From: Kuniyuki Iwashima
Subject: Re: [PATCH bpf-next] net: Fix slab-out-of-bounds in inet[6]_steal_sock
Date: Wed, 9 Aug 2023 10:14:51 -0700
Message-ID: <20230809171451.78725-1-kuniyu@amazon.com>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Lorenz Bauer
Date: Wed, 9 Aug 2023 17:55:02 +0100
> On Wed, Aug 9, 2023 at 4:56 PM Kuniyuki Iwashima wrote:
> >
> > > Things we could do if necessary:
> > > 1. Reset the flag in inet_csk_clone_lock like we do for SOCK_RCU_FREE
> >
> > I think we can't do this as sk_reuseport is inherited by twsk and used
> > in inet_bind_conflict().
>
> Ok, so what kind of state does reuseport carry in the various states then?
>
> TCP_LISTEN: sk_reuseport && sk_reuseport_cb
> TCP_ESTABLISHED: sk_reuseport && !sk_reuseport_cb
> TCP_TIME_WAIT: sk_reuseport && !sk_reuseport_cb
>
> Where is sk_reuseport_cb cleared? On clone? Or not at all?

sk_clone_lock() does when cloning sk from listener, and we cannot check
sk_reuseport_cb for twsk as it doesn't have the member.

>
> > > 2. Duplicate the cb check into inet[6]_steal_sock
> >
> > or 3. Add sk_fullsock() test?
>
> I guess this would be in addition to the convoluted series of checks
> I've removed in this patch?

Yes.
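The state table and the sk_fullsock() suggestion above, as an added stand-alone model in C. This is constructed for this note and is not kernel code or part of the patch: the structs are deliberately minimal stand-ins for the kernel's sock_common / sock / inet_timewait_sock layout (field names mirror the kernel's), and make_listener(), clone_to_established(), make_timewait(), reuseport_group_attached() and scenario_mask() are hypothetical helpers. What it shows is why the guard has to come from the state rather than from the member: sk_reuseport sits in the shared prefix and survives into the twsk, but sk_reuseport_cb exists only in the full socket, so reading it through a twsk pointer reads past the smaller allocation.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Minimal model of the kernel layout (constructed; not kernel code). */
enum { TCP_ESTABLISHED = 1, TCP_TIME_WAIT = 6, TCP_LISTEN = 10, TCP_NEW_SYN_RECV = 12 };

/* Prefix shared by full sockets and the smaller minisocks (twsk/reqsk). */
struct sock_common {
	unsigned char skc_state;
	unsigned char skc_reuseport;	/* sk_reuseport: valid for twsk too */
};

struct sock {
	struct sock_common __sk_common;
	void *sk_reuseport_cb;		/* exists only in the full socket */
};

struct inet_timewait_sock {
	struct sock_common __tw_common;
	/* nothing else: the allocation ends where a full sock's body would start */
};

/* Same shape as the kernel's sk_fullsock(): false for TIME_WAIT and NEW_SYN_RECV. */
static bool sk_fullsock(const struct sock_common *skc)
{
	return (1u << skc->skc_state) & ~((1u << TCP_TIME_WAIT) | (1u << TCP_NEW_SYN_RECV));
}

/*
 * Guarded accessor (hypothetical helper). Any object starting with a
 * sock_common may be passed in; sk_reuseport_cb is dereferenced only once
 * the state proves this is a full socket, so a twsk never causes an
 * out-of-bounds read of a member it does not have.
 */
static bool reuseport_group_attached(const struct sock_common *skc)
{
	if (!skc->skc_reuseport)
		return false;
	if (!sk_fullsock(skc))
		return false;	/* twsk/reqsk: flag set, but no cb member to consult */
	const struct sock *sk = (const struct sock *)skc;	/* __sk_common is first */
	return sk->sk_reuseport_cb != NULL;
}

static void *xcalloc(size_t n)
{
	void *p = calloc(1, n);
	if (!p)
		abort();
	return p;
}

/* Constructed fixtures for the three states in the table. */
static struct sock *make_listener(void *group)
{
	struct sock *sk = xcalloc(sizeof(*sk));
	sk->__sk_common.skc_state = TCP_LISTEN;
	sk->__sk_common.skc_reuseport = 1;
	sk->sk_reuseport_cb = group;
	return sk;
}

/* Models sk_clone_lock(): the child keeps sk_reuseport but drops the group pointer. */
static struct sock *clone_to_established(const struct sock *listener)
{
	struct sock *child = xcalloc(sizeof(*child));
	*child = *listener;
	child->__sk_common.skc_state = TCP_ESTABLISHED;
	child->sk_reuseport_cb = NULL;
	return child;
}

/* A twsk copies only the common prefix into a smaller object. */
static struct inet_timewait_sock *make_timewait(const struct sock *sk)
{
	struct inet_timewait_sock *tw = xcalloc(sizeof(*tw));
	tw->__tw_common = sk->__sk_common;
	tw->__tw_common.skc_state = TCP_TIME_WAIT;
	return tw;
}

/* Bit 0 = LISTEN, bit 1 = ESTABLISHED, bit 2 = TIME_WAIT reports an attached group. */
static unsigned int scenario_mask(void)
{
	int group;	/* stands in for the reuseport group object */
	struct sock *lsk = make_listener(&group);
	struct sock *esk = clone_to_established(lsk);
	struct inet_timewait_sock *tw = make_timewait(esk);
	unsigned int mask = 0;

	mask |= (unsigned int)reuseport_group_attached(&lsk->__sk_common) << 0;
	mask |= (unsigned int)reuseport_group_attached(&esk->__sk_common) << 1;
	mask |= (unsigned int)reuseport_group_attached(&tw->__tw_common) << 2;
	free(lsk);
	free(esk);
	free(tw);
	return mask;
}

int main(void)
{
	unsigned int m = scenario_mask();
	printf("LISTEN      cb attached: %u\n", m & 1u);
	printf("ESTABLISHED cb attached: %u\n", (m >> 1) & 1u);
	printf("TIME_WAIT   cb attached: %u (not dereferenced)\n", (m >> 2) & 1u);
	return 0;
}
```

Only the listener reports an attached group; the established child has the flag but a NULL pointer after the clone, and the timewait sock is answered from its state alone without touching memory beyond its own allocation.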