From: Willem de Bruijn <willemdebruijn.kernel@gmail.com>
To: Yochai Eisenrich <echelonh@gmail.com>, willemdebruijn.kernel@gmail.com
Cc: Yochai Eisenrich <echelonh@gmail.com>,
Andrew Lunn <andrew+netdev@lunn.ch>,
"David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>,
netdev@vger.kernel.org
Subject: Re: [PATCH] net: fix fanout UAF in packet_release() via NETDEV_UP race
Date: Thu, 19 Mar 2026 16:18:31 -0400
Message-ID: <willemdebruijn.kernel.2ccb41b9933ea@gmail.com>
In-Reply-To: <20260319200610.25101-1-echelonh@gmail.com>
Yochai Eisenrich wrote:
> `packet_release()` has a race window where `NETDEV_UP` can re-register a
> socket into a fanout group's `arr[]` array. The re-registration is not
> cleaned up by `fanout_release()`, leaving a dangling pointer in the fanout
> array.
> `packet_release()` does NOT zero `po->num` in its `bind_lock` section.
> After releasing `bind_lock`, `po->num` is still non-zero and `po->ifindex`
> still matches the bound device. A concurrent `packet_notifier(NETDEV_UP)`
> that already found the socket in `sklist` can re-register the hook.
> For fanout sockets, this re-registration calls `__fanout_link(sk, po)`
> which adds the socket back into `f->arr[]` and increments `f->num_members`,
> but does NOT increment `f->sk_ref`.
>
> The fix sets `po->num` to zero in `packet_release` while `bind_lock` is
> held to prevent NETDEV_UP from linking, preventing the race window.
>
> This bug was found following an additional audit with Claude Code based on
> CVE-2025-38617.
> Link: https://blog.calif.io/p/a-race-within-a-race-exploiting-cve
>
> Fixes: ce06b03e60fc ("packet: Add helpers to register/unregister ->prot_hook")
>
> Signed-off-by: Yochai Eisenrich <echelonh@gmail.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
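To make the ordering argument in the quoted description concrete, here is an added, single-threaded userspace model of the interleaving (release's `bind_lock` section, then a `NETDEV_UP` notification, then the fanout reference drop). It is illustration only, not kernel code and not part of this thread: the `psock`/`fanout` structs, the `bind_lock` flag and the function names are assumptions that loosely mirror `packet_sock`, `packet_fanout`, `__fanout_link`, `__fanout_unlink`, `packet_notifier` and `fanout_release`. The `fixed` flag switches on the patch's behaviour of zeroing `po->num` under the lock.

```c
#include <stdbool.h>
#include <stddef.h>

/* Added example: userspace model of the packet_release() vs. NETDEV_UP
 * ordering. Names are assumptions and only loosely mirror the kernel's. */

#define MAX_MEMBERS 4

struct psock;

/* Stand-in for struct packet_fanout: member array plus socket refcount. */
struct fanout {
    struct psock *arr[MAX_MEMBERS];
    int num_members;
    int sk_ref;
};

/* Stand-in for struct packet_sock. */
struct psock {
    bool bind_lock_held;  /* models po->bind_lock in a single thread */
    int num;              /* bound protocol; non-zero means "hook wanted" */
    int ifindex;          /* bound device */
    bool hooked;          /* prot_hook currently registered */
    struct fanout *fanout;
};

static void bind_lock(struct psock *po)   { po->bind_lock_held = true; }
static void bind_unlock(struct psock *po) { po->bind_lock_held = false; }

/* Model of __fanout_link(): adds to arr[] and bumps num_members only;
 * sk_ref is deliberately left alone, as the patch description notes. */
static void fanout_link(struct psock *po)
{
    struct fanout *f = po->fanout;
    if (f->num_members < MAX_MEMBERS)
        f->arr[f->num_members++] = po;
}

/* Model of __fanout_unlink(): remove po from arr[]. */
static void fanout_unlink(struct psock *po)
{
    struct fanout *f = po->fanout;
    for (int i = 0; i < f->num_members; i++) {
        if (f->arr[i] == po) {
            f->arr[i] = f->arr[--f->num_members];
            f->arr[f->num_members] = NULL;
            return;
        }
    }
}

/* Model of packet_notifier(NETDEV_UP): re-register the hook if the socket
 * still looks bound (po->num != 0) to the device that just came up. */
static void notifier_netdev_up(struct psock *po, int ifindex)
{
    bind_lock(po);
    if (po->num && po->ifindex == ifindex && !po->hooked) {
        po->hooked = true;
        if (po->fanout)
            fanout_link(po);
    }
    bind_unlock(po);
}

/* Model of the bind_lock section of packet_release(). With `fixed`,
 * po->num is zeroed under the lock before the hook is unregistered. */
static void release_bind_section(struct psock *po, bool fixed)
{
    bind_lock(po);
    if (fixed)
        po->num = 0;      /* the patch: NETDEV_UP can no longer re-link */
    if (po->hooked) {
        po->hooked = false;
        if (po->fanout)
            fanout_unlink(po);
    }
    bind_unlock(po);
}

/* Model of fanout_release(): drop this socket's reference. Returns how
 * many arr[] entries still point at po once the last reference is gone,
 * i.e. the dangling pointers the patch is about. */
static int fanout_release(struct psock *po)
{
    struct fanout *f = po->fanout;
    int dangling = 0;
    if (--f->sk_ref == 0)
        for (int i = 0; i < f->num_members; i++)
            if (f->arr[i] == po)
                dangling++;
    return dangling;
}

/* Drive the interleaving from the patch description on constructed state:
 * one bound, hooked socket that is the group's sole member. */
int dangling_after_release(bool fixed)
{
    struct fanout f = { .num_members = 0, .sk_ref = 1 };
    struct psock po = { .num = 0x0003, .ifindex = 2, .hooked = true, .fanout = &f };

    f.arr[f.num_members++] = &po;

    release_bind_section(&po, fixed);
    notifier_netdev_up(&po, 2);     /* lands between unlock and release */
    return fanout_release(&po);
}
```

With `fixed == false` the notifier re-links the socket after the unlink and the group's last reference is then dropped with one stale `arr[]` entry; with `fixed == true` the zeroed `po->num` stops the re-link and no stale entry remains.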
Thread overview:
2026-03-19 20:06 [PATCH] net: fix fanout UAF in packet_release() via NETDEV_UP race - Yochai Eisenrich
2026-03-19 20:18 ` Willem de Bruijn [this message]
2026-03-24 0:30 ` patchwork-bot+netdevbpf