kernel/linux.git/net/ipv4/inetpeer.c, branch v7.1-rc5Linux kernel stable tree (mirror)https://git.radix-linux.su/kernel/linux.git/atom?h=v7.1-rc52026-05-07T00:44:13+00:00inetpeer: add a missing read_seqretry() in inet_getpeer()2026-05-07T00:44:13+00:00Eric Dumazetedumazet@google.com2026-05-05T13:32:33+00:00urn:sha1:67ef49047d312be692c8c439145f4514174e517f
When performing a lockless lookup over the inet_peer rbtree,
if a matching node is found, inet_getpeer() returns it immediately
without validating the seqlock sequence.
This missing check introduces a race condition:
Trigger Path: When a host receives an incoming fragmented IPv4 packet,
ip4_frag_init() (in net/ipv4/ip_fragment.c) calls inet_getpeer_v4()
to track the peer.
The Race: If the packet is from a new source IP, CPU A acquires the
write_seqlock, allocates a new inet_peer node (p), sets its IP address
(daddr), and links it to the rbtree (rb_link_node).
Uninitialized Access: Due to the lack of memory barriers between
rb_link_node and the initialization of the rest of the struct
(like refcount_set(&p->refcnt, 1)), CPU A can make the node visible
to readers before its refcnt is initialized.
This is especially true on weakly-ordered architectures like ARM64
where the CPU can reorder the memory stores.
Lockless Reader: Concurrently, CPU B processes a second fragmented packet
from the same source IP. CPU B does a lockless lookup, finds the newly
inserted node, and returns it immediately.
Use-After-Free (UAF): CPU B reads p->refcnt as uninitialized garbage
(left over from previous kmalloc-128/192 allocations).
If the garbage is > 0, refcount_inc_not_zero(&p->refcnt) succeeds.
CPU A then executes refcount_set(&p->refcnt, 1), overwriting CPU B's increment.
When CPU B finishes with the fragment queue, it calls inet_putpeer(),
which drops the refcount to 0 and frees the node via RCU.
The node is now freed but remains linked in the rbtree,
resulting in a Use-After-Free in the rbtree.
Fixes: b145425f269a ("inetpeer: remove AVL implementation in favor of RB tree")
Reported-by: Damiano Melotti <melotti@google.com>
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20260505133233.3039575-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros2026-03-29T18:21:22+00:00Fernando Fernandez Mancerafmancera@suse.de2026-03-25T12:08:43+00:00urn:sha1:0557a34487b10f3e600a3a20b98ea164f36a3ad2
As IPv6 is built-in only, the macro is always evaluating to an empty
one. Remove it completely from the code.
Signed-off-by: Fernando Fernandez Mancera <fmancera@suse.de>
Link: https://patch.msgid.link/20260325120928.15848-3-fmancera@suse.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net: Add SPDX ids to some source files2026-03-10T01:32:45+00:00Tim Birdtim.bird@sony.com2026-03-05T00:47:22+00:00urn:sha1:2ed4b46b4fc77749cb0f8dd31a01441b82c8dbaa
Add SPDX-License-Identifier lines to several source
files under the network sub-directory. Work on files
in the core, dns_resolver, ipv4, ipv6 and
netfilter sub-dirs. Remove boilerplate
and license reference text to avoid ambiguity.
Rusty Russell has expressed that his contributions
were intended to be GPL-2.0-or-later.
Signed-off-by: Tim Bird <tim.bird@sony.com>
Link: https://patch.msgid.link/20260305004724.87469-1-tim.bird@sony.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
inetpeer: use EXPORT_IPV6_MOD[_GPL]()2025-02-14T21:09:39+00:00Eric Dumazetedumazet@google.com2025-02-12T13:24:16+00:00urn:sha1:95a3c96c746008a2abed2882e0da48a78f941c49
Use EXPORT_IPV6_MOD[_GPL]() for symbols that do not need to
to be exported unless CONFIG_IPV6=m
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Mateusz Polchlopek <mateusz.polchlopek@intel.com>
Link: https://patch.msgid.link/20250212132418.1524422-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
inetpeer: avoid false sharing in inet_peer_xrlim_allow()2024-12-20T21:04:40+00:00Eric Dumazetedumazet@google.com2024-12-19T15:03:30+00:00urn:sha1:05dd04b218f42c57a14e330fd8583995f141ed6b
Under DOS, inet_peer_xrlim_allow() might be called millions
of times per second from different cpus.
Make sure to write over peer->rate_tokens and peer->rate_last
only when really needed.
Note the inherent races of this function are still there,
we do not care of precise ICMP rate limiting.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://patch.msgid.link/20241219150330.3159027-1-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
inetpeer: do not get a refcount in inet_getpeer()2024-12-18T03:37:48+00:00Eric Dumazetedumazet@google.com2024-12-15T17:56:29+00:00urn:sha1:a853c609504e2d1d83e71285e3622fda1f1451d8
All inet_getpeer() callers except ip4_frag_init() don't need
to acquire a permanent refcount on the inetpeer.
They can switch to full RCU protection.
Move the refcount_inc_not_zero() into ip4_frag_init(),
so that all the other callers no longer have to
perform a pair of expensive atomic operations on
a possibly contended cache line.
inet_putpeer() no longer needs to be exported.
After this patch, my DUT can receive 8,400,000 UDP packets
per second targeting closed ports, using 50% less cpu cycles
than before.
Also change two calls to l3mdev_master_ifindex() by
l3mdev_master_ifindex_rcu() (Ido ideas)
Fixes: 8c2bd38b95f7 ("icmp: change the order of rate limits")
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241215175629.1248773-5-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
inetpeer: update inetpeer timestamp in inet_getpeer()2024-12-18T03:37:00+00:00Eric Dumazetedumazet@google.com2024-12-15T17:56:28+00:00urn:sha1:50b362f21d6c10b0f7939c1482c6a1b43da82f1a
inet_putpeer() will be removed in the following patch,
because we will no longer use refcounts.
Update inetpeer timestamp (p->dtime) at lookup time.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241215175629.1248773-4-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
inetpeer: remove create argument of inet_getpeer()2024-12-18T03:37:00+00:00Eric Dumazetedumazet@google.com2024-12-15T17:56:27+00:00urn:sha1:7a596a50c4a4eab946aec149171c72321b4934aa
All callers of inet_getpeer() want to create an inetpeer.
Signed-off-by: Eric Dumazet <edumazet@google.com>
Link: https://patch.msgid.link/20241215175629.1248773-3-edumazet@google.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
inetpeer: replace call_rcu by kfree_rcu for simple kmem_cache_free callback2024-10-15T17:50:21+00:00Julia LawallJulia.Lawall@inria.fr2024-10-13T20:16:50+00:00urn:sha1:bb5810d4236be8750505ffc9f74e2403e7e7d617
Since SLOB was removed and since
commit 6c6c47b063b5 ("mm, slab: call kvfree_rcu_barrier() from kmem_cache_destroy()"),
it is not necessary to use call_rcu when the callback only performs
kmem_cache_free. Use kfree_rcu() directly.
The changes were made using Coccinelle.
Signed-off-by: Julia Lawall <Julia.Lawall@inria.fr>
Reviewed-by: Eric Dumazet <edumazet@google.com>
Acked-by: Paul E. McKenney <paulmck@kernel.org>
Acked-by: Vlastimil Babka <vbabka@suse.cz>
Link: https://patch.msgid.link/20241013201704.49576-4-Julia.Lawall@inria.fr
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
net: ipv4: Simplify the allocation of slab caches in inet_initpeers2024-02-01T00:39:42+00:00Kunwu Chanchentao@kylinos.cn2024-01-30T09:22:55+00:00urn:sha1:57f2c6350f2d8d835def0a613a3d37c28d146102
commit 0a31bd5f2bbb ("KMEM_CACHE(): simplify slab cache creation")
introduces a new macro.
Use the new KMEM_CACHE() macro instead of direct kmem_cache_create
to simplify the creation of SLAB caches.
Signed-off-by: Kunwu Chan <chentao@kylinos.cn>
Reviewed-by: Jiri Pirko <jiri@nvidia.com>
Link: https://lore.kernel.org/r/20240130092255.73078-1-chentao@kylinos.cn
Signed-off-by: Jakub Kicinski <kuba@kernel.org>