releases/6.6.72/sctp-sysctl-auth_enable-avoid-using-current-nsproxy.patch - pub/scm/linux/kernel/git/stable/stable-queue - Git at Google

 From 15649fd5415eda664ef35780c2013adeb5d9c695 Mon Sep 17 00:00:00 2001
 From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
 Date: Wed, 8 Jan 2025 16:34:34 +0100
 Subject: sctp: sysctl: auth_enable: avoid using current->nsproxy

 From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

 commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream.

 As mentioned in a previous commit of this series, using the 'net'
 structure via 'current' is not recommended for different reasons:

 - Inconsistency: getting info from the reader's/writer's netns vs only
   from the opener's netns.

 - current->nsproxy can be NULL in some cases, resulting in an 'Oops'
   (null-ptr-deref), e.g. when the current task is exiting, as spotted by
   syzbot [1] using acct(2).

 The 'net' structure can be obtained from the table->data using
 container_of().

 Note that table->data could also be used directly, but that would
 increase the size of this fix, while 'sctp.ctl_sock' still needs to be
 retrieved from 'net' structure.

 Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
 Cc: stable@vger.kernel.org
 Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
 Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
 Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
 Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org
 Signed-off-by: Jakub Kicinski <kuba@kernel.org>
 Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
 ---
  net/sctp/sysctl.c |    2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

 --- a/net/sctp/sysctl.c
 +++ b/net/sctp/sysctl.c
 @@ -503,7 +503,7 @@ static int proc_sctp_do_alpha_beta(struc
  static int proc_sctp_do_auth(struct ctl_table *ctl, int write,
  			     void *buffer, size_t *lenp, loff_t *ppos)
  {
 -	struct net *net = current->nsproxy->net_ns;
 +	struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
  	struct ctl_table tbl;
  	int new_value, ret;
	From 15649fd5415eda664ef35780c2013adeb5d9c695 Mon Sep 17 00:00:00 2001
	From: "Matthieu Baerts (NGI0)" <matttbe@kernel.org>
	Date: Wed, 8 Jan 2025 16:34:34 +0100
	Subject: sctp: sysctl: auth_enable: avoid using current->nsproxy

	From: Matthieu Baerts (NGI0) <matttbe@kernel.org>

	commit 15649fd5415eda664ef35780c2013adeb5d9c695 upstream.

	As mentioned in a previous commit of this series, using the 'net'
	structure via 'current' is not recommended for different reasons:

	- Inconsistency: getting info from the reader's/writer's netns vs only
	from the opener's netns.

	- current->nsproxy can be NULL in some cases, resulting in an 'Oops'
	(null-ptr-deref), e.g. when the current task is exiting, as spotted by
	syzbot [1] using acct(2).

	The 'net' structure can be obtained from the table->data using
	container_of().

	Note that table->data could also be used directly, but that would
	increase the size of this fix, while 'sctp.ctl_sock' still needs to be
	retrieved from 'net' structure.

	Fixes: b14878ccb7fa ("net: sctp: cache auth_enable per endpoint")
	Cc: stable@vger.kernel.org
	Link: https://lore.kernel.org/67769ecb.050a0220.3a8527.003f.GAE@google.com [1]
	Suggested-by: Al Viro <viro@zeniv.linux.org.uk>
	Signed-off-by: Matthieu Baerts (NGI0) <matttbe@kernel.org>
	Link: https://patch.msgid.link/20250108-net-sysctl-current-nsproxy-v1-6-5df34b2083e8@kernel.org
	Signed-off-by: Jakub Kicinski <kuba@kernel.org>
	Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	---
	net/sctp/sysctl.c \| 2 +-
	1 file changed, 1 insertion(+), 1 deletion(-)

	--- a/net/sctp/sysctl.c
	+++ b/net/sctp/sysctl.c
	@@ -503,7 +503,7 @@ static int proc_sctp_do_alpha_beta(struc
	static int proc_sctp_do_auth(struct ctl_table *ctl, int write,
	void buffer, size_t lenp, loff_t *ppos)
	{
	- struct net *net = current->nsproxy->net_ns;
	+ struct net *net = container_of(ctl->data, struct net, sctp.auth_enable);
	struct ctl_table tbl;
	int new_value, ret;