Jordan Rife wrote: > Callers of sock_sendmsg(), and similarly kernel_sendmsg(), in kernel > space may observe their value of msg_name change in cases where BPF > sendmsg hooks rewrite the send address. This has been confirmed to break > NFS mounts running in UDP mode and has the potential to break other > systems. > > This patch: > > 1) Creates a new function called __sock_sendmsg() with same logic as the > old sock_sendmsg() function. > 2) Replaces calls to sock_sendmsg() made by __sys_sendto() and > __sys_sendmsg() with __sock_sendmsg() to avoid an unnecessary copy, > as these system calls are already protected. > 3) Modifies sock_sendmsg() so that it makes a copy of msg_name if > present before passing it down the stack to insulate callers from > changes to the send address. > > Link: https://lore.kernel.org/netdev/20230912013332.2048422-1-jrife@xxxxxxxxxx/ > Fixes: 1cedee13d25a ("bpf: Hooks for sys_sendmsg") > Cc: stable@xxxxxxxxxxxxxxx > Signed-off-by: Jordan Rife <jrife@xxxxxxxxxx> Reviewed-by: Willem de Bruijn <willemb@xxxxxxxxxx>
