From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yw1-f177.google.com (mail-yw1-f177.google.com [209.85.128.177]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id C539E3B19C2 for ; Mon, 6 Jul 2026 17:35:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=209.85.128.177 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783359327; cv=none; b=iQLVlU+xo2F9n8N8umjLRzZ4SdACiJb332mzR94uxrxY12RMRmMKVrqenWxGNT/Yf2Tij+UbO/X4fW2SdBtMLSgCTexTWt1/HEfSo3L1Ks24g0OdmxiwowoF/ZKOC7QjdDDBI2xOleBGTJuHkjzksA9WvGBoa0/A0UIdR8bW3J0= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1783359327; c=relaxed/simple; bh=XyJ6/jCk0lvpWQQi1qBmAqNhDAOjnyk1oXshJsoZz0Q=; h=Date:From:To:Cc:Message-ID:In-Reply-To:References:Subject: Mime-Version:Content-Type; b=a0BviSSvoQIh51fX4T88NS3RJ6BxQLGAlud8btfPKWO6+JdOXGoXDRvWPyNWczfzeUF5Yk/fRdet2q8tFhmznq1Rd5UekO5XA2e40NE6uZrtcLXY3UGosI7+n45l4p/ZFLt22arSMnhsZZBjTkWBBfC/R0+m/hNwA7Eqj5WwbII= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=fEQ2pZpX; arc=none smtp.client-ip=209.85.128.177 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="fEQ2pZpX" Received: by mail-yw1-f177.google.com with SMTP id 00721157ae682-8111c0c7439so24190307b3.2 for ; Mon, 06 Jul 2026 10:35:25 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1783359325; x=1783964125; darn=vger.kernel.org; h=content-transfer-encoding:content-type:mime-version:subject :references:in-reply-to:message-id:cc:to:from:date:from:to:cc :subject:date:message-id:reply-to:content-type; bh=9PYIrjiLcLJRMsJz3MN9nJHHGWlJH+U5Otv0B9TwQZQ=; b=fEQ2pZpXIdC93SrHgHXDogxfxhKgqG/cmqzIgJhpUq1TjxF9C/SabN0AvV76Yxsj65 MySJtqHULhCUozAUCxQf3eSywksLKLjSOBvivOKNuFslS0eMyBKaDZ2ejRtNce1zW9fU +vpNvIcazHfHaHj/OMohzbNhiWZV4jIkQ3KRNd2nUVXSNp5LqTkKma4NtFIa2bY7T7ui 1i8hWeDRDq8RH8wicPlEKpftFisZe07CPwP21MU7B7oLkIreV9cheH/+yfpcqLL7i+NI b0gBNmGkZ+0BNIP3PQuA+uWM95CdsjuuCvDIAlwLpZCzx7v0Ocx4w5qL/PqvFkw+JPmV lj8Q== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1783359325; x=1783964125; h=content-transfer-encoding:content-type:mime-version:subject :references:in-reply-to:message-id:cc:to:from:date:x-gm-gg :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to :content-type; bh=9PYIrjiLcLJRMsJz3MN9nJHHGWlJH+U5Otv0B9TwQZQ=; b=Ap6dKfHqNijs8ZqIeQQI5EWFfvLrxoEmRYPrXKEbG8T5unvLanHDalsbqYfV8Ut1tS 0a9Om0xJVmQZ74wirK5909LpaDB7nhNJOxvcsKbdhzL7r6+xgur7eMSBulZLWdaZ+b15 gyyWJI0nv9aWXSmOcc5OVJh7jcVvcNHJFY4lV4lMlq6QZ1qwfjaOce8z+xxmMBDTjTEp sioIvPSCjELnad8Bq0nYE5kEzikuSueAqYVrErVIc9L98kd7gQGPD149O2CCKuaMggBc JSTqqZEOrAw79RSW328EUfFFxSjgClrVv9jaCSaGypWyZIn/623UaLBGeRg/M+t0B1ZB 4OkQ== X-Forwarded-Encrypted: i=1; AHgh+RpbD2RBhQjkrJ/bZq1wB752fZnKYOQHd9BctH9HuewVRGITzV+7FTZVdXKVNbkQvYP2LGChr5P8F0kqUNQ=@vger.kernel.org X-Gm-Message-State: AOJu0YwPPTQbMXAPI7mtT7esCCToHv2l0BKnd8/QI3e0ZVXk8jIpMpKG 7DGxc4LJ/CVIZzj6Ok94uvQsQM/gqwawBgXzQEkU5jMXy/XdhgzPvef1 X-Gm-Gg: AfdE7ckR1lMe4ml1pm/cyWBE15Vpk41DtvGvYcpqS6P3txvG3ZUNRm48oo865raRVKv PBbO55byU1w1tXvvFqf4aHvSoNsXV9FTdDk7IqSDljCSEZ7R04Oy7HKXSP3oe2d5S+x09qF6i/S 4DqCBQgaDUJmvWH6DUtgTTbwrGZZ5iPDDq/5ijsxgG9ws4+Jlb2qVDFI4NNoAjDPyxubExqvkFh bsSqWksBL381fZ6rmQBpd9DoYbRv3SZ+k5P/b03SZykYNKTl28M/bbifUBbRzqThgQo6zU5hKsF qwR5YJoPMaxDf0arPPz/Mwwc7nsSmp8z+UiWAROUHK2+zC18DGAAxZtJfUIYVHl2LZV515ozkdH 1t4om7nSZgbaEKwx8aZOfV/cwQDppLDOwpAdeW9Gi8sL+eHo1K17DBnN8uAchfBaxhKbZxA3PcU nDKT2zY7ilDf5WYyXm3/kdGVrQPHAe5fQIc3z04EHks8Gm1kqUwz7FKZOT7p+aMZ3qtQ== X-Received: by 2002:a05:690c:62c8:b0:7dd:3f36:59f1 with SMTP id 00721157ae682-81be319d964mr10253497b3.45.1783359324738; Mon, 06 Jul 2026 10:35:24 -0700 (PDT) Received: from gmail.com (172.235.85.34.bc.googleusercontent.com. [34.85.235.172]) by smtp.gmail.com with ESMTPSA id 00721157ae682-8144783cc7fsm60947197b3.5.2026.07.06.10.35.24 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Mon, 06 Jul 2026 10:35:24 -0700 (PDT) Date: Mon, 06 Jul 2026 13:35:23 -0400 From: Willem de Bruijn To: David Lee , Willem de Bruijn Cc: David Lee , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman , Dominik 'Disconnect3d' Czarnota , netdev@vger.kernel.org, linux-kernel@vger.kernel.org Message-ID: In-Reply-To: <20260706111226.309506-1-david.lee@trailofbits.com> References: <20260706111226.309506-1-david.lee@trailofbits.com> Subject: Re: [PATCH net v2] packet: avoid re-registering fanout hook after device unregister Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit David Lee wrote: > packet_set_ring() temporarily detaches a socket from packet delivery while > reconfiguring its ring. It records the previous running state, clears > po->num, unregisters the protocol hook when needed, drops po->bind_lock, > and later restores po->num and re-registers the hook from the saved > was_running value. > > That unlocked window can race with NETDEV_UNREGISTER. The notifier can > observe the socket as not running, skip __unregister_prot_hook(), and > invalidate the per-socket binding by setting po->ifindex to -1 and clearing > po->prot_hook.dev. A one-member fanout group can still retain its shared > fanout hook device pointer. When packet_set_ring() resumes, re-registering > solely from the stale was_running state can re-add the fanout hook after > the device has been unregistered. > > Treat po->ifindex == -1 as an invalidated binding after reacquiring > po->bind_lock. Restore po->num as before, but do not re-register the hook > if device unregister already detached the socket. > > Fixes: dc99f600698d ("packet: Add fanout support.") > Reported-by: David Lee > Signed-off-by: David Lee My suggestion of a Reported-by was becaused the Signed-off-by was from a different author. Both tags from the same author is generally discouraged. Perhaps also add a Link to the discussion in the first patch, which adds some more rationale. The crux to me is that ifindex -1 is not just the default for detached sockets, it is a special invalidated condition. Link: https://lore.kernel.org/netdev/20260701113947.23180-1-david.lee@trailofbits.com/ With those asides Reviewed-by: Willem de Bruijn > Assisted-by: Codex:gpt-5 > --- > Changes in v2: > - Add Fixes and Reported-by tags. > - Fix the incorrect Signed-off-by tag from v1. > > Trail of Bits has a PoC that achieves local privilege escalation using this > bug on a custom kernel config with CONFIG_LIST_HARDENED disabled, which can > be shared further if needed. > > net/packet/af_packet.c | 6 +++++- > 1 file changed, 5 insertions(+), 1 deletion(-) > > diff --git a/net/packet/af_packet.c b/net/packet/af_packet.c > --- a/net/packet/af_packet.c > +++ b/net/packet/af_packet.c > @@ -4561,7 +4561,11 @@ static int packet_set_ring(struct sock *sk, union tpacket_req_u *req_u, > > spin_lock(&po->bind_lock); > WRITE_ONCE(po->num, num); > - if (was_running) > + /* > + * NETDEV_UNREGISTER may have invalidated the binding while bind_lock > + * was dropped above. Do not re-add a fanout hook to a dead device. > + */ > + if (was_running && READ_ONCE(po->ifindex) != -1) > register_prot_hook(sk); > > spin_unlock(&po->bind_lock); > -- > 2.43.0