From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from mail-yx1-f49.google.com (mail-yx1-f49.google.com [74.125.224.49]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id 2E558231842 for ; Sat, 2 May 2026 13:33:59 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=74.125.224.49 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777728841; cv=none; b=hr9jq1ncR7OJU6n4GEZ1w+QfYE9cHEVKtE/4gNBUGpVfwjl748bmSMii4Vve/DFuU5gX/jai7QxSpg5Mjnx/ujdv25WdkDjaFo0bFO2E61kRCnwntrJC9gg0+2132v4OEemxrLZi7bG9eMlI8mV7e1v6kCjOs8wUOIfdVmKui0w= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1777728841; c=relaxed/simple; bh=AZ67Up3J+Lw8gQpCeX9dILqmHFCACAvb+Eh5CTxVt4U=; h=Date:From:To:Cc:Message-ID:In-Reply-To:References:Subject: Mime-Version:Content-Type; b=IlVJw4+ivFa4/frkvfn9PpKxQDH+Vdp0bky+aaUJgUIG0MhxZaVIhV4o49F65UN2TL6hl0sz4Em5udgWViRwfXkjJzuABJ71+G+K8VPNyLcfjhxaO3alZPmQhJP1G/BTcs3u+0rtP0XZWM0UNMwEEsG+gO4yQqAa2RLRIrd/fA0= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com; spf=pass smtp.mailfrom=gmail.com; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b=KTgakDz0; arc=none smtp.client-ip=74.125.224.49 Authentication-Results: smtp.subspace.kernel.org; dmarc=pass (p=none dis=none) header.from=gmail.com Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=gmail.com Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="KTgakDz0" Received: by mail-yx1-f49.google.com with SMTP id 956f58d0204a3-64e87a81639so2379181d50.0 for ; Sat, 02 May 2026 06:33:58 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20251104; t=1777728838; x=1778333638; darn=vger.kernel.org; h=content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date:from:to:cc:subject:date :message-id:reply-to; bh=xJLk920qj6m+fkV0PzZ6Aaob+A5EwJlY0//ShcXomiU=; b=KTgakDz0OfagPZxy/g2lRkaKmGGtBshdkACcVEKWsmNdgTbWkZgG+wNZzj+bEGniuV 16SsYKK/+6WueAXHPbN4ZRTE/xCk4XAespVRcrDBVwfJBOwtTFstRrAPCQBaP3tBj6ni KjacbSuM/kgNFQ5qrhE+cKNOkcbtiriL+PWyIq6Lgsx5VjuNYjCJmEhfTN1mu+iAmiKf a8tS7FITtmXoxl9/eJpuXP5rDSmq2sIXotHcxjRQ+H4iPQS4ckKSaibCnf9oMWYSSCU8 ERCifZSibSBaj6IqIdEoSAv+7fbtGaErA0/Yq25cLxRlozwuqly31wKsqY5sgwVBxbvu KBzg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20251104; t=1777728838; x=1778333638; h=content-transfer-encoding:mime-version:subject:references :in-reply-to:message-id:cc:to:from:date:x-gm-gg:x-gm-message-state :from:to:cc:subject:date:message-id:reply-to; bh=xJLk920qj6m+fkV0PzZ6Aaob+A5EwJlY0//ShcXomiU=; b=GiLtSKikrJ5ha499cFxxjJAZdFu47vmNBsk5ep7qb0vgqA4c8X0rUa/Tj28/xkk7MV q0of0Ssv6q0RHzgOGi6GO+Xo5kGtXKxHoDrAui2VPfHI8HRs90NKOd6Miwl6Uxgc2C9Z FpeA4IukFB90CgUuITEBPBlUGrBl6X27tuNMjiqYLICpcSHz/O7Kity7j1U+oljTCNEY uWFEd7FMfnUEDHEsdvd1zXhVNQmZvzR4N99fhe2yX1hWqj8n6YDCk8PXSnw04DT073qz LaExpBshRhv9QsfI+2gfUSBmYGsywNZdAhdHRzyTYFmj7t9zhG5R5cXcTRrjtzY99DAx /KqA== X-Forwarded-Encrypted: i=1; AFNElJ+rDKBdz1EYZri+7qXQb8iA99r+LXO1ycwl6Hx5G3ZaXe18oMdH0tFDMlrKsZ93ON+gwCYv8PfOL0VjzUk=@vger.kernel.org X-Gm-Message-State: AOJu0YwXyFlrJG6zacf3eajk7NMgbs7SCfEVmjOkHpet11yx/nOMfpFt ymQ1LHOGn5mF+pi0mXtZOMovvZlHSHo0gSFrd8VQ3G9zoM4VIxX4YXMqLlgjWQ== X-Gm-Gg: AeBDievkmk0zGuWFZbvV3cjB40FolM52omRgjPeZ4V+2Bx210TQH7PiIb1Kpb9xx9Mt bUUFZsy+0EmL0fiv6oKee5bjZY//A4FGrx1m5zZtyGoV1nHc3g8e5wXuCsLECe03QIa9gKv2eT7 ZhjwUvAQ4Dqi9GVYk0pm5yxt4CiSVYbfPTax+TZITJX2c6vkok8kdUhxfqowkd7rhJXiD/4aXIN AiPBhf/0ZqS3yDWZEAXwnxfhsPJ6iKS9y6sgYcHDA3oY0KwC5fQ7R4p2OMdgCGR4hXc+T/qyOx/ tYLBshNdmN14AWj+2Z8Cw9EVlomAIBgrQCyajzbEMVHX/aH+ekV20DgPNn+Jc+RUDL+BVdOpZfw YwQiHf95lJLdRJxZonjhzRfgnQqEnDLJskzR0cb8nmehNq2mqRl0K2uYtD5dcDj+ALr3Nt/Ihaj 2yBb2OrtwWGNAGzBfgz1yMxcaclVWva0zbgkarORyyFLvu3GRbZQET0Sq/OHjVZgFkTifFFsYoC JYlkaGi+nNdtJA= X-Received: by 2002:a05:690e:4396:b0:651:d634:6d32 with SMTP id 956f58d0204a3-65c3d9fb469mr1993284d50.20.1777728838205; Sat, 02 May 2026 06:33:58 -0700 (PDT) Received: from gmail.com (172.235.85.34.bc.googleusercontent.com. [34.85.235.172]) by smtp.gmail.com with ESMTPSA id 956f58d0204a3-65c2e1ce958sm2626253d50.8.2026.05.02.06.33.55 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Sat, 02 May 2026 06:33:55 -0700 (PDT) Date: Sat, 02 May 2026 09:33:55 -0400 From: Willem de Bruijn To: Maoyi Xie , netdev@vger.kernel.org Cc: willemdebruijn.kernel@gmail.com, willemb@google.com, edumazet@google.com, pabeni@redhat.com, kuba@kernel.org, davem@davemloft.net, dsahern@kernel.org, kuznet@ms2.inr.ac.ru, linux-kernel@vger.kernel.org, stable@vger.kernel.org Message-ID: In-Reply-To: <20260502050037.3800122-1-maoyi.xie@ntu.edu.sg> References: <20260502050037.3800122-1-maoyi.xie@ntu.edu.sg> Subject: Re: [PATCH net v5] ipv6: flowlabel: enforce per-netns limit for unprivileged callers Precedence: bulk X-Mailing-List: linux-kernel@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Maoyi Xie wrote: > fl_size, fl_ht and ip6_fl_lock in net/ipv6/ip6_flowlabel.c are file > scope and shared across netns. mem_check() reads fl_size to decide > whether to deny non-CAP_NET_ADMIN callers; capable() runs against > init_user_ns, so an unprivileged user in any non-init userns can > push fl_size past FL_MAX_SIZE - FL_MAX_SIZE/4 and starve every > other unprivileged userns on the host. > > Add struct netns_ipv6::flowlabel_count, bumped and decremented next > to fl_size in fl_intern, ip6_fl_gc and ip6_fl_purge. The new field > is placed in the existing 4-byte hole after ipmr_seq, so struct > netns_ipv6 stays the same size on 64-bit builds. > > Bump FL_MAX_SIZE from 4096 to 8192. It has been 4096 since the file > was added; machines and connection counts have grown. > > mem_check() folds an extra per-netns ceiling into the existing > non-CAP_NET_ADMIN conditional. The ceiling is half of the total > budget that unprivileged callers have ever been able to use, i.e. > (FL_MAX_SIZE - FL_MAX_SIZE/4) / 2 = 3072 entries. With FL_MAX_SIZE > doubled, this preserves the original per-user reach (~3K, what an > unprivileged caller could already obtain before this change) while > forcing an attacker to spread allocations across at least two > netns to exhaust the global non-CAP_NET_ADMIN budget. > > CAP_NET_ADMIN against init_user_ns still bypasses both caps. > > Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2") > Suggested-by: Willem de Bruijn > Cc: stable@vger.kernel.org # v5.15+ > Signed-off-by: Maoyi Xie No longer applies cleanly to net. Conflict on include/net/netns/ipv6.h. Please update your tree. > --- > v5 (this submission, addressing v4 review by Willem): > - Replaced the per-netns ceiling FL_MAX_SIZE/8 with the > computed unpriv_user_limit = (FL_MAX_SIZE - FL_MAX_SIZE/4)/2, > which evaluates to 3072. v4's FL_MAX_SIZE/8 = 1024 would have > reduced the per-user budget below the ~3K an unprivileged > caller could already obtain before any of this work, defeating > the reason FL_MAX_SIZE was doubled in the first place. The new > ceiling preserves the original per-user reach while still > requiring an attacker to spread across at least two netns to > drain the global non-CAP_NET_ADMIN budget. > - Reworded the corresponding paragraph in the commit body. > v4: addressed Willem's v3 review on netdev. Dropped the > flowlabel_has_excl cacheline argument in favour of "fills the > existing 4-byte hole after ipmr_seq", and reordered > atomic_dec(&...flowlabel_count) to sit immediately after > atomic_dec(&fl_size) in ip6_fl_gc and ip6_fl_purge. > v3: addressed Willem's review on the private security@ thread. > Merged FL_MAX_SIZE doubling, dropped test data, moved > flowlabel_count near ipmr_seq, inlined fl->fl_net in ip6_fl_gc. > v2: per-netns counter + cap, sent to security@ as a 2-patch series. > v1: fix-shape sketch in original disclosure. > > include/net/netns/ipv6.h | 1 + > net/ipv6/ip6_flowlabel.c | 16 ++++++++++++---- > 2 files changed, 13 insertions(+), 4 deletions(-) > > diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h > index 34bdb1308..329482373 100644 > --- a/include/net/netns/ipv6.h > +++ b/include/net/netns/ipv6.h > @@ -119,6 +119,7 @@ struct netns_ipv6 { > struct fib_notifier_ops *notifier_ops; > struct fib_notifier_ops *ip6mr_notifier_ops; > unsigned int ipmr_seq; /* protected by rtnl_mutex */ > + atomic_t flowlabel_count; > struct { > struct hlist_head head; > spinlock_t lock; > diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c > index c92f98c6f..758a2fc4d 100644 > --- a/net/ipv6/ip6_flowlabel.c > +++ b/net/ipv6/ip6_flowlabel.c > @@ -36,7 +36,7 @@ > /* FL hash table */ > > #define FL_MAX_PER_SOCK 32 > -#define FL_MAX_SIZE 4096 > +#define FL_MAX_SIZE 8192 > #define FL_HASH_MASK 255 > #define FL_HASH(l) (ntohl(l)&FL_HASH_MASK) > > @@ -162,8 +162,9 @@ static void ip6_fl_gc(struct timer_list *unused) > ttd = fl->expires; > if (time_after_eq(now, ttd)) { > *flp = fl->next; > - fl_free(fl); > atomic_dec(&fl_size); > + atomic_dec(&fl->fl_net->ipv6.flowlabel_count); > + fl_free(fl); Do not touch fl_free (here and below) > continue; > } > if (!sched || time_before(ttd, sched)) > @@ -195,8 +196,9 @@ static void __net_exit ip6_fl_purge(struct net *net) > if (net_eq(fl->fl_net, net) && > atomic_read(&fl->users) == 0) { > *flp = fl->next; > - fl_free(fl); > atomic_dec(&fl_size); > + atomic_dec(&net->ipv6.flowlabel_count); > + fl_free(fl); > continue; > } > flp = &fl->next; > @@ -245,6 +247,7 @@ static struct ip6_flowlabel *fl_intern(struct net *net, > fl->next = fl_ht[FL_HASH(fl->label)]; > rcu_assign_pointer(fl_ht[FL_HASH(fl->label)], fl); > atomic_inc(&fl_size); > + atomic_inc(&net->ipv6.flowlabel_count); > spin_unlock_bh(&ip6_fl_lock); > rcu_read_unlock(); > return NULL; > @@ -464,6 +467,9 @@ fl_create(struct net *net, struct sock *sk, struct in6_flowlabel_req *freq, > > static int mem_check(struct sock *sk) > { > + const int unpriv_total_limit = FL_MAX_SIZE - (FL_MAX_SIZE / 4); > + const int unpriv_user_limit = unpriv_total_limit / 2; > + struct net *net = sock_net(sk); > int room = FL_MAX_SIZE - atomic_read(&fl_size); > struct ipv6_fl_socklist *sfl; > int count = 0; > @@ -478,7 +484,9 @@ static int mem_check(struct sock *sk) > > if (room <= 0 || > ((count >= FL_MAX_PER_SOCK || > - (count > 0 && room < FL_MAX_SIZE/2) || room < FL_MAX_SIZE/4) && > + (count > 0 && room < FL_MAX_SIZE/2) || > + room < FL_MAX_SIZE/4 || > + atomic_read(&net->ipv6.flowlabel_count) >= unpriv_user_limit) && > !capable(CAP_NET_ADMIN))) > return -ENOBUFS; > > -- > 2.34.1 >