From: Kuniyuki Iwashima <kuniyu@amazon.com>
To: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
Willem de Bruijn <willemb@google.com>
Cc: Simon Horman <horms@kernel.org>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Kuniyuki Iwashima <kuni1840@gmail.com>,
Chuck Lever <chuck.lever@oracle.com>,
Jeff Layton <jlayton@kernel.org>,
Matthieu Baerts <matttbe@kernel.org>,
"Keith Busch" <kbusch@kernel.org>, Jens Axboe <axboe@kernel.dk>,
Christoph Hellwig <hch@lst.de>,
Wenjia Zhang <wenjia@linux.ibm.com>,
Jan Karcher <jaka@linux.ibm.com>,
Steve French <sfrench@samba.org>, <netdev@vger.kernel.org>,
<mptcp@lists.linux.dev>, <linux-nfs@vger.kernel.org>,
<linux-rdma@vger.kernel.org>, <linux-nvme@lists.infradead.org>
Subject: [PATCH v2 net-next 0/7] socket: Make sock_create_kern() robust against misuse.
Date: Fri, 23 May 2025 11:21:06 -0700
Message-ID: <20250523182128.59346-1-kuniyu@amazon.com>

There are a bunch of weird usages of sock_create() and friends due
to poor documentation.

  1) some subsystems use __sock_create(), but all of them can be
     replaced with sock_create_kern()

  2) some subsystems use sock_create(), but most of the sockets are
     not tied to userspace processes nor exposed via file descriptors
     but are (most likely unintentionally) exposed to some BPF hooks
     (infiniband, ISDN, iscsi, Xen PV call, ocfs2, smbd)

  3) some subsystems use sock_create_kern() and convert the sockets
     to hold netns refcnt (cifs, mptcp, nvme, rds, smc, and sunrpc)

The primary goal is to sort out such confusion and provide enough
documentation for future developers to choose an appropriate API.

Before commit 26abe14379f8 ("net: Modify sk_alloc to not reference
count the netns of kernel sockets."), sock_create_kern() held the
netns refcnt, and each caller dropped it if unnecessary:

  sock_create_kern(&init_net, ..., &sock);
  sk_change_net(sock->sk, net);

But that implicit API change ended up causing a lot of use-after-free
and finally introduced another helper:

  sock_create_kern(net, ..., &sock);
  sk_net_refcnt_upgrade(sock->sk);

Patch 2 renames sock_create_kern() to __sock_create_kern() to mark it
as a special-purpose API, and Patch 3 restores the original
sock_create_kern() that holds the netns refcnt.

Now, we can simply use sock_create_kern() or __sock_create_kern()
depending on the use case (except for rds).

Changes

  v2:
    patch 3: s/ret/err/ in sock_create_kern() for clarity
    patch 4: newly added
    patch 5: drop unnecessary change for sunrpc and updated changelog

  v1: https://lore.kernel.org/netdev/20250517035120.55560-1-kuniyu@amazon.com/

Kuniyuki Iwashima (7):
  socket: Un-export __sock_create().
  socket: Rename sock_create_kern() to __sock_create_kern().
  socket: Restore sock_create_kern().
  smb: client: Add missing net_passive_dec().
  socket: Remove kernel socket conversion except for net/rds/.
  socket: Replace most sock_create() calls with sock_create_kern().
  socket: Clean up kdoc for sock_create() and sock_create_lite().

drivers/block/drbd/drbd_receiver.c | 12 +-
drivers/infiniband/hw/erdma/erdma_cm.c | 6 +-
drivers/infiniband/sw/rxe/rxe_qp.c | 2 +-
drivers/infiniband/sw/siw/siw_cm.c | 6 +-
drivers/isdn/mISDN/l1oip_core.c | 3 +-
drivers/nvme/host/tcp.c | 5 +-
drivers/nvme/target/tcp.c | 5 +-
drivers/soc/qcom/qmi_interface.c | 4 +-
drivers/target/iscsi/iscsi_target_login.c | 7 +-
drivers/xen/pvcalls-back.c | 6 +-
fs/afs/rxrpc.c | 2 +-
fs/dlm/lowcomms.c | 8 +-
fs/ocfs2/cluster/tcp.c | 8 +-
fs/smb/client/connect.c | 11 +-
fs/smb/server/transport_tcp.c | 7 +-
include/linux/net.h | 7 +-
net/9p/trans_fd.c | 9 +-
net/bluetooth/rfcomm/core.c | 3 +-
net/ceph/messenger.c | 6 +-
net/handshake/handshake-test.c | 32 ++--
net/ipv4/af_inet.c | 2 +-
net/ipv4/udp_tunnel_core.c | 2 +-
net/ipv6/ip6_udp_tunnel.c | 2 +-
net/l2tp/l2tp_core.c | 8 +-
net/mctp/test/route-test.c | 6 +-
net/mptcp/pm_kernel.c | 4 +-
net/mptcp/subflow.c | 7 +-
net/netfilter/ipvs/ip_vs_sync.c | 8 +-
net/qrtr/ns.c | 6 +-
net/rds/tcp_connect.c | 8 +-
net/rds/tcp_listen.c | 4 +-
net/rxrpc/rxperf.c | 4 +-
net/sctp/socket.c | 2 +-
net/smc/af_smc.c | 18 +--
net/smc/smc_inet.c | 2 +-
net/socket.c | 138 ++++++++++++------
net/sunrpc/clnt.c | 4 +-
net/sunrpc/svcsock.c | 6 +-
net/sunrpc/xprtsock.c | 12 +-
net/tipc/topsrv.c | 4 +-
net/wireless/nl80211.c | 4 +-
.../selftests/bpf/test_kmods/bpf_testmod.c | 4 +-
42 files changed, 219 insertions(+), 185 deletions(-)
--
2.49.0
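
The refcount distinction the cover letter draws between sock_create_kern() and __sock_create_kern(), as a userspace C model. This is an added example, not code from the message or the patch series; every struct and function name below is a hypothetical stand-in, and the namespace is only flagged as freed so the dangling case can be observed safely.

```c
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>

/* Userspace model only: hypothetical stand-ins, not kernel definitions. */
struct netns { int refcnt; bool freed; };
struct ksock { struct netns *net; bool holds_net; };

/* Drop one reference; the last put tears the namespace down. */
static void netns_put(struct netns *net)
{
	if (--net->refcnt == 0)
		net->freed = true;
}

/* hold_net=true models the restored sock_create_kern() (socket pins the
 * netns); hold_net=false models __sock_create_kern() (no reference). */
static struct ksock *model_sock_create(struct netns *net, bool hold_net)
{
	struct ksock *sk = calloc(1, sizeof(*sk));

	if (!sk)
		abort();
	sk->net = net;
	sk->holds_net = hold_net;
	if (hold_net)
		net->refcnt++;
	return sk;
}

static void model_sock_release(struct ksock *sk)
{
	if (sk->holds_net)
		netns_put(sk->net);
	free(sk);
}

/* The last user reference goes away while the kernel socket is still
 * open.  Returns whether sk->net still points at a live namespace. */
static bool survives_netns_exit(bool hold_net)
{
	struct netns net = { .refcnt = 1, .freed = false };
	struct ksock *sk = model_sock_create(&net, hold_net);
	bool alive;

	netns_put(&net);		/* user side drops its reference */
	alive = !sk->net->freed;	/* false: a real kernel would hit UAF */
	model_sock_release(sk);
	return alive;
}

int main(void)
{
	printf("holding=%d non-holding=%d\n",
	       survives_netns_exit(true), survives_netns_exit(false));
	return 0;
}
```

In the model, the non-holding socket is only safe if its owner releases it before the namespace's last reference is dropped.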
Thread overview: 32+ messages
2025-05-23 18:21 Kuniyuki Iwashima [this message]
2025-05-23 18:21 ` [PATCH v2 net-next 1/7] socket: Un-export __sock_create() Kuniyuki Iwashima
2025-05-26 5:29 ` Christoph Hellwig
2025-05-26 10:06 ` David Laight
2025-05-30 2:42 ` Kuniyuki Iwashima
2025-05-23 18:21 ` [PATCH v2 net-next 2/7] socket: Rename sock_create_kern() to __sock_create_kern() Kuniyuki Iwashima
2025-05-26 5:30 ` Christoph Hellwig
2025-05-29 21:29 ` David Laight
2025-05-30 3:05 ` Kuniyuki Iwashima
2025-05-30 6:48 ` David Laight
2025-05-30 2:45 ` Kuniyuki Iwashima
2025-05-23 18:21 ` [PATCH v2 net-next 3/7] socket: Restore sock_create_kern() Kuniyuki Iwashima
2025-05-26 5:32 ` Christoph Hellwig
2025-05-30 2:53 ` Kuniyuki Iwashima
2025-06-02 5:08 ` Christoph Hellwig
2025-06-03 21:30 ` David Laight
2025-06-04 18:36 ` Kuniyuki Iwashima
2025-05-23 18:21 ` [PATCH v2 net-next 4/7] smb: client: Add missing net_passive_dec() Kuniyuki Iwashima
2025-05-23 18:21 ` [PATCH v2 net-next 5/7] socket: Remove kernel socket conversion except for net/rds/ Kuniyuki Iwashima
2025-05-26 5:33 ` Christoph Hellwig
2025-05-30 2:59 ` Kuniyuki Iwashima
2025-06-02 5:08 ` Christoph Hellwig
2025-05-23 18:21 ` [PATCH v2 net-next 6/7] socket: Replace most sock_create() calls with sock_create_kern() Kuniyuki Iwashima
2025-05-26 5:33 ` Christoph Hellwig
2025-05-26 5:35 ` Christoph Hellwig
2025-05-30 3:03 ` Kuniyuki Iwashima
2025-06-02 5:09 ` Christoph Hellwig
2025-06-02 21:52 ` Kuniyuki Iwashima
2025-06-03 4:50 ` Christoph Hellwig
2025-06-04 18:20 ` Kuniyuki Iwashima
2025-06-05 4:28 ` Christoph Hellwig
2025-05-23 18:21 ` [PATCH v2 net-next 7/7] socket: Clean up kdoc for sock_create() and sock_create_lite() Kuniyuki Iwashima