From: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To: stable@vger.kernel.org
Cc: Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
patches@lists.linux.dev, Al Viro <viro@zeniv.linux.org.uk>,
"Matthieu Baerts (NGI0)" <matttbe@kernel.org>,
Jakub Kicinski <kuba@kernel.org>
Subject: [PATCH 6.1 41/92] sctp: sysctl: udp_port: avoid using current->nsproxy
Date: Wed, 15 Jan 2025 11:36:59 +0100 [thread overview]
Message-ID: <20250115103549.168057819@linuxfoundation.org> (raw)
In-Reply-To: <20250115103547.522503305@linuxfoundation.org>
6.1-stable review patch. If anyone has any objections, please let me know.
------------------
From: Matthieu Baerts (NGI0) <matttbe@kernel.org>
commit c10377bbc1972d858eaf0ab366a311b39f8ef1b6 upstream.
As mentioned in a previous commit of this series, using the 'net'
structure via 'current' is not recommended for different reasons:
- Inconsistency: getting info from the reader's/writer's netns vs only
from the opener's netns.
- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
(null-ptr-deref), e.g. when the current task is exiting, as spotted by
syzbot [1] using acct(2).
The 'net' structure can be obtained from the table->data using
container_of().
Note that table->data could also be used directly, but that would
increase the size of this fix, while 'sctp.ctl_sock' still needs to be
retrieved from 'net' structure.
Fixes: 046c052b475e ("sctp: enable udp tunneling socks")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-7-5df34b2083e8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---
net/sctp/sysctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -521,7 +521,7 @@ static int proc_sctp_do_auth(struct ctl_
static int proc_sctp_do_udp_port(struct ctl_table *ctl, int write,
void *buffer, size_t *lenp, loff_t *ppos)
{
- struct net *net = current->nsproxy->net_ns;
+ struct net *net = container_of(ctl->data, struct net, sctp.udp_port);
unsigned int min = *(unsigned int *)ctl->extra1;
unsigned int max = *(unsigned int *)ctl->extra2;
struct ctl_table tbl;
next prev parent reply other threads:[~2025-01-15 10:40 UTC|newest]
Thread overview: 110+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-01-15 10:36 [PATCH 6.1 00/92] 6.1.125-rc1 review Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 01/92] ceph: give up on paths longer than PATH_MAX Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 02/92] bpf, sockmap: Fix race between element replace and close() Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 03/92] sched/task_stack: fix object_is_on_stack() for KASAN tagged pointers Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 04/92] jbd2: increase IO priority for writing revoke records Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 05/92] jbd2: flush filesystem device before updating tail sequence Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 06/92] dm array: fix releasing a faulty array block twice in dm_array_cursor_end Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 07/92] dm array: fix unreleased btree blocks on closing a faulty array cursor Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 08/92] dm array: fix cursor index when skipping across block boundaries Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 09/92] exfat: fix the infinite loop in exfat_readdir() Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 10/92] exfat: fix the infinite loop in __exfat_free_cluster() Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 11/92] scripts/sorttable: fix orc_sort_cmp() to maintain symmetry and transitivity Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 12/92] ASoC: mediatek: disable buffer pre-allocation Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 13/92] ieee802154: ca8210: Add missing check for kfifo_alloc() in ca8210_probe() Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 14/92] net: 802: LLC+SNAP OID:PID lookup on start of skb data Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 15/92] tcp/dccp: complete lockless accesses to sk->sk_max_ack_backlog Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 16/92] tcp/dccp: allow a connection when sk_max_ack_backlog is zero Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 17/92] net_sched: cls_flow: validate TCA_FLOW_RSHIFT attribute Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 18/92] bnxt_en: Fix possible memory leak when hwrm_req_replace fails Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 19/92] cxgb4: Avoid removal of uninserted tid Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 20/92] ice: fix incorrect PHY settings for 100 GB/s Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 21/92] tls: Fix tls_sw_sendmsg error handling Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 22/92] Bluetooth: hci_sync: Fix not setting Random Address when required Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 23/92] tcp: Annotate data-race around sk->sk_mark in tcp_v4_send_reset Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 24/92] netfilter: nf_tables: imbalance in flowtable binding Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 25/92] netfilter: conntrack: clamp maximum hashtable size to INT_MAX Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 26/92] sched: sch_cake: add bounds checks to host bulk flow fairness counts Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 27/92] net/mlx5: Fix variable not being completed when function returns Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 28/92] drm/mediatek: stop selecting foreign drivers Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 29/92] drm/mediatek: Fix YCbCr422 color format issue for DP Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 30/92] drm/mediatek: Fix mode valid issue for dp Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 31/92] drm/mediatek: Add return value check when reading DPCD Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 32/92] ksmbd: fix a missing return value check bug Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 33/92] afs: Fix the maximum cell name length Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 34/92] ksmbd: fix unexpectedly changed path in ksmbd_vfs_kern_path_locked Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 35/92] cpuidle: riscv-sbi: fix device node release in early exit of for_each_possible_cpu Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 36/92] dm thin: make get_first_thin use rcu-safe list first function Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 37/92] dm-ebs: dont set the flag DM_TARGET_PASSES_INTEGRITY Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 38/92] sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 39/92] sctp: sysctl: rto_min/max: " Greg Kroah-Hartman
2025-01-15 10:36 ` [PATCH 6.1 40/92] sctp: sysctl: auth_enable: " Greg Kroah-Hartman
2025-01-15 10:36 ` Greg Kroah-Hartman [this message]
2025-01-15 10:37 ` [PATCH 6.1 42/92] sctp: sysctl: plpmtud_probe_interval: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 43/92] drm/amd/display: Add check for granularity in dml ceil/floor helpers Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 44/92] thermal: of: fix OF node leak in of_thermal_zone_find() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 45/92] riscv: Fix sleeping in invalid context in die() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 46/92] ACPI: resource: Add TongFang GM5HG0A to irq1_edge_low_force_override[] Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 47/92] ACPI: resource: Add Asus Vivobook X1504VAP to irq1_level_low_skip_override[] Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 48/92] drm/amd/display: increase MAX_SURFACES to the value supported by hw Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 49/92] dm-verity FEC: Fix RS FEC repair for roots unaligned to block size (take 2) Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 50/92] bpf: Add MEM_WRITE attribute Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 51/92] bpf: Fix overloading of MEM_UNINITs meaning Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 52/92] USB: serial: option: add MeiG Smart SRM815 Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 53/92] USB: serial: option: add Neoway N723-EA support Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 54/92] staging: iio: ad9834: Correct phase range check Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 55/92] staging: iio: ad9832: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 56/92] usb-storage: Add max sectors quirk for Nokia 208 Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 57/92] USB: serial: cp210x: add Phoenix Contact UPS Device Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 58/92] usb: dwc3: gadget: fix writing NYET threshold Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 59/92] topology: Keep the cpumask unchanged when printing cpumap Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 60/92] misc: microchip: pci1xxxx: Resolve kernel panic during GPIO IRQ handling Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 61/92] misc: microchip: pci1xxxx: Resolve return code mismatch during GPIO set config Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 62/92] usb: gadget: u_serial: Disable ep before setting port to null to fix the crash caused by port being null Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 63/92] usb: dwc3-am62: Disable autosuspend during remove Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 64/92] USB: usblp: return error when setting unsupported protocol Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 65/92] USB: core: Disable LPM only for non-suspended ports Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 66/92] usb: fix reference leak in usb_new_device() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 67/92] usb: gadget: f_uac2: Fix incorrect setting of bNumEndpoints Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 68/92] usb: gadget: f_fs: Remove WARN_ON in functionfs_bind Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 69/92] iio: pressure: zpa2326: fix information leak in triggered buffer Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 70/92] iio: dummy: iio_simply_dummy_buffer: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 71/92] iio: light: vcnl4035: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 72/92] iio: imu: kmx61: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 73/92] iio: adc: ti-ads8688: " Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 74/92] iio: gyro: fxas21002c: Fix missing data update in trigger handler Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 75/92] iio: adc: ti-ads124s08: Use gpiod_set_value_cansleep() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 76/92] iio: adc: at91: call input_free_device() on allocated iio_dev Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 77/92] iio: inkern: call iio_device_put() only on mapped devices Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 78/92] iio: adc: ad7124: Disable all channels at probe time Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 79/92] io_uring/eventfd: ensure io_eventfd_signal() defers another RCU period Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 80/92] ARM: dts: imxrt1050: Fix clocks for mmc Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 81/92] block, bfq: fix waker_bfqq UAF after bfq_split_bfqq() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 82/92] arm64: dts: rockchip: add hevc power domain clock to rk3328 Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 83/92] of: unittest: Add bus address range parsing tests Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 84/92] of/address: Add support for 3 address cell bus Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 85/92] of: address: Fix address translation when address-size is greater than 2 Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 86/92] of: address: Remove duplicated functions Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 87/92] of: address: Store number of bus flag cells rather than bool Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 88/92] of: address: Preserve the flags portion on 1:1 dma-ranges mapping Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 89/92] ocfs2: correct return value of ocfs2_local_free_info() Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 90/92] ocfs2: fix slab-use-after-free due to dangling pointer dqi_priv Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 91/92] drm: bridge: adv7511: use dev_err_probe in probe function Greg Kroah-Hartman
2025-01-15 10:37 ` [PATCH 6.1 92/92] drm: adv7511: Fix use-after-free in adv7533_attach_dsi() Greg Kroah-Hartman
2025-01-15 12:50 ` [PATCH 6.1 00/92] 6.1.125-rc1 review Pavel Machek
2025-01-15 13:57 ` Pavel Machek
[not found] ` <2025011725-underdog-heftiness-49df@gregkh>
2025-01-17 21:16 ` 6.1.125 build fail was -- " Pavel Machek
2025-01-18 6:37 ` Ron Economos
2025-01-18 7:20 ` Greg Kroah-Hartman
2025-01-18 12:27 ` Ron Economos
2025-01-15 14:09 ` Ron Economos
2025-01-15 15:07 ` Greg Kroah-Hartman
2025-01-15 13:15 ` Mark Brown
2025-01-15 14:13 ` Jon Hunter
2025-01-15 22:14 ` Florian Fainelli
2025-01-15 22:32 ` Shuah Khan
2025-01-16 10:48 ` Naresh Kamboju
2025-01-16 13:59 ` Peter Schneider
2025-01-17 2:25 ` [PATCH 6.1] " Hardik Garg
2025-01-18 15:05 ` [PATCH 6.1 00/92] " Guenter Roeck
2025-01-18 15:34 ` Greg Kroah-Hartman
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20250115103549.168057819@linuxfoundation.org \
--to=gregkh@linuxfoundation.org \
--cc=kuba@kernel.org \
--cc=matttbe@kernel.org \
--cc=patches@lists.linux.dev \
--cc=stable@vger.kernel.org \
--cc=viro@zeniv.linux.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox