> From: Kuniyuki Iwashima
> Sent: 27 February 2024 01:11
> Subject: [PATCH v2 net 3/5] net: Convert @kern of __sock_create() to enum.

Should probably be (something like):
    Allow __sock_create() to create kernel sockets that hold a reference to the network namespace.

> Historically, syzbot has reported many use-after-free of struct
> net by kernel sockets.
>
> In most cases, the root cause was a timer kicked by a kernel socket
> which does not hold netns refcount nor clean it up during netns
> dismantle.
>
> This patch converts the @kern argument of __sock_create() to enum
> so that we can pass SOCKET_KERN_NET_REF and later sk_alloc() can
> hold refcount of net for kernel sockets.

I think you should add a 'hold netns' parameter to sock_create_kern().

Indeed, that is likely to be used for a real connection (which would need
the 'hold netns') and code that doesn't need it (because the socket is some
internal housekeeping socket) could directly call __sock_create().

Fortunately both functions are exported non-gpl.

I've this comment in a driver...

	/* sock_create_kern() creates a socket that doesn't hold a reference
	 * to the namespace (they get used for sockets needed by the protocol
	 * stack code itself).
	 * We need a socket that holds a reference to the namespace, so create
	 * a 'user' socket in a specific namespace.
	 * This adds an extra security check which we should pass because all the
	 * sockets are created by kernel threads.
	 */
	rval = __sock_create(net, family, type, protocol, sockp, 0);

	David

-
Registered Address Lakeside, Bramley Road, Mount Farm, Milton Keynes, MK1 1PT, UK
Registration No: 1397386 (Wales)
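The ordering problem the thread is about, as an added userspace model. This is not kernel code and is not taken from the patch or from David's driver: get_net()/put_net(), sock_create_kern() and __sock_create() are stand-ins with the same roles as the kernel functions, a "dismantled" flag stands in for the netns memory actually being freed, and the scenario (one user reference, a kernel socket with an armed timer, the user reference dropped before the socket is released) is constructed to show why a socket that does not pin the netns lets its timer run on a dead netns.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Added example: userspace model of the netns lifetime hazard discussed in
 * the thread. Not kernel code. The functions below are models of the kernel
 * API, and "dismantled" models memory that the kernel would have freed. */

struct net {
	int refcount;
	bool dismantled;              /* would be freed memory in the kernel */
};

struct sock {
	struct net *net;
	bool holds_net_ref;
	bool timer_pending;           /* a protocol timer armed on this socket */
};

static void get_net(struct net *n)
{
	n->refcount++;
}

/* Dropping the last reference starts netns dismantle. */
static void put_net(struct net *n)
{
	if (--n->refcount == 0)
		n->dismantled = true;
}

/* Model of sock_create_kern(): the socket does not pin the netns. The
 * subsystem owning it must tear it down itself during netns dismantle. */
static struct sock *model_sock_create_kern(struct net *n)
{
	struct sock *sk = calloc(1, sizeof(*sk));
	sk->net = n;
	return sk;
}

/* Model of __sock_create(net, ..., kern=0) as in the driver comment above:
 * the socket is treated like a user socket and holds a netns reference. */
static struct sock *model_sock_create_holding_net(struct net *n)
{
	struct sock *sk = calloc(1, sizeof(*sk));
	sk->net = n;
	sk->holds_net_ref = true;
	get_net(n);
	return sk;
}

/* Timer callback: dereferences sk->net. Returns true if that touched a
 * dismantled netns, i.e. the use-after-free syzbot keeps reporting. */
static bool sock_timer_fire(struct sock *sk)
{
	sk->timer_pending = false;
	return sk->net->dismantled;
}

static void sock_release(struct sock *sk)
{
	if (sk->holds_net_ref)
		put_net(sk->net);
	free(sk);
}

struct outcome {
	bool timer_hit_dead_net;      /* UAF in the real kernel */
	bool net_alive_until_release; /* netns outlived the socket's timer */
};

/* Scenario (constructed): a netns held by one user reference; a kernel
 * socket in it arms a timer; the user reference goes away; the timer
 * fires; the socket is released last, nobody having cleaned it up during
 * dismantle. hold_net_ref selects which creation path the socket used. */
static struct outcome run_scenario(bool hold_net_ref)
{
	struct net n = { .refcount = 1, .dismantled = false };
	struct sock *sk = hold_net_ref ? model_sock_create_holding_net(&n)
	                               : model_sock_create_kern(&n);
	struct outcome o;

	sk->timer_pending = true;
	put_net(&n);                          /* last user reference dropped */
	o.timer_hit_dead_net = sock_timer_fire(sk);
	o.net_alive_until_release = !n.dismantled;
	sock_release(sk);                     /* drops the socket's ref, if any */
	return o;
}
```

With the reference held, dismantle cannot begin until sock_release() runs, which is the property the 'real connection' case needs; the flip side is that such a socket must actually be released, or the netns never goes away. A housekeeping socket created without the reference has to be torn down by its owner's pernet exit hook before the netns memory is freed.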