221] igb: check timestamp validity [5.10,159/221] r8152: limit the RX buffer size of RTL8153A for USB 2.0 [5.10,160/221] net: stmmac: dwmac-sun8i: Provide TX and RX fifo sizes [5.10,161/221] selinux: vsock: Set SID for socket returned by accept() [5.10,162/221] selftests: forwarding: vxlan_bridge_1d: Fix vxlan ecn decapsulate value [5.10,163/221] libbpf: Fix BTF dump of pointer-to-array-of-struct [5.10,164/221] bpf: Fix umd memory leak in copy_process() [5.10,165/221] can: isotp: tx-path: zero initialize outgoing CAN frames [5.10,166/221] drm/msm: fix shutdown hook in case GPU components failed to bind [5.10,167/221] drm/msm: Fix suspend/resume on i.MX5 [5.10,168/221] arm64: kdump: update ppos when reading elfcorehdr [5.10,169/221] PM: runtime: Defer suspending suppliers [5.10,170/221] net/mlx5: Add back multicast stats for uplink representor [5.10,171/221] net/mlx5e: Allow to match on MPLS parameters only for MPLS over UDP [5.10,172/221] net/mlx5e: Offload tuple rewrite for non-CT flows [5.10,173/221] net/mlx5e: Fix error path for ethtool set-priv-flag [5.10,174/221] PM: EM: postpone creating the debugfs dir till fs_initcall [5.10,175/221] net: bridge: dont notify switchdev for local FDB addresses [5.10,176/221] octeontx2-af: Fix memory leak of object buf [5.10,177/221] xen/x86: make XEN_BALLOON_MEMORY_HOTPLUG_LIMIT depend on MEMORY_HOTPLUG [5.10,178/221] RDMA/cxgb4: Fix adapter LE hash errors while destroying ipv6 listening server [5.10,179/221] bpf: Dont do bpf_cgroup_storage_set() for kuprobe/tp programs [5.10,180/221] net: Consolidate common blackhole dst ops [5.10,181/221] net, bpf: Fix ip6ip6 crash with collect_md populated skbs [5.10,182/221] igb: avoid premature Rx buffer reuse [5.10,183/221] net: axienet: Properly handle PCS/PMA PHY for 1000BaseX mode [5.10,184/221] net: axienet: Fix probe error cleanup [5.10,185/221] net: phy: introduce phydev->port [5.10,186/221] net: phy: broadcom: Avoid forward for bcm54xx_config_clock_delay() [5.10,187/221] net: phy: broadcom: Set proper 1000BaseX/SGMII interface mode for BCM54616S [5.10,188/221] net: phy: broadcom: Fix RGMII delays for BCM50160 and BCM50610M [5.10,189/221] Revert "netfilter: x_tables: Switch synchronization to RCU" [5.10,190/221] netfilter: x_tables: Use correct memory barriers. [5.10,191/221] arm64/mm: define arch_get_mappable_range() [5.10,192/221] arm64: mm: correct the inside linear map range during hotplug check [5.10,193/221] dm table: Fix zoned model check and zone sectors check [5.10,194/221] mm/mmu_notifiers: ensure range_end() is paired with range_start() [5.10,195/221] Revert "netfilter: x_tables: Update remaining dereference to RCU" [5.10,196/221] ACPI: scan: Rearrange memory allocation in acpi_device_add() [5.10,197/221] ACPI: scan: Use unique number for instance_no [5.10,198/221] perf auxtrace: Fix auxtrace queue conflict [5.10,199/221] perf synthetic events: Avoid write of uninitialized memory when generating PERF_RE... [5.10,200/221] io_uring: fix provide_buffers sign extension [5.10,201/221] block: recalculate segment count for multi-segment discards correctly [5.10,202/221] scsi: Revert "qla2xxx: Make sure that aborted commands are freed" [5.10,203/221] scsi: qedi: Fix error return code of qedi_alloc_global_queues() [5.10,204/221] scsi: mpt3sas: Fix error return code of mpt3sas_base_attach() [5.10,205/221] smb3: fix cached file size problems in duplicate extents (reflink) [5.10,206/221] cifs: Adjust key sizes and key generation routines for AES256 encryption [5.10,207/221] locking/mutex: Fix non debug version of mutex_lock_io_nested() [5.10,208/221] x86/mem_encrypt: Correct physical address calculation in __set_clr_pte_enc() [5.10,209/221] mm/memcg: fix 5.10 backport of splitting page memcg [5.10,210/221] fs/cachefiles: Remove wait_bit_key layout dependency [5.10,211/221] ch_ktls: fix enum-conversion warning [5.10,212/221] can: dev: Move device back to init netns on owning netns delete [5.10,213/221] r8169: fix DMA being used after buffer free if WoL is enabled [5.10,214/221] net: dsa: b53: VLAN filtering is global to all users [5.10,215/221] mac80211: fix double free in ibss_leave [5.10,216/221] ext4: add reclaim checks to xattr code [5.10,217/221] fs/ext4: fix integer overflow in s_log_groups_per_flex [5.10,218/221] Revert "xen: fix p2m size in dom0 for disabled memory hotplug case" [5.10,219/221] Revert "net: bonding: fix error return code of bond_neigh_init()" [5.10,220/221] nvme: fix the nsid value to print in nvme_validate_or_alloc_ns [5.10,221/221] can: peak_usb: Revert "can: peak_usb: add forgotten supported devices"

Message ID

20210329075634.138636069@linuxfoundation.org

State

New

Headers

From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
	stable@vger.kernel.org, Sunyi Shao <sunyishao@fb.com>,
	Jakub Kicinski <kuba@kernel.org>,
	Mat Martineau <mathew.j.martineau@linux.intel.com>,
	Eric Dumazet <edumazet@google.com>,
	"David S. Miller" <davem@davemloft.net>, Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.10 149/221] ipv6: weaken the v4mapped source check
Date: Mon, 29 Mar 2021 09:58:00 +0200
Message-Id: <20210329075634.138636069@linuxfoundation.org>
In-Reply-To: <20210329075629.172032742@linuxfoundation.org>
References: <20210329075629.172032742@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk

Series

None | expand

Commit Message

Greg Kroah-Hartman March 29, 2021, 7:58 a.m. UTC

From: Jakub Kicinski <kuba@kernel.org>

[ Upstream commit dcc32f4f183ab8479041b23a1525d48233df1d43 ]

This reverts commit 6af1799aaf3f1bc8defedddfa00df3192445bbf3.

Commit 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped
source address") introduced an input check against v4mapped addresses.
Use of such addresses on the wire is indeed questionable and not
allowed on public Internet. As the commit pointed out

  https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02

lists potential issues.

Unfortunately there are applications which use v4mapped addresses,
and breaking them is a clear regression. For example v4mapped
addresses (or any semi-valid addresses, really) may be used
for uni-direction event streams or packet export.

Since the issue which sparked the addition of the check was with
TCP and request_socks in particular push the check down to TCPv6
and DCCP. This restores the ability to receive UDPv6 packets with
v4mapped address as the source.

Keep using the IPSTATS_MIB_INHDRERRORS statistic to minimize the
user-visible changes.

Fixes: 6af1799aaf3f ("ipv6: drop incoming packets having a v4mapped source address")
Reported-by: Sunyi Shao <sunyishao@fb.com>
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Acked-by: Mat Martineau <mathew.j.martineau@linux.intel.com>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/dccp/ipv6.c      |  5 +++++
 net/ipv6/ip6_input.c | 10 ----------
 net/ipv6/tcp_ipv6.c  |  5 +++++
 net/mptcp/subflow.c  |  5 +++++
 4 files changed, 15 insertions(+), 10 deletions(-)

diff --git a/net/dccp/ipv6.c b/net/dccp/ipv6.c
index 78ee1b5acf1f..49f4034bf126 100644
--- a/net/dccp/ipv6.c
+++ b/net/dccp/ipv6.c
@@ -319,6 +319,11 @@  static int dccp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 	if (!ipv6_unicast_destination(skb))
 		return 0;	/* discard, don't send a reset here */
 
+	if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) {
+		__IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS);
+		return 0;
+	}
+
 	if (dccp_bad_service_code(sk, service)) {
 		dcb->dccpd_reset_code = DCCP_RESET_CODE_BAD_SERVICE_CODE;
 		goto drop;
diff --git a/net/ipv6/ip6_input.c b/net/ipv6/ip6_input.c
index e96304d8a4a7..06d60662717d 100644
--- a/net/ipv6/ip6_input.c
+++ b/net/ipv6/ip6_input.c
@@ -245,16 +245,6 @@  static struct sk_buff *ip6_rcv_core(struct sk_buff *skb, struct net_device *dev,
 	if (ipv6_addr_is_multicast(&hdr->saddr))
 		goto err;
 
-	/* While RFC4291 is not explicit about v4mapped addresses
-	 * in IPv6 headers, it seems clear linux dual-stack
-	 * model can not deal properly with these.
-	 * Security models could be fooled by ::ffff:127.0.0.1 for example.
-	 *
-	 * https://tools.ietf.org/html/draft-itojun-v6ops-v4mapped-harmful-02
-	 */
-	if (ipv6_addr_v4mapped(&hdr->saddr))
-		goto err;
-
 	skb->transport_header = skb->network_header + sizeof(*hdr);
 	IP6CB(skb)->nhoff = offsetof(struct ipv6hdr, nexthdr);
 
diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 991dc36f95ff..3f9bb6dd1f98 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1170,6 +1170,11 @@  static int tcp_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 	if (!ipv6_unicast_destination(skb))
 		goto drop;
 
+	if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) {
+		__IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS);
+		return 0;
+	}
+
 	return tcp_conn_request(&tcp6_request_sock_ops,
 				&tcp_request_sock_ipv6_ops, sk, skb);
 
diff --git a/net/mptcp/subflow.c b/net/mptcp/subflow.c
index 16adba172fb9..6317b9bc8681 100644
--- a/net/mptcp/subflow.c
+++ b/net/mptcp/subflow.c
@@ -398,6 +398,11 @@  static int subflow_v6_conn_request(struct sock *sk, struct sk_buff *skb)
 	if (!ipv6_unicast_destination(skb))
 		goto drop;
 
+	if (ipv6_addr_v4mapped(&ipv6_hdr(skb)->saddr)) {
+		__IP6_INC_STATS(sock_net(sk), NULL, IPSTATS_MIB_INHDRERRORS);
+		return 0;
+	}
+
 	return tcp_conn_request(&mptcp_subflow_request_sock_ops,
 				&subflow_request_sock_ipv6_ops, sk, skb);

[5.10,149/221] ipv6: weaken the v4mapped source check

Commit Message

Patch