[PATCH net-next v2] sock: Correct error checking condition for (assign|release)_proto_idx()

Zijun Hu posted 1 patch 8 months, 1 week ago
net/core/sock.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
[PATCH net-next v2] sock: Correct error checking condition for (assign|release)_proto_idx()
Posted by Zijun Hu 8 months, 1 week ago
From: Zijun Hu <quic_zijuhu@quicinc.com>

(assign|release)_proto_idx() wrongly check find_first_zero_bit() failure
by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously.

Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)'

Fixes: 13ff3d6fa4e6 ("[SOCK]: Enumerate struct proto-s to facilitate percpu inuse accounting (v2).")
Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
---
Changes in v2:
- Remove @prot->inuse_idx checks in fastpath
- Correct title and commit message
- Link to v1: https://lore.kernel.org/r/20250408-fix_net-v1-1-375271a79c11@quicinc.com
---
 net/core/sock.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/core/sock.c b/net/core/sock.c
index 323892066def8ba517ff59f98f2e4ab47edd4e63..e2c3c4bd9cd915706678137d98a15ca8c1a35cb8 100644
--- a/net/core/sock.c
+++ b/net/core/sock.c
@@ -3999,7 +3999,7 @@ static int assign_proto_idx(struct proto *prot)
 {
 	prot->inuse_idx = find_first_zero_bit(proto_inuse_idx, PROTO_INUSE_NR);
 
-	if (unlikely(prot->inuse_idx == PROTO_INUSE_NR - 1)) {
+	if (unlikely(prot->inuse_idx == PROTO_INUSE_NR)) {
 		pr_err("PROTO_INUSE_NR exhausted\n");
 		return -ENOSPC;
 	}
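Review bot: The commit message does not say what the old comparison actually did, and the new test at `if (unlikely(prot->inuse_idx == PROTO_INUSE_NR))` is only self-evident to a reader who knows that find_first_zero_bit() returns its size argument when no bit is clear. Please spell that out, and note that the old `PROTO_INUSE_NR - 1` test returned -ENOSPC when the last valid index was handed back, so readers can judge whether the Fixes: tag is warranted. On this error path prot->inuse_idx is left holding PROTO_INUSE_NR, which release_proto_idx() then depends on; a one-line comment here would make that coupling visible.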
@@ -4010,7 +4010,7 @@ static int assign_proto_idx(struct proto *prot)
 
 static void release_proto_idx(struct proto *prot)
 {
-	if (prot->inuse_idx != PROTO_INUSE_NR - 1)
+	if (prot->inuse_idx != PROTO_INUSE_NR)
 		clear_bit(prot->inuse_idx, proto_inuse_idx);
 }
 #else
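Review bot: The `!=` test in release_proto_idx() skips only the single sentinel value, so any other index at or above PROTO_INUSE_NR would still reach clear_bit(). Assuming inuse_idx is an unsigned field, `if (prot->inuse_idx < PROTO_INUSE_NR)` covers the sentinel left by the failing path of assign_proto_idx() and also bounds the index passed to clear_bit(). A short comment that PROTO_INUSE_NR here means "no slot was assigned" would document why the comparison exists.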

---
base-commit: 34a07c5b257453b5fcadc2408719c7b075844014
change-id: 20250405-fix_net-3e8364d302ff

Best regards,
-- 
Zijun Hu <quic_zijuhu@quicinc.com>
Re: [PATCH net-next v2] sock: Correct error checking condition for (assign|release)_proto_idx()
Posted by Kuniyuki Iwashima 8 months, 1 week ago
> [PATCH net-next v2] sock: Correct error checking condition for (assign|release)_proto_idx()

Maybe net instead of net-next ?


From: Zijun Hu <zijun_hu@icloud.com>
Date: Thu, 10 Apr 2025 09:01:27 +0800
> From: Zijun Hu <quic_zijuhu@quicinc.com>
> 
> (assign|release)_proto_idx() wrongly check find_first_zero_bit() failure
> by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously.
> 
> Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)'
> 
> Fixes: 13ff3d6fa4e6 ("[SOCK]: Enumerate struct proto-s to facilitate percpu inuse accounting (v2).")
> Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>

Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Re: [PATCH net-next v2] sock: Correct error checking condition for (assign|release)_proto_idx()
Posted by Zijun Hu 8 months, 1 week ago
On 2025/4/10 11:53, Kuniyuki Iwashima wrote:
>> [PATCH net-next v2] sock: Correct error checking condition for (assign|release)_proto_idx()
> Maybe net instead of net-next ?
> 

Either net or net-next is okay.

> 
> From: Zijun Hu <zijun_hu@icloud.com>
> Date: Thu, 10 Apr 2025 09:01:27 +0800
>> From: Zijun Hu <quic_zijuhu@quicinc.com>
>>
>> (assign|release)_proto_idx() wrongly check find_first_zero_bit() failure
>> by condition '(prot->inuse_idx == PROTO_INUSE_NR - 1)' obviously.
>>
>> Fix by correcting the condition to '(prot->inuse_idx == PROTO_INUSE_NR)'
>>
>> Fixes: 13ff3d6fa4e6 ("[SOCK]: Enumerate struct proto-s to facilitate percpu inuse accounting (v2).")
>> Signed-off-by: Zijun Hu <quic_zijuhu@quicinc.com>
> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Re: [PATCH net-next v2] sock: Correct error checking condition for (assign|release)_proto_idx()
Posted by Eric Dumazet 8 months, 1 week ago
On Thu, Apr 10, 2025 at 5:53 AM Kuniyuki Iwashima <kuniyu@amazon.com> wrote:
>
> > [PATCH net-next v2] sock: Correct error checking condition for (assign|release)_proto_idx()
>
> Maybe net instead of net-next ?
>

I think this is a minor change, I would not add a Fixes: tag and risk
another CVE for such a case that is never reached.

We do not have 63 protocols, getting to 64 limit is moot.

As a matter of fact, release_proto_idx(struct proto *prot) should
never hit the condition.