
inpcb: Fix reuseport lbgroup array resizing
Closed, Public

Authored by markj on Feb 21 2025, 9:30 PM.

Details

Summary

in_pcblisten() moves an inpcb from the per-group list into the array, at
which point it becomes visible to inpcb lookups in the datapath. It
assumes that there is space in the array for this, but that's not
guaranteed, since in_pcbinslbgrouphash() doesn't reserve space in the
array if the inpcb isn't associated with a listening socket.

We could resize the array in in_pcblisten(), but that would introduce a
failure case where there currently is none. Instead, keep track of the
number of pending inpcbs as well, and modify in_pcbinslbgrouphash() to
reserve space for each pending (i.e., not-yet-listening) inpcb.

Reported by: netchild
Fixes: 7cbb6b6e28db ("inpcb: Close some SO_REUSEPORT_LB races, part 2")
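The invariant at stake in the summary is that the group's array must hold a slot for every inpcb that can be promoted by in_pcblisten(), because that path has no way to fail. The following userland model is an added example written for this page; it is not FreeBSD's inpcb code, and the struct and function names (struct lbgroup, lbgroup_insert, lbgroup_listen, LBGROUP_INITIAL_SIZE) are simplified stand-ins for struct in_pcblbgroup, in_pcbinslbgrouphash() and in_pcblisten(). A flag selects the behaviour before the fix (space reserved only for listening inpcbs) and after it (the pending count is tracked and a slot is reserved for each pending inpcb at insert time). The small initial capacity is an assumption chosen to make the failure easy to reach.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>

#define LBGROUP_INITIAL_SIZE 2  /* assumed small capacity so the bug is easy to hit */

/* Stand-in for an inpcb bound into a SO_REUSEPORT_LB group. */
struct pcb {
    int id;
    bool listening;
    struct pcb *next;           /* link on the group's pending list */
};

/* Stand-in for struct in_pcblbgroup. */
struct lbgroup {
    struct pcb **ports;         /* array the datapath lookup indexes into */
    size_t inpcnt;              /* listening inpcbs stored in ports[] */
    size_t pendcnt;             /* bound-but-not-listening inpcbs on `pending` */
    size_t inpsiz;              /* capacity of ports[] */
    struct pcb *pending;
    bool reserve_pending;       /* false = before the fix, true = after it */
};

struct lbgroup *lbgroup_alloc(bool reserve_pending) {
    struct lbgroup *g = calloc(1, sizeof(*g));
    if (g == NULL) return NULL;
    g->reserve_pending = reserve_pending;
    return g;
}

void lbgroup_free(struct lbgroup *g) { if (g != NULL) { free(g->ports); free(g); } }

/* Make ports[] able to hold at least `need` entries (doubling growth). May fail. */
static bool lbgroup_reserve(struct lbgroup *g, size_t need) {
    size_t newsiz;
    struct pcb **np;
    if (need <= g->inpsiz) return true;
    newsiz = g->inpsiz ? g->inpsiz : LBGROUP_INITIAL_SIZE;
    while (newsiz < need) newsiz *= 2;
    np = realloc(g->ports, newsiz * sizeof(*np));
    if (np == NULL) return false;
    g->ports = np;
    g->inpsiz = newsiz;
    return true;
}

/* Model of in_pcbinslbgrouphash(): runs at bind time, and is allowed to fail. */
bool lbgroup_insert(struct lbgroup *g, struct pcb *p) {
    size_t need;
    if (g->reserve_pending)
        need = g->inpcnt + g->pendcnt + 1;          /* fixed: a slot per pending inpcb too */
    else
        need = p->listening ? g->inpcnt + 1 : 0;    /* pre-fix: nothing for a non-listener */
    if (!lbgroup_reserve(g, need)) return false;
    if (p->listening) {
        g->ports[g->inpcnt++] = p;
    } else {
        p->next = g->pending;
        g->pending = p;
        g->pendcnt++;
    }
    return true;
}

/*
 * Model of in_pcblisten(): move a pending inpcb into the array, at which point
 * the datapath can find it. There is no failure path, so a free slot must
 * already exist; -1 models the KASSERT that otherwise fires (the message
 * mirrors the "invalid local group size ... and count ..." panic quoted below).
 */
int lbgroup_listen(struct lbgroup *g, struct pcb *p) {
    struct pcb **pp;
    for (pp = &g->pending; *pp != NULL; pp = &(*pp)->next)
        if (*pp == p) break;
    if (*pp == NULL) return -1;                     /* not a pending member */
    if (g->inpcnt >= g->inpsiz) {
        fprintf(stderr, "invalid local group size %zu and count %zu\n",
                g->inpsiz, g->inpcnt);
        return -1;                                  /* would write past ports[] */
    }
    *pp = p->next;
    g->pendcnt--;
    p->listening = true;
    g->ports[g->inpcnt++] = p;
    return 0;
}

/*
 * Scenario: fill the array with listeners, bind one more socket into the group
 * without listening, then listen on it. Returns 0 if the promotion found a
 * slot, -1 if it hit the assertion.
 */
int run_scenario(bool reserve_pending) {
    struct pcb a = { .id = 1, .listening = true };
    struct pcb b = { .id = 2, .listening = true };
    struct pcb c = { .id = 3, .listening = false };
    struct lbgroup *g = lbgroup_alloc(reserve_pending);
    int rc = -1;
    if (g == NULL) return -1;
    if (lbgroup_insert(g, &a) && lbgroup_insert(g, &b) && lbgroup_insert(g, &c))
        rc = lbgroup_listen(g, &c);
    lbgroup_free(g);
    return rc;
}

int main(void) {
    printf("before fix: %d\n", run_scenario(false));   /* -1: no slot for c */
    printf("after fix:  %d\n", run_scenario(true));    /*  0: slot reserved at bind */
    return 0;
}
```

The point the model makes is where the allocation failure is allowed to surface: at bind time (lbgroup_insert can return false, as in_pcbinslbgrouphash() can return ENOMEM) rather than at listen time, where the real code has no error path and the datapath is about to start indexing the array.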

Diff Detail

Repository
rG FreeBSD src repository

Event Timeline

markj requested review of this revision. Feb 21 2025, 9:30 PM

How does this manifest itself? It writes beyond the array, I guess. Could this be the fix to the syzkaller panic reported today?

This revision is now accepted and ready to land. Feb 22 2025, 1:54 AM

In my case I got
panic: invalid local group size 16 and count 16

How does this manifest itself? It writes beyond the array, I guess. Could this be the fix to the syzkaller panic reported today?

Yes, or it's caught by the KASSERT check in in_pcblbgroup_insert().

I don't think it's related to the syzkaller panic: we would see this assertion failure instead, and in the logs for those panics I see no use of SO_REUSEPORT_LB.

Add a regression test case which triggers the bug.

This revision now requires review to proceed. Feb 22 2025, 2:39 PM
This revision is now accepted and ready to land. Feb 23 2025, 5:05 AM
This revision was automatically updated to reflect the committed changes.