public inbox for netdev@vger.kernel.org 
From: Willem de Bruijn <willemdebruijn.kernel@gmail•com>
To: Kyle Zeng <kylebot@openai•com>,  netdev@vger•kernel.org
Cc: Kuniyuki Iwashima <kuniyu@google•com>,  Kyle Zeng <kylebot@openai•com>
Subject: Re: [PATCH net] net: guard timestamp cmsgs to real error queue skbs
Date: Mon, 08 Jun 2026 17:00:00 -0400
Message-ID: <willemdebruijn.kernel.fb60798ea1d4@gmail.com>
In-Reply-To: <20260607021819.49698-1-kylebot@openai.com>

Kyle Zeng wrote:
> skb_is_err_queue() treats PACKET_OUTGOING as the sole marker for an skb
> from sk_error_queue. That assumption is not true for AF_PACKET sockets:
> outgoing packet taps are also delivered to packet sockets with
> skb->pkt_type == PACKET_OUTGOING, but their skb->cb is owned by AF_PACKET
> instead of struct sock_exterr_skb.
> 
> If such an skb is received with timestamping enabled, the generic
> timestamp cmsg path can read AF_PACKET control-buffer state as
> sock_exterr_skb::opt_stats. With SO_RXQ_OVFL enabled, the packet drop
> counter overlaps opt_stats. An odd drop count makes the path emit
> SCM_TIMESTAMPING_OPT_STATS with skb->len and skb->data. For non-linear
> skbs this copies past the linear head and can trigger hardened usercopy or
> disclose adjacent heap contents.
> 
> Keep skb_is_err_queue() local to net/socket.c, but make it verify that
> the PACKET_OUTGOING marker is paired with the sock_rmem_free destructor
> installed by sock_queue_err_skb(). AF_PACKET receive skbs use normal
> receive ownership and no longer pass as error-queue skbs, while legitimate
> sk_error_queue entries keep the PACKET_OUTGOING marker and sock_rmem_free
> ownership.
> 
> Fixes: 8605330aac5a ("tcp: fix SCM_TIMESTAMPING_OPT_STATS for normal skbs")
> Signed-off-by: Kyle Zeng <kylebot@openai•com>

Reviewed-by: Willem de Bruijn <willemb@google•com>
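
The confusion described in the quoted commit message, as an added userspace model (not code from the patch or the kernel). All `model_*`/`MODEL_*` names and `sample_emits()` are hypothetical, and the one-word `cb` union is a simplification in which the flag is the low bit of the shared word, mirroring the "odd drop count" condition.

```c
#include <stdbool.h>
#include <stdint.h>

/* Userspace model only: simplified stand-ins, not the kernel's real layouts. */
#define MODEL_PACKET_OUTGOING 4 /* same value as PACKET_OUTGOING */
#define MODEL_OPT_STATS 0x1u    /* stand-in for sock_exterr_skb::opt_stats */

struct model_skb {
    uint8_t pkt_type;
    void (*destructor)(struct model_skb *);
    union {                     /* one scratch area; meaning depends on owner */
        uint32_t exterr_flags;  /* error-queue view */
        uint32_t rxq_dropcount; /* AF_PACKET view with SO_RXQ_OVFL */
    } cb;
};

/* Two owners; bodies differ so the functions can never share an address. */
static void model_sock_rmem_free(struct model_skb *skb) { skb->cb.exterr_flags = 0; }
static void model_rx_free(struct model_skb *skb) { skb->pkt_type = 0; }

/* Pre-patch check: the pkt_type marker alone. */
static bool is_errq_old(const struct model_skb *skb)
{
    return skb->pkt_type == MODEL_PACKET_OUTGOING;
}

/* Check described in the patch: marker paired with the error-queue destructor. */
static bool is_errq_new(const struct model_skb *skb)
{
    return skb->pkt_type == MODEL_PACKET_OUTGOING &&
           skb->destructor == model_sock_rmem_free;
}

/* Would the timestamp cmsg path read cb as opt_stats and emit the cmsg? */
static bool emits_opt_stats(const struct model_skb *skb, bool patched)
{
    bool errq = patched ? is_errq_new(skb) : is_errq_old(skb);
    return errq && (skb->cb.exterr_flags & MODEL_OPT_STATS) != 0;
}

/* Constructed sample skb: from_errq picks the owner, cb_word is what it stored. */
static bool sample_emits(bool from_errq, uint32_t cb_word, bool patched)
{
    struct model_skb skb = { MODEL_PACKET_OUTGOING,
                             from_errq ? model_sock_rmem_free : model_rx_free, { 0 } };
    skb.cb.rxq_dropcount = cb_word; /* same storage as exterr_flags */
    return emits_opt_stats(&skb, patched);
}

int main(void) { return sample_emits(false, 3, true) ? 1 : 0; } /* exits 0 */
```

In this model a tap skb with an odd drop count passes the old check and fails the new one, while an error-queue skb behaves the same under both.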

Thread overview: 4+ messages
2026-06-07  2:18 [PATCH net] net: guard timestamp cmsgs to real error queue skbs Kyle Zeng
2026-06-08  3:20 ` Kuniyuki Iwashima
2026-06-08 10:26 ` Jason Xing
2026-06-08 21:00 ` Willem de Bruijn [this message]
