[PATCH net-next] sock: Correct error checking condition for assign|release_proto_idx()

From: Zijun Hu
Date: Tue Apr 08 2025 - 09:50:24 EST

Next message: Alexander Lobakin: "Re: [PATCH net-next 11/16] idpf: prepare structures to support XDP"
Previous message: Sascha Hauer: "Re: [PATCH 2/3] clk: add TI CDCE6214 clock driver"
Next in thread: Kuniyuki Iwashima: "Re: [PATCH net-next] sock: Correct error checking condition for assign|release_proto_idx()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>

assign|release_proto_idx() wrongly check find_first_zero_bit() failure
by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously.

Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)'
Also check @->inuse_idx before accessing @->val[] to avoid OOB.

Fixes: 13ff3d6fa4e6 ("[SOCK]: Enumerate struct proto-s to facilitate percpu inuse accounting (v2).")
Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
---
include/net/sock.h | 5 ++++-
net/core/sock.c | 7 +++++--
2 files changed, 9 insertions(+), 3 deletions(-)

diff --git a/include/net/sock.h b/include/net/sock.h
index 8daf1b3b12c607d81920682139b53fee935c9bb5..9ece93a3dd044997276b0fa37dddc7b5bbdacc43 100644
--- a/include/net/sock.h
+++ b/include/net/sock.h
@@ -1421,7 +1421,10 @@ struct prot_inuse {
static inline void sock_prot_inuse_add(const struct net *net,
const struct proto *prot, int val)
{
- this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
+ unsigned int idx = prot->inuse_idx;
+
+ if (likely(idx < PROTO_INUSE_NR))
+ this_cpu_add(net->core.prot_inuse->val[idx], val);
}

static inline void sock_inuse_add(const struct net *net, int val)
diff --git a/net/core/sock.c b/net/core/sock.c
index 323892066def8ba517ff59f98f2e4ab47edd4e63..92f4618c576a3120bcc8e9d03d36738b77447360 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3948,6 +3948,9 @@ int sock_prot_inuse_get(struct net *net, struct proto *prot)
int cpu, idx = prot->inuse_idx;
int res = 0;

+ if (unlikely(idx >= PROTO_INUSE_NR))
+ return 0;
+
for_each_possible_cpu(cpu)
res += per_cpu_ptr(net->core.prot_inuse, cpu)->val[idx];

@@ -3999,7 +4002,7 @@ static int assign_proto_idx(struct proto *prot)
{
prot->inuse_idx = find_first_zero_bit(proto_inuse_idx, PROTO_INUSE_NR);

- if (unlikely(prot->inuse_idx == PROTO_INUSE_NR - 1)) {
+ if (unlikely(prot->inuse_idx == PROTO_INUSE_NR)) {
pr_err("PROTO_INUSE_NR exhausted\n");
return -ENOSPC;
}
@@ -4010,7 +4013,7 @@ static int assign_proto_idx(struct proto *prot)

static void release_proto_idx(struct proto *prot)
{
- if (prot->inuse_idx != PROTO_INUSE_NR - 1)
+ if (prot->inuse_idx != PROTO_INUSE_NR)
clear_bit(prot->inuse_idx, proto_inuse_idx);
}
#else

---
base-commit: 34a07c5b257453b5fcadc2408719c7b075844014
change-id: 20250405-fix_net-3e8364d302ff

Best regards,
--
Zijun Hu <quic_zijuhu@xxxxxxxxxxx>

Next message: Alexander Lobakin: "Re: [PATCH net-next 11/16] idpf: prepare structures to support XDP"
Previous message: Sascha Hauer: "Re: [PATCH 2/3] clk: add TI CDCE6214 clock driver"
Next in thread: Kuniyuki Iwashima: "Re: [PATCH net-next] sock: Correct error checking condition for assign|release_proto_idx()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]