From nobody Sun Jun 14 07:49:10 2026
Received: from mail-pj1-f48.google.com (mail-pj1-f48.google.com
 [209.85.216.48])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 7BF57362137
	for <linux-kernel@vger.kernel.org>; Fri,  1 May 2026 07:41:36 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org;
 arc=none smtp.client-ip=209.85.216.48
ARC-Seal: i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1777621297; cv=none;
 b=N/a8At2fUeRMpCLPXphQSahgK+AzDqvcqk5+lzj4lHiQANXExYMXbX+0S+SPW5X+n1cAQY4GqapmYRAa/2d0EI4tUBe5HjVOEA8JfRVVVvZoaIKTk4SjorjycMppPeAuEGIU43yGy0AswCZsJQRf5l+YDDK/7LItUGLVsX41ZC8=
ARC-Message-Signature: i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1777621297; c=relaxed/simple;
	bh=vYAz+GFVJG00m+N0rNeEFR8ISwPXEVv1wwb2oqmGd0U=;
	h=From:To:Cc:Subject:Date:Message-Id:MIME-Version;
 b=Riy2kpUBwT+E/QVD7XRR0OC3uhS98U6tbKByrQQY7+nm7KlkrEmDg5qGD3hVBhIXkWjaQ/kU8INHHurlP9umsadpbDSizEvfIw/D2lA7pdYatF9PMQ/HJX/sU71KaRLfyGVJipl8PIKW/7vT/vYuMj+NG4NOMK18CGeCMgncObU=
ARC-Authentication-Results: i=1; smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com;
 spf=pass smtp.mailfrom=gmail.com;
 dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b=ee4Wweie; arc=none smtp.client-ip=209.85.216.48
Authentication-Results: smtp.subspace.kernel.org;
 dmarc=pass (p=none dis=none) header.from=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
 spf=pass smtp.mailfrom=gmail.com
Authentication-Results: smtp.subspace.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com
 header.b="ee4Wweie"
Received: by mail-pj1-f48.google.com with SMTP id
 98e67ed59e1d1-35d99031e4eso1415506a91.1
        for <linux-kernel@vger.kernel.org>;
 Fri, 01 May 2026 00:41:36 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20251104; t=1777621296; x=1778226096;
 darn=vger.kernel.org;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:from:to:cc:subject:date:message-id:reply-to;
        bh=B6Y3sVzofFaYqh9OvqIh9FB2/uppgN0RArsWV/LlugY=;
        b=ee4WweieDAwtdiHg6xEhQOrzbzVn7W6kdBZV60PjuecJyDErAjjrqgxFWttFuzPOYh
         JxsmTCfGpGM209sZbRMjVHewUX8F9NTXIy6XWF+gPcwPx9jaM5YD24dz6HTbIPxCOtTx
         gPHJOBRTjnNn9uJhONFsLh2f9B6WB29TPXawKP7LFCenWvRoxlzKRvEZU4L7+JKwlavq
         bRgSKbhCpFR7xy5mlMH/9KVzRpQuEO/ue7r+/QWAiPVxAQNfvo8c2xwg7u3vn1Akd5sH
         I7Vh6kKDJQFJTFZ5+Sjg68qWZ+5EMcjp7P6NvFJOx0Tf/S3rXksq3il9+PG88803Pp8F
         nkRw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20251104; t=1777621296; x=1778226096;
        h=content-transfer-encoding:mime-version:message-id:date:subject:cc
         :to:from:x-gm-gg:x-gm-message-state:from:to:cc:subject:date
         :message-id:reply-to;
        bh=B6Y3sVzofFaYqh9OvqIh9FB2/uppgN0RArsWV/LlugY=;
        b=YXODaZggY/9MfZAfxhnBPtI+9Qn0RikqRF7u5I2wrl2YEWKPgPZZA+pqPSRvOhoQcx
         RrXpLMwq6rPOKlwibaa2POeFgRMRbqQXh0RvTc8vLAgLKvRLo/w9KH4zGr3++gNi8F2D
         s88Ekxo+j/+1R8G4GTN0yGH6W7NCX/oEoIpRPAvZf7dWVKGWzq8gPc8yjVcMhbLj47ZK
         OjH91kKPNyLzD8dp5Q8i2HGAlZpy9G8TfbIqhsXjJfUdqG3Vyh/cphI3Njooj2Wefvxk
         vzkMzD+BdHQG+VsasOPPpK8bZcP1RBrPDYZOwJyo92XuTQUcqeq+tllbn2Cr3fAc4JMp
         am6g==
X-Forwarded-Encrypted: i=1;
 AFNElJ+/bWZ2PSZQT9ub3SOUwgNumJ8hNyV7Jlzsvwpu3EPv2+HEKhyT2E0MyqI+ioxVV5mxsJ0vFqH1HpL94K4=@vger.kernel.org
X-Gm-Message-State: AOJu0YzotZ0jd1xyUf7jzn55JnfPN0cuE39eJ9wemg287faXl2PY96HW
	ySF8bCUB8JHuvWMYaY1027JhMD4+ggQBs1SvrSsFWyNBWhrB6xxDfZMd
X-Gm-Gg: AeBDietI2bUA2rTo2CCbzX7bTmCzBLQJrVibGspfifxDavLX2iXqY0wvWdQmYe2ycjM
	PZcsEMPrnWcI9KaOXocQo/zhin8ixRb1yPm+AA343XecTBSdNaVpL+2PvFGqGboonfgzsAu9Si1
	5Bbi2rRsuAiCZkrpZSZIH85Ol4cWwvKnmKJ3dJs2l9bwM404cg1m8RTWARyqsY9T/BE6x+GH7zE
	GgKj7nd/v+FtB6+V7D4EnFpOGxtdP/JUKURcjzFSEeaPeqGSEPuKDY9MU38dHYgX6Qz840tnaaM
	Lt4pFe69LbOcXdBi+ZWmooroMG3Pw0YwOdATR13C3TXsMdQVn6ITUNfrz/5cAARRdVc0td1W2tn
	as2Qja89uUx+TrgEWIs5/PMiTiJyxPb1dDI1E1lGb4IOV2Vep7S7LNnSg0MQuWWSv85JBfF9b11
	HNsiXMhLp5wQs1ZVqsFs0UFDaqL4p1pKJ5lZMiYZWw8hCKBhudYlHLkJKB
X-Received: by 2002:a17:90a:fc4f:b0:35e:58d3:3284 with SMTP id
 98e67ed59e1d1-364c2fec747mr6090438a91.9.1777621295742;
        Fri, 01 May 2026 00:41:35 -0700 (PDT)
Received: from csl-conti-dell7858.ntu.edu.sg ([155.69.195.57])
        by smtp.gmail.com with ESMTPSA id
 98e67ed59e1d1-364ebf12bcesm1502347a91.7.2026.05.01.00.41.32
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Fri, 01 May 2026 00:41:35 -0700 (PDT)
From: Maoyi Xie <maoyixie.tju@gmail.com>
X-Google-Original-From: Maoyi Xie <maoyi.xie@ntu.edu.sg>
To: netdev@vger.kernel.org
Cc: willemdebruijn.kernel@gmail.com,
	willemb@google.com,
	edumazet@google.com,
	pabeni@redhat.com,
	kuba@kernel.org,
	davem@davemloft.net,
	dsahern@kernel.org,
	kuznet@ms2.inr.ac.ru,
	linux-kernel@vger.kernel.org,
	stable@vger.kernel.org
Subject: [PATCH net v4] ipv6: flowlabel: enforce per-netns limit for
 unprivileged callers
Date: Fri,  1 May 2026 15:41:30 +0800
Message-Id: <20260501074130.3532402-1-maoyi.xie@ntu.edu.sg>
X-Mailer: git-send-email 2.34.1
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable
Content-Type: text/plain; charset="utf-8"

fl_size, fl_ht and ip6_fl_lock in net/ipv6/ip6_flowlabel.c are file
scope and shared across netns. mem_check() reads fl_size to decide
whether to deny non-CAP_NET_ADMIN callers; capable() runs against
init_user_ns, so an unprivileged user in any non-init userns can
push fl_size past FL_MAX_SIZE - FL_MAX_SIZE/4 and starve every
other unprivileged userns on the host.

Add struct netns_ipv6::flowlabel_count, bumped and decremented next
to fl_size in fl_intern, ip6_fl_gc and ip6_fl_purge. The new field
is placed in the existing 4-byte hole after ipmr_seq, so struct
netns_ipv6 stays the same size on 64-bit builds.

mem_check() folds an extra FL_MAX_SIZE/8 ceiling into the existing
non-CAP_NET_ADMIN conditional.

Bump FL_MAX_SIZE from 4096 to 8192. It has been 4096 since the file
was added; machines and connection counts have grown. The new
per-netns ceiling is then 1024 flowlabels, half of FL_MAX_SIZE/4.

CAP_NET_ADMIN against init_user_ns still bypasses both caps.

Fixes: 1da177e4c3f4 ("Linux-2.6.12-rc2")
Suggested-by: Willem de Bruijn <willemb@google.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
---
v4 (this submission, addressing v3 review by Willem):
    - rephrased the flowlabel_count placement note: dropped the
      flowlabel_has_excl cacheline argument; replaced with the
      simpler "fills the existing 4-byte hole after ipmr_seq" fact.
    - reordered atomic_dec(&...flowlabel_count) to sit immediately
      after atomic_dec(&fl_size) in ip6_fl_gc and ip6_fl_purge so
      the pairing is visually obvious. Both decs now happen before
      fl_free(fl) since fl_free invalidates fl->fl_net. fl_intern
      was already in this order.
v3: addressed Willem's review on the private security@ thread;
    merged FL_MAX_SIZE doubling, dropped test data, moved
    flowlabel_count near ipmr_seq, inlined fl->fl_net in ip6_fl_gc.
v2: per-netns counter + cap, sent to security@ as a 2-patch series.
v1: fix-shape sketch in original disclosure.

 include/net/netns/ipv6.h |  1 +
 net/ipv6/ip6_flowlabel.c | 14 ++++++++++----
 2 files changed, 11 insertions(+), 4 deletions(-)

diff --git a/include/net/netns/ipv6.h b/include/net/netns/ipv6.h
index 34bdb1308..329482373 100644
--- a/include/net/netns/ipv6.h
+++ b/include/net/netns/ipv6.h
@@ -119,6 +119,7 @@ struct netns_ipv6 {
 	struct fib_notifier_ops	*notifier_ops;
 	struct fib_notifier_ops	*ip6mr_notifier_ops;
 	unsigned int ipmr_seq; /* protected by rtnl_mutex */
+	atomic_t		flowlabel_count;
 	struct {
 		struct hlist_head head;
 		spinlock_t	lock;
diff --git a/net/ipv6/ip6_flowlabel.c b/net/ipv6/ip6_flowlabel.c
index c92f98c6f..360109cad 100644
--- a/net/ipv6/ip6_flowlabel.c
+++ b/net/ipv6/ip6_flowlabel.c
@@ -36,7 +36,7 @@
 /* FL hash table */
=20
 #define FL_MAX_PER_SOCK	32
-#define FL_MAX_SIZE	4096
+#define FL_MAX_SIZE	8192
 #define FL_HASH_MASK	255
 #define FL_HASH(l)	(ntohl(l)&FL_HASH_MASK)
=20
@@ -162,8 +162,9 @@ static void ip6_fl_gc(struct timer_list *unused)
 				ttd =3D fl->expires;
 				if (time_after_eq(now, ttd)) {
 					*flp =3D fl->next;
-					fl_free(fl);
 					atomic_dec(&fl_size);
+					atomic_dec(&fl->fl_net->ipv6.flowlabel_count);
+					fl_free(fl);
 					continue;
 				}
 				if (!sched || time_before(ttd, sched))
@@ -195,8 +196,9 @@ static void __net_exit ip6_fl_purge(struct net *net)
 			if (net_eq(fl->fl_net, net) &&
 			    atomic_read(&fl->users) =3D=3D 0) {
 				*flp =3D fl->next;
-				fl_free(fl);
 				atomic_dec(&fl_size);
+				atomic_dec(&net->ipv6.flowlabel_count);
+				fl_free(fl);
 				continue;
 			}
 			flp =3D &fl->next;
@@ -245,6 +247,7 @@ static struct ip6_flowlabel *fl_intern(struct net *net,
 	fl->next =3D fl_ht[FL_HASH(fl->label)];
 	rcu_assign_pointer(fl_ht[FL_HASH(fl->label)], fl);
 	atomic_inc(&fl_size);
+	atomic_inc(&net->ipv6.flowlabel_count);
 	spin_unlock_bh(&ip6_fl_lock);
 	rcu_read_unlock();
 	return NULL;
@@ -464,6 +467,7 @@ fl_create(struct net *net, struct sock *sk, struct in6_=
flowlabel_req *freq,
=20
 static int mem_check(struct sock *sk)
 {
+	struct net *net =3D sock_net(sk);
 	int room =3D FL_MAX_SIZE - atomic_read(&fl_size);
 	struct ipv6_fl_socklist *sfl;
 	int count =3D 0;
@@ -478,7 +482,9 @@ static int mem_check(struct sock *sk)
=20
 	if (room <=3D 0 ||
 	    ((count >=3D FL_MAX_PER_SOCK ||
-	      (count > 0 && room < FL_MAX_SIZE/2) || room < FL_MAX_SIZE/4) &&
+	      (count > 0 && room < FL_MAX_SIZE/2) ||
+	      room < FL_MAX_SIZE/4 ||
+	      atomic_read(&net->ipv6.flowlabel_count) >=3D FL_MAX_SIZE/8) &&
 	     !capable(CAP_NET_ADMIN)))
 		return -ENOBUFS;
=20
--=20
2.34.1