[PATCH net 1/1] net/sched: cls_flow: Dont expose folded kernel pointers

Netdev List
 help / color / mirror / Atom feed

* [PATCH net 1/1] net/sched: cls_flow: Dont  expose folded kernel pointers
@ 2026-06-10 10:18 Jamal Hadi Salim
  2026-06-10 10:24 ` Eric Dumazet
  2026-06-11 22:20 ` patchwork-bot+netdevbpf
  0 siblings, 2 replies; 3+ messages in thread
From: Jamal Hadi Salim @ 2026-06-10 10:18 UTC (permalink / raw)
  To: netdev
  Cc: jiri, davem, edumazet, kuba, pabeni, horms, victor, kylebot,
	stable, security, Jamal Hadi Salim

The flow classifier falls back to addr_fold() for fields that are missing
from packet headers. In map mode, userspace controls mask, xor, rshift,
addend and divisor, and can observe the resulting classid through class
statistics. This allows a tc classifier in a user/network namespace to
recover the 32-bit folded value of skb->sk, skb_dst() or skb_nfct().

Align with standard kernel practices for pointer hashing and replace the
XOR folding with a keyed siphash (which is cryptographically secure)

Fixes: e5dfb815181f ("[NET_SCHED]: Add flow classifier")
Reported-by: Kyle Zeng <kylebot@openai.com>
Tested-by: Kyle Zeng <kylebot@openai.com>
Tested-by: Victor Nogueira <victor@mojatatu.com>
Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>
---
 net/sched/cls_flow.c | 12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

diff --git a/net/sched/cls_flow.c b/net/sched/cls_flow.c
index ab364e4e4686..356c68ebc389 100644
--- a/net/sched/cls_flow.c
+++ b/net/sched/cls_flow.c
@@ -21,6 +21,7 @@
 #include <net/inet_sock.h>
 
 #include <net/pkt_cls.h>
+#include <linux/siphash.h>
 #include <net/ip.h>
 #include <net/route.h>
 #include <net/flow_dissector.h>
@@ -57,11 +58,15 @@ struct flow_filter {
 	struct rcu_work		rwork;
 };
 
+static siphash_aligned_key_t flow_keys_secret __read_mostly;
+
 static inline u32 addr_fold(void *addr)
 {
-	unsigned long a = (unsigned long)addr;
-
-	return (a & 0xFFFFFFFF) ^ (BITS_PER_LONG > 32 ? a >> 32 : 0);
+#ifdef CONFIG_64BIT
+	return (u32)siphash_1u64((u64)addr, &flow_keys_secret);
+#else
+	return (u32)siphash_1u32((u32)addr, &flow_keys_secret);
+#endif
 }
 
 static u32 flow_get_src(const struct sk_buff *skb, const struct flow_keys *flow)
@@ -596,6 +601,7 @@ static int flow_init(struct tcf_proto *tp)
 		return -ENOBUFS;
 	INIT_LIST_HEAD(&head->filters);
 	rcu_assign_pointer(tp->root, head);
+	net_get_random_once(&flow_keys_secret, sizeof(flow_keys_secret));
 	return 0;
 }
 
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread

* Re: [PATCH net 1/1] net/sched: cls_flow: Dont expose folded kernel pointers
  2026-06-10 10:18 [PATCH net 1/1] net/sched: cls_flow: Dont expose folded kernel pointers Jamal Hadi Salim
@ 2026-06-10 10:24 ` Eric Dumazet
  2026-06-11 22:20 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: Eric Dumazet @ 2026-06-10 10:24 UTC (permalink / raw)
  To: Jamal Hadi Salim
  Cc: netdev, jiri, davem, kuba, pabeni, horms, victor, kylebot, stable,
	security

On Wed, Jun 10, 2026 at 3:18 AM Jamal Hadi Salim <jhs@mojatatu.com> wrote:
>
> The flow classifier falls back to addr_fold() for fields that are missing
> from packet headers. In map mode, userspace controls mask, xor, rshift,
> addend and divisor, and can observe the resulting classid through class
> statistics. This allows a tc classifier in a user/network namespace to
> recover the 32-bit folded value of skb->sk, skb_dst() or skb_nfct().
>
> Align with standard kernel practices for pointer hashing and replace the
> XOR folding with a keyed siphash (which is cryptographically secure)
>
> Fixes: e5dfb815181f ("[NET_SCHED]: Add flow classifier")
> Reported-by: Kyle Zeng <kylebot@openai.com>
> Tested-by: Kyle Zeng <kylebot@openai.com>
> Tested-by: Victor Nogueira <victor@mojatatu.com>
> Signed-off-by: Jamal Hadi Salim <jhs@mojatatu.com>

Reviewed-by: Eric Dumazet <edumazet@google.com>

Thanks.

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH net 1/1] net/sched: cls_flow: Dont  expose folded kernel pointers
  2026-06-10 10:18 [PATCH net 1/1] net/sched: cls_flow: Dont expose folded kernel pointers Jamal Hadi Salim
  2026-06-10 10:24 ` Eric Dumazet
@ 2026-06-11 22:20 ` patchwork-bot+netdevbpf
  1 sibling, 0 replies; 3+ messages in thread
From: patchwork-bot+netdevbpf @ 2026-06-11 22:20 UTC (permalink / raw)
  To: Jamal Hadi Salim
  Cc: netdev, jiri, davem, edumazet, kuba, pabeni, horms, victor,
	kylebot, stable, security

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Wed, 10 Jun 2026 06:18:39 -0400 you wrote:
> The flow classifier falls back to addr_fold() for fields that are missing
> from packet headers. In map mode, userspace controls mask, xor, rshift,
> addend and divisor, and can observe the resulting classid through class
> statistics. This allows a tc classifier in a user/network namespace to
> recover the 32-bit folded value of skb->sk, skb_dst() or skb_nfct().
> 
> Align with standard kernel practices for pointer hashing and replace the
> XOR folding with a keyed siphash (which is cryptographically secure)
> 
> [...]

Here is the summary with links:
  - [net,1/1] net/sched: cls_flow: Dont expose folded kernel pointers
    https://git.kernel.org/netdev/net/c/f294fc71c4a0

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html



^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, other threads:[~2026-06-11 22:20 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-06-10 10:18 [PATCH net 1/1] net/sched: cls_flow: Dont expose folded kernel pointers Jamal Hadi Salim
2026-06-10 10:24 ` Eric Dumazet
2026-06-11 22:20 ` patchwork-bot+netdevbpf

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox