Re: [PATCH net-next] sock: Correct error checking condition for assign|release_proto_idx()
From: Eric Dumazet
Date: Tue Apr 08 2025 - 15:11:10 EST
On Tue, Apr 8, 2025 at 3:43 PM Zijun Hu <zijun_hu@xxxxxxxxxx> wrote:
>
> From: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
>
> assign|release_proto_idx() wrongly check find_first_zero_bit() failure
> by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously.
>
> Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)'
> Also check @->inuse_idx before accessing @->val[] to avoid OOB.
>
> Fixes: 13ff3d6fa4e6 ("[SOCK]: Enumerate struct proto-s to facilitate percpu inuse accounting (v2).")
> Signed-off-by: Zijun Hu <quic_zijuhu@xxxxxxxxxxx>
> ---
> include/net/sock.h | 5 ++++-
> net/core/sock.c | 7 +++++--
> 2 files changed, 9 insertions(+), 3 deletions(-)
>
> diff --git a/include/net/sock.h b/include/net/sock.h
> index 8daf1b3b12c607d81920682139b53fee935c9bb5..9ece93a3dd044997276b0fa37dddc7b5bbdacc43 100644
> --- a/include/net/sock.h
> +++ b/include/net/sock.h
> @@ -1421,7 +1421,10 @@ struct prot_inuse {
> static inline void sock_prot_inuse_add(const struct net *net,
> const struct proto *prot, int val)
> {
> - this_cpu_add(net->core.prot_inuse->val[prot->inuse_idx], val);
> + unsigned int idx = prot->inuse_idx;
> +
> + if (likely(idx < PROTO_INUSE_NR))
> + this_cpu_add(net->core.prot_inuse->val[idx], val);
> }
I do not think we are going to add such a test in the fast path, for a
bug that can not happen.
Please give us a reproducer ?