
inpcb: Fix reuseport lbgroup array resizing
Needs ReviewPublic

Authored by markj on Fri, Feb 21, 9:30 PM.
Tags
None
Referenced Files
F110749521: D49100.diff
Sat, Feb 22, 2:57 PM
F110749443: D49100.diff
Sat, Feb 22, 2:56 PM
F110734156: D49100.diff
Sat, Feb 22, 11:33 AM

Details

Reviewers
glebius
Summary

in_pcblisten() moves an inpcb from the per-group list into the array, at
which point it becomes visible to inpcb lookups in the datapath. It
assumes that there is space in the array for this, but that's not
guaranteed, since in_pcbinslbgrouphash() doesn't reserve space in the
array if the inpcb isn't associated with a listening socket.

We could resize the array in in_pcblisten(), but that would introduce a
failure case where there currently is none. Instead, keep track of the
number of pending inpcbs as well, and modify in_pcbinslbgrouphash() to
reserve space for each pending (i.e., not-yet-listening) inpcb.

Reported by: netchild
Fixes: 7cbb6b6e28db ("inpcb: Close some SO_REUSEPORT_LB races, part 2")
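A small model of the accounting described above, added here as an illustration and not code from the FreeBSD tree: `lbgroup_insert()` and `lbgroup_listen()` are hypothetical stand-ins for in_pcbinslbgrouphash() and in_pcblisten(), the `fix` flag switches between the old behaviour (reserve only for listening inpcbs) and the fixed one (reserve for pending inpcbs too), and `scenario()` replays the "size 16 and count 16" report.

```c
/* Hypothetical model (not FreeBSD kernel code) of the lbgroup accounting in
 * the summary: listening inpcbs fill a lookup array, pending ones are counted. */
#include <stdlib.h>

struct lbgroup {
	size_t size, count, pending; /* array slots, visible inpcbs, pending */
	int *array;                  /* stand-in for the inpcb pointer array */
};

/* in_pcbinslbgrouphash() analogue: with fix == 0 the array grows only for
 * listening inpcbs (the bug); with fix != 0 a slot is reserved per pending one. */
static int lbgroup_insert(struct lbgroup *g, int listening, int fix)
{
	size_t needed = fix ? g->count + g->pending + 1 : g->count + !!listening;
	if (needed > g->size) {
		int *na = realloc(g->array, needed * sizeof(int));
		if (na == NULL)
			return (-1);
		g->array = na;
		g->size = needed;
	}
	if (listening)
		g->array[g->count++] = 1;
	else
		g->pending++;
	return (0);
}
/* in_pcblisten() analogue, which has no failure path. Returns -1 where the
 * kernel would trip the KASSERT ("invalid local group size N and count N"). */
static int lbgroup_listen(struct lbgroup *g)
{
	if (g->pending == 0 || g->count >= g->size)
		return (-1);
	g->pending--;
	g->array[g->count++] = 1;
	return (0);
}
/* netchild's report replayed: 16 listeners fill a 16-slot array, then a
 * pending inpcb is inserted and made to listen. Returns 0 only when safe. */
static int scenario(int fix)
{
	struct lbgroup g = { 0, 0, 0, NULL };
	int rc = 0;
	for (int i = 0; i < 17 && rc == 0; i++)
		rc = lbgroup_insert(&g, i < 16, fix);
	if (rc == 0)
		rc = lbgroup_listen(&g);
	free(g.array);
	return (rc);
}
```

With the old accounting `scenario(0)` reaches the full-array state the KASSERT reports; with the fix `scenario(1)` finds the slot already reserved.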

Diff Detail

Repository
rG FreeBSD src repository
Lint
Lint Skipped
Unit
Tests Skipped
Build Status
Buildable 62577
Build 59461: arc lint + arc unit

Event Timeline

markj requested review of this revision. Fri, Feb 21, 9:30 PM

How does this manifest itself? It writes beyond the array, I guess. Could this be the fix to the syzkaller panic reported today?

This revision is now accepted and ready to land. Sat, Feb 22, 1:54 AM

In my case I got
panic: invalid local group size 16 and count 16

How does this manifest itself? It writes beyond the array, I guess. Could this be the fix to the syzkaller panic reported today?

Yes, or it's caught by the KASSERT check in in_pcblbgroup_insert().

I don't think it's related to the syzkaller panic: we would see this assertion failure instead, and in the logs for those panics I see no use of SO_REUSEPORT_LB.

Add a regression test case which triggers the bug.

This revision now requires review to proceed. Sat, Feb 22, 2:39 PM