* [PATCH v1 net 1/2] tcp: Fix potential UAF in reqsk_timer_handler().
From: Kuniyuki Iwashima @ 2026-05-06 3:59 UTC (permalink / raw)
To: Eric Dumazet, Neal Cardwell, David S. Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, Kuniyuki Iwashima, netdev, Damiano Melotti
When TCP socket migration fails at inet_ehash_insert() in
reqsk_timer_handler(), we jump to the no_ownership: label
and free the new reqsk immediately with __reqsk_free().
Thus, we must stop the new reqsk's timer before jumping to the
label, but the timer might be missed since the cited commit,
resulting in UAF.
As we are in the original reqsk's timer context, we can safely
call timer_delete_sync() for the new reqsk.
Let's pass false to __inet_csk_reqsk_queue_drop() to stop
the new reqsk's timer.
Fixes: 83fccfc3940c ("inet: fix potential deadlock in reqsk_queue_unlink()")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
In case Sashiko asks
"What happens if TFO reqsk is migrated in reqsk_timer_handler()?",
the answer is
"TFO does not use reqsk_timer_handler()."
---
net/ipv4/inet_connection_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 928654c34156..971f9db2c586 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -1108,7 +1108,7 @@ static void reqsk_timer_handler(struct timer_list *t)
if (!inet_ehash_insert(req_to_sk(nreq), req_to_sk(oreq), NULL)) {
/* delete timer */
- __inet_csk_reqsk_queue_drop(sk_listener, nreq, true);
+ __inet_csk_reqsk_queue_drop(sk_listener, nreq, false);
goto no_ownership;
}
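Review bot: the "/* delete timer */" comment above the call is now accurate, but the reason a synchronous delete is safe at this point (this code runs inside oreq's timer callback and only waits on nreq's timer, a different timer, so it cannot wait on itself) lives only in the commit message; consider folding it into the comment, e.g. "/* delete nreq's timer; we are in oreq's timer context, so a sync delete cannot self-deadlock */", so that a later reader does not flip the argument back to true out of caution. Note also that sk_listener is still passed as the owning listener of nreq here, which is correct only because migration has already updated sk_listener to the new listener at this point; patch 2/2 switches the oreq drop to oreq->rsk_listener for exactly that reason, and passing nreq->rsk_listener here would make the same invariant self-evident.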
--
2.54.0.545.g6539524ca2-goog
* [PATCH v1 net 2/2] tcp: Fix imbalanced icsk_accept_queue count.
From: Kuniyuki Iwashima @ 2026-05-06 3:59 UTC (permalink / raw)
To: Eric Dumazet, Neal Cardwell, David S. Miller, Jakub Kicinski, Paolo Abeni
Cc: Simon Horman, Kuniyuki Iwashima, Kuniyuki Iwashima, netdev, Damiano Melotti
When TCP socket migration happens in reqsk_timer_handler(),
@sk_listener will be updated with the new listener.
When we call __inet_csk_reqsk_queue_drop(), the listener must
be the one stored in req->rsk_listener.
The cited commit accidentally replaced oreq->rsk_listener with
sk_listener, leading to imbalanced icsk_accept_queue count.
Let's pass the correct listener to __inet_csk_reqsk_queue_drop().
Fixes: e8c526f2bdf1 ("tcp/dccp: Don't use timer_pending() in reqsk_queue_unlink().")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Kuniyuki Iwashima <kuniyu@google.com>
---
net/ipv4/inet_connection_sock.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/ipv4/inet_connection_sock.c b/net/ipv4/inet_connection_sock.c
index 971f9db2c586..dbcd37dfdc15 100644
--- a/net/ipv4/inet_connection_sock.c
+++ b/net/ipv4/inet_connection_sock.c
@@ -1134,7 +1134,7 @@ static void reqsk_timer_handler(struct timer_list *t)
}
drop:
- __inet_csk_reqsk_queue_drop(sk_listener, oreq, true);
+ __inet_csk_reqsk_queue_drop(oreq->rsk_listener, oreq, true);
reqsk_put(oreq);
}
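Review bot: drop: is a shared label, and after a migration sk_listener no longer names the listener that oreq is accounted against, so the accept-queue bookkeeping has to be done on oreq->rsk_listener; the change is right, but the invariant the commit message states (the listener passed to __inet_csk_reqsk_queue_drop() must be the one stored in req->rsk_listener) deserves a one-line comment at the label, because patch 1/2 still passes sk_listener for nreq a few lines earlier and the asymmetry between the two calls will read as a bug to the next person touching this function.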
--
2.54.0.545.g6539524ca2-goog
* Re: [PATCH v1 net 0/2] tcp: Two fixes for socket migration in reqsk_timer_handler().
From: patchwork-bot+netdevbpf @ 2026-05-08 22:00 UTC (permalink / raw)
To: Kuniyuki Iwashima
Cc: edumazet, ncardwell, davem, kuba, pabeni, horms, kuni1840, netdev
Hello:
This series was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:
On Wed, 6 May 2026 03:59:17 +0000 you wrote:
> The series fixes two bugs in the error path of socket migration
> in reqsk_timer_handler().
>
> Patch 1 fixes a potential UAF in reqsk_timer_handler().
>
> Patch 2 fixes imbalanced icsk_accept_queue count.
>
> [...]
Here is the summary with links:
- [v1,net,1/2] tcp: Fix potential UAF in reqsk_timer_handler().
https://git.kernel.org/netdev/net/c/97c8a3c1f73d
- [v1,net,2/2] tcp: Fix imbalanced icsk_accept_queue count.
https://git.kernel.org/netdev/net/c/7eca3292cac7
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html