public inbox for stable@vger.kernel.org
* [PATCH 5.4 0/4] sctp: sysctl: fix argument passed to container_of
From: Magali Lemes @ 2025-03-11 18:54 UTC
  To: gregkh, stable; +Cc: Matthieu Baerts (NGI0)

Patches "sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy" and
"sctp: sysctl: auth_enable: avoid using current->nsproxy" have been
mixed up when backported to 5.4. The `member` argument passed to
`container_of` has been swapped in both proc_sctp_do_auth() and
proc_sctp_do_hmac_alg(). For instance, accessing
/proc/sys/net/sctp/cookie_hmac_alg can now cause a kernel oops.
Fix this by reverting the wrong backports and re-applying them correctly.

Magali Lemes (2):
  Revert "sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy"
  Revert "sctp: sysctl: auth_enable: avoid using current->nsproxy"

Matthieu Baerts (NGI0) (2):
  sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
  sctp: sysctl: auth_enable: avoid using current->nsproxy

 net/sctp/sysctl.c | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

-- 
2.48.1
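
The member mix-up described in the cover letter above, reduced to a user-space C sketch (an added example, not code from the patches or from the kernel). `mock_net`, `mock_netns_sctp` and the helper names are hypothetical stand-ins with an invented layout; only the member names `sctp_hmac_alg`, `ctl_sock` and `auth_enable` come from this thread.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Simplified stand-ins (assumption): only the member names come from the
 * patches in this thread; the real structures are far larger. */
struct mock_netns_sctp {
	char *sctp_hmac_alg;	/* backing store for cookie_hmac_alg */
	void *ctl_sock;
	int auth_enable;	/* backing store for auth_enable */
};

struct mock_net {
	unsigned long other_state[4];
	struct mock_netns_sctp sctp;
};

/* Same subtraction as the kernel macro. With a void * input there is no
 * pointee type to compare against the member, so a wrong member compiles. */
#define container_of(ptr, type, member) \
	((type *)((uintptr_t)(ptr) - offsetof(type, member)))

/* The handler naming the member its table entry really points at. */
static struct mock_net *net_from_hmac_data(void *data)
{
	return container_of(data, struct mock_net, sctp.sctp_hmac_alg);
}

/* The mixed-up backport: same data pointer, the other member's offset. */
static struct mock_net *net_from_hmac_data_swapped(void *data)
{
	return container_of(data, struct mock_net, sctp.auth_enable);
}

/* Signed distance in bytes between the recovered base and the real one. */
static ptrdiff_t base_error(const struct mock_net *got,
			    const struct mock_net *real)
{
	return (ptrdiff_t)((intptr_t)got - (intptr_t)real);
}

int main(void)
{
	struct mock_net net = { .sctp = { .sctp_hmac_alg = "sha1" } };
	void *data = &net.sctp.sctp_hmac_alg;	/* what the table entry stores */

	printf("correct member: base off by %td bytes\n",
	       base_error(net_from_hmac_data(data), &net));
	printf("swapped member: base off by %td bytes\n",
	       base_error(net_from_hmac_data_swapped(data), &net));
	return 0;
}
```

The swapped variant never dereferences its result; in the kernel handlers the recovered `net` is used immediately, which is where the oops mentioned in the cover letter comes from.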



* [PATCH 5.4 1/4] Revert "sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy"
From: Magali Lemes @ 2025-03-11 18:54 UTC
  To: gregkh, stable; +Cc: Matthieu Baerts (NGI0)

This reverts commit 1031462a944ba0fa83c25ab1111465f8345b5589 as it
was backported incorrectly.
A subsequent commit will re-backport the original patch.

Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
 net/sctp/sysctl.c | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index 7777c0096a38..3fc2fa57424b 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -441,8 +441,7 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write,
 			     void __user *buffer, size_t *lenp,
 			     loff_t *ppos)
 {
-	struct net *net = container_of(ctl->data, struct net,
-				       sctp.sctp_hmac_alg);
+	struct net *net = current->nsproxy->net_ns;
 	struct ctl_table tbl;
 	int new_value, ret;
 
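Review bot: the commit message says only that the backport was incorrect; it should name the defect the removed lines in proc_sctp_do_auth() show, namely container_of() being given sctp.sctp_hmac_alg, the member that belongs to the cookie_hmac_alg handler. It is also worth stating that the function touched here is corrected again by 4/4 (the auth_enable patch), not by the re-backport that shares this revert's title (3/4), so that someone reading the 5.4.y log can follow the series without the cover letter.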
-- 
2.48.1



* [PATCH 5.4 2/4] Revert "sctp: sysctl: auth_enable: avoid using current->nsproxy"
From: Magali Lemes @ 2025-03-11 18:54 UTC
  To: gregkh, stable; +Cc: Matthieu Baerts (NGI0)

This reverts commit 10c869a52f266e40f548cc3c565d14930a5edafc as it
was backported incorrectly.
A subsequent commit will re-backport the original patch.

Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
 net/sctp/sysctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index 3fc2fa57424b..4ecd3857204d 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -326,7 +326,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
 				void __user *buffer, size_t *lenp,
 				loff_t *ppos)
 {
-	struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
+	struct net *net = current->nsproxy->net_ns;
 	struct ctl_table tbl;
 	bool changed = false;
 	char *none = "none";
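Review bot: after this patch and until 3/4 is applied, proc_sctp_do_hmac_alg() is back on `current->nsproxy->net_ns`, which the commit messages of 3/4 and 4/4 describe as NULL when the current task is exiting. The two reverts and the two re-applies only make sense together, so say that in the commit message (or fold the series into one fix-up that swaps the two member names), so that a bisect or a partial pick does not stop on a tree with the null-ptr-deref reintroduced.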
-- 
2.48.1



* [PATCH 5.4 3/4] sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
From: Magali Lemes @ 2025-03-11 18:54 UTC
  To: gregkh, stable; +Cc: Matthieu Baerts (NGI0)

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream.

As mentioned in a previous commit of this series, using the 'net'
structure via 'current' is not recommended for different reasons:

- Inconsistency: getting info from the reader's/writer's netns vs only
  from the opener's netns.

- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
  (null-ptr-deref), e.g. when the current task is exiting, as spotted by
  syzbot [1] using acct(2).

The 'net' structure can be obtained from the table->data using
container_of().

Note that table->data could also be used directly, as this is the only
member needed from the 'net' structure, but that would increase the size
of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is
used.

Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
 net/sctp/sysctl.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index 4ecd3857204d..4116b3cd83c2 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -326,7 +326,8 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
 				void __user *buffer, size_t *lenp,
 				loff_t *ppos)
 {
-	struct net *net = current->nsproxy->net_ns;
+	struct net *net = container_of(ctl->data, struct net,
+				       sctp.sctp_hmac_alg);
 	struct ctl_table tbl;
 	bool changed = false;
 	char *none = "none";
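Review bot: nothing on the container_of() line in proc_sctp_do_hmac_alg() records why sctp.sctp_hmac_alg is the right member, and the cover letter shows this is exactly the detail that was swapped in the earlier backport. A one-line comment above it saying that ctl->data for this handler points at net->sctp.sctp_hmac_alg would make a future mismatch visible in review. The message is otherwise the upstream text; a bracketed backporter note above the last Signed-off-by, saying that this re-applies the change after the revert earlier in this series, would distinguish it from the first attempt in the 5.4.y history.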
-- 
2.48.1



* [PATCH 5.4 4/4] sctp: sysctl: auth_enable: avoid using current->nsproxy
From: Magali Lemes @ 2025-03-11 18:54 UTC
  To: gregkh, stable; +Cc: Matthieu Baerts (NGI0)

From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>

commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream.

As mentioned in a previous commit of this series, using the 'net'
structure via 'current' is not recommended for different reasons:

- Inconsistency: getting info from the reader's/writer's netns vs only
  from the opener's netns.

- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
  (null-ptr-deref), e.g. when the current task is exiting, as spotted by
  syzbot [1] using acct(2).

The 'net' structure can be obtained from the table->data using
container_of().

Note that table->data could also be used directly, but that would
increase the size of this fix, while 'sctp.ctl_sock' still needs to be
retrieved from 'net' structure.

Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
---
 net/sctp/sysctl.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c
index 4116b3cd83c2..f6fe63f60acd 100644
--- a/net/sctp/sysctl.c
+++ b/net/sctp/sysctl.c
@@ -442,7 +442,7 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write,
 			     void __user *buffer, size_t *lenp,
 			     loff_t *ppos)
 {
-	struct net *net = current->nsproxy->net_ns;
+	struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
 	struct ctl_table tbl;
 	int new_value, ret;
 
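Review bot: there is no record of how the corrected proc_sctp_do_auth() was exercised at run time: the cover letter names only /proc/sys/net/sctp/cookie_hmac_alg as a way to hit the oops, and the bot replies in this thread report patch-apply and build results only. The commit message notes that net is still needed in this handler to reach sctp.ctl_sock, so a wrong base pointer here would be used, not just computed; please state in the backport that the auth_enable sysctl was read and written on the patched 5.4 tree.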
-- 
2.48.1



* Re: [PATCH 5.4 1/4] Revert "sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy"
From: Sasha Levin @ 2025-03-13  9:01 UTC
  To: stable, magali.lemes; +Cc: Sasha Levin

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
⚠️ Could not find matching upstream commit

No upstream commit was identified. Using temporary commit for testing.

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        |  Success    |  Success   |


* Re: [PATCH 5.4 2/4] Revert "sctp: sysctl: auth_enable: avoid using current->nsproxy"
From: Sasha Levin @ 2025-03-13  9:01 UTC
  To: stable, magali.lemes; +Cc: Sasha Levin

[ Sasha's backport helper bot ]

Hi,

Summary of potential issues:
ℹ️ This is part 2/4 of a series
⚠️ Could not find matching upstream commit

No upstream commit was identified. Using temporary commit for testing.

NOTE: These results are for this patch alone. Full series testing will be
performed when all parts are received.

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        |  Success    |  Success   |


* Re: [PATCH 5.4 4/4] sctp: sysctl: auth_enable: avoid using current->nsproxy
From: Sasha Levin @ 2025-03-13  9:08 UTC
  To: stable; +Cc: Magali Lemes, Sasha Levin

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: 15649fd5415eda664ef35780c2013adeb5d9c695

WARNING: Author mismatch between patch and upstream commit:
Backport author: Magali Lemes<magali.lemes@canonical.com>
Commit author: Matthieu Baerts (NGI0)<matttbe@kernel.org>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (different SHA1: c184bc621e3c)
6.6.y | Present (different SHA1: 7ec30c54f339)
6.1.y | Present (different SHA1: 1b67030d39f2)
5.15.y | Present (different SHA1: bd2a29394235)
5.10.y | Present (different SHA1: dc583e7e5f85)

Note: The patch differs from the upstream commit:
---
1:  15649fd5415ed ! 1:  43321e75147b6 sctp: sysctl: auth_enable: avoid using current->nsproxy
    @@ Metadata
      ## Commit message ##
         sctp: sysctl: auth_enable: avoid using current->nsproxy
     
    +    commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream.
    +
         As mentioned in a previous commit of this series, using the 'net'
         structure via 'current' is not recommended for different reasons:
     
    @@ Commit message
         Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
         Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org
         Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    +    Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
     
      ## net/sctp/sysctl.c ##
    -@@ net/sctp/sysctl.c: static int proc_sctp_do_alpha_beta(const struct ctl_table *ctl, int write,
    - static int proc_sctp_do_auth(const struct ctl_table *ctl, int write,
    - 			     void *buffer, size_t *lenp, loff_t *ppos)
    +@@ net/sctp/sysctl.c: static int proc_sctp_do_auth(struct ctl_table *ctl, int write,
    + 			     void __user *buffer, size_t *lenp,
    + 			     loff_t *ppos)
      {
     -	struct net *net = current->nsproxy->net_ns;
     +	struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        |  Success    |  Success   |


* Re: [PATCH 5.4 3/4] sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
From: Sasha Levin @ 2025-03-13  9:08 UTC
  To: stable; +Cc: Magali Lemes, Sasha Levin

[ Sasha's backport helper bot ]

Hi,

✅ All tests passed successfully. No issues detected.
No action required from the submitter.

The upstream commit SHA1 provided is correct: ea62dd1383913b5999f3d16ae99d411f41b528d4

WARNING: Author mismatch between patch and upstream commit:
Backport author: Magali Lemes<magali.lemes@canonical.com>
Commit author: Matthieu Baerts (NGI0)<matttbe@kernel.org>

Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (different SHA1: f0bb39354706)
6.6.y | Present (different SHA1: ad673e514b27)
6.1.y | Present (different SHA1: 3cd0659deb9c)
5.15.y | Present (different SHA1: 86ddf8118123)
5.10.y | Present (different SHA1: 03ca51faba2b)

Note: The patch differs from the upstream commit:
---
1:  ea62dd1383913 ! 1:  0deb81ab0a4a2 sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
    @@ Metadata
      ## Commit message ##
         sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
     
    +    commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream.
    +
         As mentioned in a previous commit of this series, using the 'net'
         structure via 'current' is not recommended for different reasons:
     
    @@ Commit message
         Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
         Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083e8@kernel.org
         Signed-off-by: Jakub Kicinski <kuba@kernel.org>
    +    Signed-off-by: Magali Lemes <magali.lemes@canonical.com>
     
      ## net/sctp/sysctl.c ##
    -@@ net/sctp/sysctl.c: static struct ctl_table sctp_net_table[] = {
    - static int proc_sctp_do_hmac_alg(const struct ctl_table *ctl, int write,
    - 				 void *buffer, size_t *lenp, loff_t *ppos)
    +@@ net/sctp/sysctl.c: static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write,
    + 				void __user *buffer, size_t *lenp,
    + 				loff_t *ppos)
      {
     -	struct net *net = current->nsproxy->net_ns;
     +	struct net *net = container_of(ctl->data, struct net,
---

Results of testing on various branches:

| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        |  Success    |  Success   |
