[PATCH v2] netlabel: fix RCU annotation for IPv4 options on socket creation

Paul Moore paul at paul-moore.com
Tue Apr 30 23:30:47 UTC 2024 

On Mon, Apr 29, 2024 at 6:10 AM Davide Caratti <dcaratti at redhat.com> wrote:
> On Thu, Apr 25, 2024 at 05:01:36PM -0400, Paul Moore wrote:
> > On Apr 24, 2024 Davide Caratti <dcaratti at redhat.com> wrote:

...

> > > @@ -1876,18 +1878,15 @@ int cipso_v4_sock_setattr(struct sock *sk,
> > >
> > >     sk_inet = inet_sk(sk);
> > >
> > > -   old = rcu_dereference_protected(sk_inet->inet_opt,
> > > -                                   lockdep_sock_is_held(sk));
> > > +   old = rcu_replace_pointer(sk_inet->inet_opt, opt, slock_held);
> > >     if (inet_test_bit(IS_ICSK, sk)) {
> > >             sk_conn = inet_csk(sk);
> > >             if (old)
> > >                     sk_conn->icsk_ext_hdr_len -= old->opt.optlen;
> > > -           sk_conn->icsk_ext_hdr_len += opt->opt.optlen;
> > > +           sk_conn->icsk_ext_hdr_len += opt_len;
> > >             sk_conn->icsk_sync_mss(sk, sk_conn->icsk_pmtu_cookie);
> > >     }
> > > -   rcu_assign_pointer(sk_inet->inet_opt, opt);
> > > -   if (old)
> > > -           kfree_rcu(old, rcu);
> > > +   kfree_rcu(old, rcu);
> >
> > Thanks for sticking with this and posting a v2.
> >
> > These changes look okay to me, but considering the 'Fixes:' tag and the
> > RCU splat it is reasonable to expect that this is going to be backported
> > to the various stable trees.  With that in mind, I think we should try
> > to keep the immediate fix as simple as possible, saving the other
> > changes for a separate patch.  This means sticking with
> > rcu_dereference_protected() and omitting the opt_len optimization; both
> > can be done in a second patch without the 'Fixes:' marking.
> >
> > Unless I missing something and those changes are somehow part of the
> > fix?
>
> just checked, rcu_replace_pointer() can be used also in the oldest LTS
> but I'm not sure if kfree_rcu(NULL, ...) is ok. I agree to keep
> rcu_dereference_protected(), and the useless NULL check - I will
> follow-up with another patch (targeting net-next), after this one is
> merged.

The issue isn't so much about if a particular function is available in
an older kernel, it is more about keeping the patch focused on a
single immediate purpose both to limit any unintended behaviors and
for the simple reason that smaller patches are almost always easier to
port by hand if needed.

-- 
paul-moore.com

More information about the Linux-security-module-archive mailing list