Patches "sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy" and "sctp: sysctl: auth_enable: avoid using current->nsproxy" have been mixed up when backported to 5.4. The `member` argument passed to `container_of` has been swapped in both proc_sctp_do_auth() and proc_sctp_do_hmac_alg(). For instance, accessing /proc/sys/net/sctp/cookie_hmac_alg can now cause a kernel oops. Fix this by reverting the wrong backports and re-applying them correctly.
Magali Lemes (2):
  Revert "sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy"
  Revert "sctp: sysctl: auth_enable: avoid using current->nsproxy"

Matthieu Baerts (NGI0) (2):
  sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
  sctp: sysctl: auth_enable: avoid using current->nsproxy

net/sctp/sysctl.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
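The failure mode described in the cover letter, as an added example that is not part of the original thread: a user-space C program showing that container_of() given the other sysctl's member returns a pointer that is not the owning structure. The struct layouts, the pool array and the helper names are constructed for illustration; only the member names sctp.sctp_hmac_alg and sctp.auth_enable come from the patches.

```c
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-ins; only the two member names come from the patches. */
struct netns_sctp {
	int   rto_initial;
	char *sctp_hmac_alg;	/* data of the cookie_hmac_alg sysctl */
	int   auth_enable;	/* data of the auth_enable sysctl */
};
struct net {
	long other_state[4];
	struct netns_sctp sctp;
};

/* Same arithmetic as the kernel macro, without its type checks. */
#define container_of(ptr, type, member) \
	((type *)((char *)(ptr) - offsetof(type, member)))

/* Correct pairing: data is &net->sctp.sctp_hmac_alg. */
static struct net *net_from_hmac_data(void *data)
{
	return container_of(data, struct net, sctp.sctp_hmac_alg);
}

/* Mixed-up pairing: same data pointer, auth_enable named as member. */
static struct net *net_from_hmac_data_swapped(void *data)
{
	return container_of(data, struct net, sctp.auth_enable);
}

/* Round-trip check: a correctly recovered net owns the data pointer. */
static int owns_hmac_data(struct net *net, void *data)
{
	return (void *)&net->sctp.sctp_hmac_alg == data;
}

/* Three adjacent instances keep the wrong result inside one array. */
static struct net pool[3];

int main(void)
{
	void *data = &pool[1].sctp.sctp_hmac_alg;
	struct net *bad = net_from_hmac_data_swapped(data);

	printf("correct owns data: %d, swapped owns data: %d, off by %td bytes\n",
	       owns_hmac_data(net_from_hmac_data(data), data),
	       owns_hmac_data(bad, data), (char *)bad - (char *)&pool[1]);
	return 0;
}
```

Because the data pointer is a void pointer, the compiler accepts either member; any later access through the swapped result reads fields at the wrong offset.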
This reverts commit 1031462a944ba0fa83c25ab1111465f8345b5589 as it was backported incorrectly. A subsequent commit will re-backport the original patch.
Signed-off-by: Magali Lemes magali.lemes@canonical.com
---
net/sctp/sysctl.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c index 7777c0096a38..3fc2fa57424b 100644 --- a/net/sctp/sysctl.c +++ b/net/sctp/sysctl.c @@ -441,8 +441,7 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { - struct net *net = container_of(ctl->data, struct net, - sctp.sctp_hmac_alg); + struct net *net = current->nsproxy->net_ns; struct ctl_table tbl; int new_value, ret;
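Review bot: the commit message says only that the backport was incorrect; it should name the defect visible in the removed lines, namely that proc_sctp_do_auth() passed sctp.sctp_hmac_alg as the container_of() member although this handler serves auth_enable. Stating that, and that this is a 5.4-only revert with no upstream equivalent, would also account for the helper bot's "Could not find matching upstream commit" warning for anyone reading the stable log later.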
[ Sasha's backport helper bot ]
Hi,
Summary of potential issues:
⚠️ Could not find matching upstream commit
No upstream commit was identified. Using temporary commit for testing.
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        | Success     | Success    |
This reverts commit 10c869a52f266e40f548cc3c565d14930a5edafc as it was backported incorrectly. A subsequent commit will re-backport the original patch.
Signed-off-by: Magali Lemes magali.lemes@canonical.com
---
net/sctp/sysctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c index 3fc2fa57424b..4ecd3857204d 100644 --- a/net/sctp/sysctl.c +++ b/net/sctp/sysctl.c @@ -326,7 +326,7 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { - struct net *net = container_of(ctl->data, struct net, sctp.auth_enable); + struct net *net = current->nsproxy->net_ns; struct ctl_table tbl; bool changed = false; char *none = "none";
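Review bot: with this revert and the previous one applied, both proc_sctp_do_hmac_alg() and proc_sctp_do_auth() dereference current->nsproxy->net_ns again, which the re-applied commits later in this series describe as possibly NULL, so the tree carries the original null-ptr-deref for the length of two commits. Say in the commit message that the four patches must land together, or consider a single fixup that only swaps the two member arguments (the cover letter's net diffstat is 3 insertions, 3 deletions) if bisecting through 5.4.y matters more than mirroring the upstream commits.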
[ Sasha's backport helper bot ]
Hi,
Summary of potential issues:
ℹ️ This is part 2/4 of a series
⚠️ Could not find matching upstream commit
No upstream commit was identified. Using temporary commit for testing.
NOTE: These results are for this patch alone. Full series testing will be performed when all parts are received.
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        | Success     | Success    |
From: "Matthieu Baerts (NGI0)" matttbe@kernel.org
commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream.
As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons:
- Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns.
- current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2).
The 'net' structure can be obtained from the table->data using container_of().
Note that table->data could also be used directly, as this is the only member needed from the 'net' structure, but that would increase the size of this fix, to use '*data' everywhere 'net->sctp.sctp_hmac_alg' is used.
Fixes: 3c68198e7511 ("sctp: Make hmac algorithm selection for cookie generation dynamic")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
Suggested-by: Al Viro viro@zeniv.linux.org.uk
Signed-off-by: Matthieu Baerts (NGI0) matttbe@kernel.org
Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083...
Signed-off-by: Jakub Kicinski kuba@kernel.org
Signed-off-by: Magali Lemes magali.lemes@canonical.com
---
net/sctp/sysctl.c | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c index 4ecd3857204d..4116b3cd83c2 100644 --- a/net/sctp/sysctl.c +++ b/net/sctp/sysctl.c @@ -326,7 +326,8 @@ static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { - struct net *net = current->nsproxy->net_ns; + struct net *net = container_of(ctl->data, struct net, + sctp.sctp_hmac_alg); struct ctl_table tbl; bool changed = false; char *none = "none";
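Review bot: nothing at build time checks that the member named in container_of(ctl->data, struct net, sctp.sctp_hmac_alg) matches what ctl->data points at, because ctl->data is a void pointer; that is how the swapped member in the earlier backport still got "Build Test: Success". Please confirm against the cookie_hmac_alg entry in sctp_net_table, which is outside this hunk, that its .data is the sctp_hmac_alg field, and record in the changelog that reading /proc/sys/net/sctp/cookie_hmac_alg was exercised on 5.4, since that is the access the cover letter reports as causing the oops.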
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: ea62dd1383913b5999f3d16ae99d411f41b528d4
WARNING: Author mismatch between patch and upstream commit:
Backport author: Magali Lemes magali.lemes@canonical.com
Commit author: Matthieu Baerts (NGI0) matttbe@kernel.org
Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (different SHA1: f0bb39354706)
6.6.y | Present (different SHA1: ad673e514b27)
6.1.y | Present (different SHA1: 3cd0659deb9c)
5.15.y | Present (different SHA1: 86ddf8118123)
5.10.y | Present (different SHA1: 03ca51faba2b)
Note: The patch differs from the upstream commit: --- 1: ea62dd1383913 ! 1: 0deb81ab0a4a2 sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy @@ Metadata ## Commit message ## sctp: sysctl: cookie_hmac_alg: avoid using current->nsproxy
+ commit ea62dd1383913b5999f3d16ae99d411f41b528d4 upstream. + As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons:
@@ Commit message Signed-off-by: Matthieu Baerts (NGI0) matttbe@kernel.org Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-4-5df34b2083... Signed-off-by: Jakub Kicinski kuba@kernel.org + Signed-off-by: Magali Lemes magali.lemes@canonical.com
## net/sctp/sysctl.c ## -@@ net/sctp/sysctl.c: static struct ctl_table sctp_net_table[] = { - static int proc_sctp_do_hmac_alg(const struct ctl_table *ctl, int write, - void *buffer, size_t *lenp, loff_t *ppos) +@@ net/sctp/sysctl.c: static int proc_sctp_do_hmac_alg(struct ctl_table *ctl, int write, + void __user *buffer, size_t *lenp, + loff_t *ppos) { - struct net *net = current->nsproxy->net_ns; + struct net *net = container_of(ctl->data, struct net, ---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        | Success     | Success    |
From: "Matthieu Baerts (NGI0)" matttbe@kernel.org
commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream.
As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons:
- Inconsistency: getting info from the reader's/writer's netns vs only from the opener's netns.
- current->nsproxy can be NULL in some cases, resulting in an 'Oops' (null-ptr-deref), e.g. when the current task is exiting, as spotted by syzbot [1] using acct(2).
The 'net' structure can be obtained from the table->data using container_of().
Note that table->data could also be used directly, but that would increase the size of this fix, while 'sctp.ctl_sock' still needs to be retrieved from 'net' structure.
Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
Cc: stable@vger.kernel.org
Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
Suggested-by: Al Viro viro@zeniv.linux.org.uk
Signed-off-by: Matthieu Baerts (NGI0) matttbe@kernel.org
Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083...
Signed-off-by: Jakub Kicinski kuba@kernel.org
Signed-off-by: Magali Lemes magali.lemes@canonical.com
---
net/sctp/sysctl.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/sctp/sysctl.c b/net/sctp/sysctl.c index 4116b3cd83c2..f6fe63f60acd 100644 --- a/net/sctp/sysctl.c +++ b/net/sctp/sysctl.c @@ -442,7 +442,7 @@ static int proc_sctp_do_auth(struct ctl_table *ctl, int write, void __user *buffer, size_t *lenp, loff_t *ppos) { - struct net *net = current->nsproxy->net_ns; + struct net *net = container_of(ctl->data, struct net, sctp.auth_enable); struct ctl_table tbl; int new_value, ret;
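Review bot: the commit message carries no backport note although the function signature in this hunk differs from upstream 15649fd5415e (5.4 has struct ctl_table *ctl and void __user *buffer where the helper bot's range-diff shows const struct ctl_table *ctl and void *buffer upstream). Add a bracketed line above your Signed-off-by recording that only the context was adjusted and that the member is sctp.auth_enable as in upstream, so the difference from the earlier, wrong 5.4 backport is on record.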
[ Sasha's backport helper bot ]
Hi,
✅ All tests passed successfully. No issues detected. No action required from the submitter.
The upstream commit SHA1 provided is correct: 15649fd5415eda664ef35780c2013adeb5d9c695
WARNING: Author mismatch between patch and upstream commit:
Backport author: Magali Lemes magali.lemes@canonical.com
Commit author: Matthieu Baerts (NGI0) matttbe@kernel.org
Status in newer kernel trees:
6.13.y | Present (exact SHA1)
6.12.y | Present (different SHA1: c184bc621e3c)
6.6.y | Present (different SHA1: 7ec30c54f339)
6.1.y | Present (different SHA1: 1b67030d39f2)
5.15.y | Present (different SHA1: bd2a29394235)
5.10.y | Present (different SHA1: dc583e7e5f85)
Note: The patch differs from the upstream commit: --- 1: 15649fd5415ed ! 1: 43321e75147b6 sctp: sysctl: auth_enable: avoid using current->nsproxy @@ Metadata ## Commit message ## sctp: sysctl: auth_enable: avoid using current->nsproxy
+ commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream. + As mentioned in a previous commit of this series, using the 'net' structure via 'current' is not recommended for different reasons:
@@ Commit message Signed-off-by: Matthieu Baerts (NGI0) matttbe@kernel.org Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083... Signed-off-by: Jakub Kicinski kuba@kernel.org + Signed-off-by: Magali Lemes magali.lemes@canonical.com
## net/sctp/sysctl.c ## -@@ net/sctp/sysctl.c: static int proc_sctp_do_alpha_beta(const struct ctl_table *ctl, int write, - static int proc_sctp_do_auth(const struct ctl_table *ctl, int write, - void *buffer, size_t *lenp, loff_t *ppos) +@@ net/sctp/sysctl.c: static int proc_sctp_do_auth(struct ctl_table *ctl, int write, + void __user *buffer, size_t *lenp, + loff_t *ppos) { - struct net *net = current->nsproxy->net_ns; + struct net *net = container_of(ctl->data, struct net, sctp.auth_enable); ---
Results of testing on various branches:
| Branch                    | Patch Apply | Build Test |
|---------------------------|-------------|------------|
| stable/linux-5.4.y        | Success     | Success    |
linux-stable-mirror@lists.linaro.org