Page MenuHomeFreeBSD
Differential D49100

inpcb: Fix reuseport lbgroup array resizing
AcceptedPublic
Actions

Authored by markj on Fri, Feb 21, 9:30 PM.

Details

Reviewers
glebius
Summary

in_pcblisten() moves an inpcb from the per-group list into the array, at
which point it becomes visible to inpcb lookups in the datapath. It
assumes that there is space in the array for this, but that's not
guaranteed, since in_pcbinslbgrouphash() doesn't reserve space in the
array if the inpcb isn't associated with a listening socket.

We could resize the array in in_pcblisten(), but that would introduce a
failure case where there currently is none. Instead, keep track of the
number of pending inpcbs as well, and modify in_pcbinslbgrouphash() to
reserve space for each pending (i.e., not-yet-listening) inpcb.

Reported by: netchild
Fixes: 7cbb6b6e28db ("inpcb: Close some SO_REUSEPORT_LB races, part 2")

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 62577
Build 59461: arc lint + arc unit

Event Timeline

markj created this revision.Fri, Feb 21, 9:30 PM
Herald added subscribers: melifaro, imp. · View Herald TranscriptFri, Feb 21, 9:30 PM
markj requested review of this revision.Fri, Feb 21, 9:30 PM
Harbormaster completed remote builds in B62577: Diff 151317.Fri, Feb 21, 9:30 PM
glebius accepted this revision.Sat, Feb 22, 1:54 AM

How does this manifests self? It writes beyond array, I guess. Could this be the fix to the syzkaller panic reported today?

This revision is now accepted and ready to land.Sat, Feb 22, 1:54 AM
netchild added a subscriber: netchild.Sat, Feb 22, 11:02 AM

In my case I got
panic: invalid local group size 16 and count 16

Revision Contents
Changeset List

PathSize
sys/
netinet/
7 lines
1 line

Diff 151317

View Options

sys/netinet/in_pcb.c

Loading...
View Options

sys/netinet/in_pcb_var.h

Loading...