* [PATCH net] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
@ 2026-05-21 12:21 Eric Dumazet
2026-05-21 13:13 ` Jason Xing
2026-05-21 13:59 ` Jiayuan Chen
0 siblings, 2 replies; 4+ messages in thread
From: Eric Dumazet @ 2026-05-21 12:21 UTC (permalink / raw)
To: David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, netdev, Ido Schimmel, David Ahern, eric.dumazet,
Eric Dumazet, Ji'an Zhou, Cong Wang
ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports
too soon.
Only after unregister_net_sysctl_table() we can be sure no threads can possibly
use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports.
Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns")
Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Cc: Cong Wang <xiyou.wangcong@gmail.com>
---
net/ipv4/sysctl_net_ipv4.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
index d8bdb1bdbff17ab52fe969b93ce13673e88c05a4..c0e85cc171aec099fd5d4897b1a623dd27eaee08 100644
--- a/net/ipv4/sysctl_net_ipv4.c
+++ b/net/ipv4/sysctl_net_ipv4.c
@@ -1705,10 +1705,10 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
{
const struct ctl_table *table;
- kfree(net->ipv4.sysctl_local_reserved_ports);
table = net->ipv4.ipv4_hdr->ctl_table_arg;
unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
kfree(table);
+ kfree(net->ipv4.sysctl_local_reserved_ports);
}
static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
--
2.54.0.669.g59709faab0-goog
^ permalink raw reply related [flat|nested] 4+ messages in thread
* Re: [PATCH net] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
2026-05-21 12:21 [PATCH net] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Eric Dumazet
@ 2026-05-21 13:13 ` Jason Xing
2026-05-21 13:59 ` Jiayuan Chen
1 sibling, 0 replies; 4+ messages in thread
From: Jason Xing @ 2026-05-21 13:13 UTC (permalink / raw)
To: Eric Dumazet
Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
netdev, Ido Schimmel, David Ahern, eric.dumazet, Ji'an Zhou,
Cong Wang
On Thu, May 21, 2026 at 8:30 PM Eric Dumazet <edumazet@google.com> wrote:
>
> ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports
> too soon.
>
> Only after unregister_net_sysctl_table() we can be sure no threads can possibly
> use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports.
>
> Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns")
> Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Cong Wang <xiyou.wangcong@gmail.com>
Reviewed-by: Jason Xing <kerneljasonxing@gmail.com>
Thanks!
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
2026-05-21 12:21 [PATCH net] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Eric Dumazet
2026-05-21 13:13 ` Jason Xing
@ 2026-05-21 13:59 ` Jiayuan Chen
2026-05-21 14:39 ` Eric Dumazet
1 sibling, 1 reply; 4+ messages in thread
From: Jiayuan Chen @ 2026-05-21 13:59 UTC (permalink / raw)
To: Eric Dumazet, David S . Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, netdev, Ido Schimmel, David Ahern, eric.dumazet,
Ji'an Zhou, Cong Wang
On 5/21/26 8:21 PM, Eric Dumazet wrote:
> ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports
> too soon.
>
> Only after unregister_net_sysctl_table() we can be sure no threads can possibly
> use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports.
>
> Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns")
> Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
> Signed-off-by: Eric Dumazet <edumazet@google.com>
> Cc: Cong Wang <xiyou.wangcong@gmail.com>
> ---
> net/ipv4/sysctl_net_ipv4.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> index d8bdb1bdbff17ab52fe969b93ce13673e88c05a4..c0e85cc171aec099fd5d4897b1a623dd27eaee08 100644
> --- a/net/ipv4/sysctl_net_ipv4.c
> +++ b/net/ipv4/sysctl_net_ipv4.c
> @@ -1705,10 +1705,10 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
> {
> const struct ctl_table *table;
>
> - kfree(net->ipv4.sysctl_local_reserved_ports);
> table = net->ipv4.ipv4_hdr->ctl_table_arg;
> unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
> kfree(table);
> + kfree(net->ipv4.sysctl_local_reserved_ports);
> }
>
> static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
If there are still processes in the namespace, the netns refcnt cannot
become 0,
so I think it should be: first open
/proc/sys/net/ipv4/ip_local_reserved_ports, then pass
the fd to another process outside the netns? Maybe SCM_RIGHTS is used?
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [PATCH net] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table()
2026-05-21 13:59 ` Jiayuan Chen
@ 2026-05-21 14:39 ` Eric Dumazet
0 siblings, 0 replies; 4+ messages in thread
From: Eric Dumazet @ 2026-05-21 14:39 UTC (permalink / raw)
To: Jiayuan Chen
Cc: David S . Miller, Jakub Kicinski, Paolo Abeni, Simon Horman,
netdev, Ido Schimmel, David Ahern, eric.dumazet, Ji'an Zhou,
Cong Wang
On Thu, May 21, 2026 at 6:59 AM Jiayuan Chen <jiayuan.chen@linux.dev> wrote:
>
>
> On 5/21/26 8:21 PM, Eric Dumazet wrote:
> > ipv4_sysctl_exit_net() is currently freeing net->ipv4.sysctl_local_reserved_ports
> > too soon.
> >
> > Only after unregister_net_sysctl_table() we can be sure no threads can possibly
> > use the sysctls, including /proc/sys/net/ipv4/ip_local_reserved_ports.
> >
> > Fixes: 122ff243f5f1 ("ipv4: make ip_local_reserved_ports per netns")
> > Reported-by: Ji'an Zhou <eilaimemedsnaimel@gmail.com>
> > Signed-off-by: Eric Dumazet <edumazet@google.com>
> > Cc: Cong Wang <xiyou.wangcong@gmail.com>
> > ---
> > net/ipv4/sysctl_net_ipv4.c | 2 +-
> > 1 file changed, 1 insertion(+), 1 deletion(-)
> >
> > diff --git a/net/ipv4/sysctl_net_ipv4.c b/net/ipv4/sysctl_net_ipv4.c
> > index d8bdb1bdbff17ab52fe969b93ce13673e88c05a4..c0e85cc171aec099fd5d4897b1a623dd27eaee08 100644
> > --- a/net/ipv4/sysctl_net_ipv4.c
> > +++ b/net/ipv4/sysctl_net_ipv4.c
> > @@ -1705,10 +1705,10 @@ static __net_exit void ipv4_sysctl_exit_net(struct net *net)
> > {
> > const struct ctl_table *table;
> >
> > - kfree(net->ipv4.sysctl_local_reserved_ports);
> > table = net->ipv4.ipv4_hdr->ctl_table_arg;
> > unregister_net_sysctl_table(net->ipv4.ipv4_hdr);
> > kfree(table);
> > + kfree(net->ipv4.sysctl_local_reserved_ports);
> > }
> >
> > static __net_initdata struct pernet_operations ipv4_sysctl_ops = {
>
>
> Reviewed-by: Jiayuan Chen <jiayuan.chen@linux.dev>
>
>
> If there are still processes in the namespace, the netns refcnt cannot
> become 0,
>
> so I think it should be: first open
> /proc/sys/net/ipv4/ip_local_reserved_ports, then pass
>
> the fd to another process outside the netns? Maybe SCM_RIGHTS is used?
We will not share the repro publicly, for obvious reasons :)
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-05-21 14:39 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-05-21 12:21 [PATCH net] ipv4: free net->ipv4.sysctl_local_reserved_ports after unregister_net_sysctl_table() Eric Dumazet
2026-05-21 13:13 ` Jason Xing
2026-05-21 13:59 ` Jiayuan Chen
2026-05-21 14:39 ` Eric Dumazet
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox