mirror-linux/include/net
Maoyi Xie e68eadffb7 ipv6: flowlabel: enforce per-netns limit for unprivileged callers
fl_size, fl_ht and ip6_fl_lock in net/ipv6/ip6_flowlabel.c are
file scope and shared across netns. mem_check() reads fl_size to
decide whether to deny non-CAP_NET_ADMIN callers. capable() runs
against init_user_ns, so an unprivileged user in any non-init
userns can push fl_size past FL_MAX_SIZE - FL_MAX_SIZE / 4 and
starve every other unprivileged userns on the host.

Add struct netns_ipv6::flowlabel_count, bumped and decremented
next to fl_size in fl_intern, ip6_fl_gc and ip6_fl_purge. The new
field fills the existing 4-byte hole after ipmr_seq, so struct
netns_ipv6 stays the same size on 64-bit builds.

Bump FL_MAX_SIZE from 4096 to 8192. It has been 4096 since the
file was added. Machines and connection counts have grown.

mem_check() folds an extra per-netns ceiling into the existing
non-CAP_NET_ADMIN conditional. The ceiling is half of the total
budget that unprivileged callers have ever been able to use, i.e.
(FL_MAX_SIZE - FL_MAX_SIZE / 4) / 2 = 3072 entries. With
FL_MAX_SIZE doubled, this preserves the original per-user reach
of 3K (what an unprivileged caller could already obtain before
this change), while forcing an attacker to spread allocations
across at least two netns to exhaust the global non-CAP_NET_ADMIN
budget.

CAP_NET_ADMIN against init_user_ns still bypasses both caps.

The previous patch took ip6_fl_lock across mem_check and
fl_intern, so the new flowlabel_count read in mem_check and the
new flowlabel_count++ in fl_intern run under the same critical
section. flowlabel_count is therefore plain int, like fl_size.

Fixes: 1da177e4c3 ("Linux-2.6.12-rc2")
Suggested-by: Willem de Bruijn <willemb@google.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Cc: stable@vger.kernel.org # v5.15+
Signed-off-by: Maoyi Xie <maoyi.xie@ntu.edu.sg>
Link: https://patch.msgid.link/20260506082416.2259567-3-maoyixie.tju@gmail.com
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
2026-05-08 14:59:14 -07:00
9p 9p: document missing enum values in kernel-doc comments 2026-04-16 02:57:01 +00:00
bluetooth Bluetooth: l2cap: defer conn param update to avoid conn->lock/hdev->lock inversion 2026-05-06 16:20:51 -04:00
iucv treewide: Replace kmalloc with kmalloc_obj for non-scalar types 2026-02-21 01:02:28 -08:00
libeth libeth, idpf: use truesize as XDP RxQ info frag_size 2026-03-05 08:02:05 -08:00
mana net: mana: Fix crash from unvalidated SHM offset read from BAR0 during FLR 2026-05-05 15:43:08 +02:00
netfilter netfilter: flowtable: fix inline pppoe encapsulation in xmit path 2026-05-01 01:24:01 +02:00
netns ipv6: flowlabel: enforce per-netns limit for unprivileged callers 2026-05-08 14:59:14 -07:00
nfc nfc: nci: Fix race between rfkill and nci_unregister_device(). 2026-01-28 19:32:26 -08:00
page_pool net: Slightly simplify net_mp_{open,close}_rxq 2026-04-09 18:21:46 -07:00
phonet phonet: Convert phonet_routes.lock to spinlock_t. 2024-10-24 16:03:40 +02:00
phy net: phy: realtek: add dummy PHY driver for RTL8127ATF 2026-01-12 19:29:11 -08:00
psp psp: add stats from psp spec to driver facing api 2025-11-07 18:53:57 -08:00
sctp sctp: Remove unused declaration sctp_auth_init_hmacs() 2025-11-14 18:00:34 -08:00
tc_act net/sched: act_ife: Fix metalist update behavior 2026-03-05 07:54:08 -08:00
6lowpan.h
Space.h drivers: net: 8390: wd80x3: Remove this driver 2026-04-23 15:57:10 -07:00
act_api.h net/sched: Only allow act_ct to bind to clsact/ingress qdiscs and shared blocks 2026-02-27 19:06:21 -08:00
addrconf.h ipv6: addrconf: reduce default temp_valid_lft to 2 days 2026-02-17 17:12:06 -08:00
af_ieee802154.h
af_rxrpc.h rxrpc: Remove deadcode 2025-04-24 17:03:45 -07:00
af_unix.h af_unix: Introduce SO_INQ. 2025-07-08 18:05:25 -07:00
af_vsock.h vsock: add G2H fallback for CIDs not owned by H2G transport 2026-03-12 10:59:36 +01:00
ah.h
aligned_data.h udp: move udp_memory_allocated into net_aligned_data 2025-07-02 14:22:02 -07:00
amt.h
arp.h
ax25.h net: remove ax25 and amateur radio (hamradio) subsystem 2026-04-23 10:24:02 -07:00
ax88796.h
bareudp.h
bond_3ad.h bonding: 3ad: implement proper RCU rules for port->aggregator 2026-04-29 18:32:02 -07:00
bond_alb.h bonding: Correct spelling in headers 2024-08-26 09:37:22 -07:00
bond_options.h bonding: add support for per-port LACP actor priority 2025-09-09 10:56:02 +02:00
bonding.h bonding: remove unused bond_is_first_slave and bond_is_last_slave macros 2026-04-08 19:07:08 -07:00
bpf_sk_storage.h
busy_poll.h net: gro: decouple GRO from the NAPI layer 2025-02-27 14:03:14 +01:00
calipso.h move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
can.h can: add CAN skb extension infrastructure 2026-02-05 11:58:39 +01:00
cfg80211-wext.h
cfg80211.h wifi: nl80211: Add a notification to notify NAN channel evacuation 2026-03-25 20:56:55 +01:00
cfg802154.h
checksum.h net: Fix checksum update for ILA adj-transport 2025-05-30 19:53:51 -07:00
cipso_ipv4.h move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
cls_cgroup.h net/cls_cgroup: Fix task_get_classid() during qdisc run 2025-09-14 11:55:04 -07:00
codel.h
codel_impl.h codel: annotate data-races in codel_dump_stats() 2026-04-08 19:18:52 -07:00
codel_qdisc.h
compat.h
datalink.h
dcbevent.h
dcbnl.h
devlink.h devlink: Add port-level resource registration infrastructure 2026-04-08 19:55:38 -07:00
dropreason-core.h ipv6: Implement limits on extension header parsing 2026-04-30 17:21:45 -07:00
dropreason-qdisc.h net: sched: sch_dualpi2: use qdisc_dequeue_drop() for dequeue drops 2026-02-28 15:31:35 -08:00
dropreason.h net: sched: introduce qdisc-specific drop reason tracing 2026-02-28 15:31:34 -08:00
dsa.h net: dsa: add bridge member iteration macro 2026-04-06 18:30:33 -07:00
dsa_stubs.h
dscp.h
dsfield.h
dst.h inet: add dst4_mtu() and dst6_mtu() helpers 2026-02-02 17:49:29 -08:00
dst_cache.h net: Correct spelling in headers 2024-08-26 09:37:23 -07:00
dst_metadata.h net: dst_metadata: fix IP_DF bit not extracted from tunnel headers 2025-09-14 14:28:12 -07:00
dst_ops.h
eee.h net: simplify eeecfg_mac_can_tx_lpi 2024-11-13 18:49:50 -08:00
erspan.h net: Correct spelling in headers 2024-08-26 09:37:23 -07:00
esp.h
espintcp.h
ethoc.h
failover.h
fib_notifier.h net: do not acquire rtnl in fib_seq_sum() 2024-10-11 15:35:05 -07:00
fib_rules.h net: fib_rules: Fix iif / oif matching on L3 master device 2025-04-15 17:54:56 -07:00
firewire.h
flow.h ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
flow_dissector.h flow_dissector: cleanup FLOW_DISSECTOR_KEY_ENC_FLAGS 2024-07-15 09:14:39 -07:00
flow_offload.h net: dsa: eliminate local type for tc policers 2026-02-10 15:30:11 +01:00
fou.h
fq.h
fq_impl.h Convert 'alloc_obj' family to use the new default GFP_KERNEL argument 2026-02-21 17:09:51 -08:00
garp.h
gen_stats.h
genetlink.h genetlink: fix typo in comment 2025-09-03 15:16:49 -07:00
geneve.h
gre.h
gro.h gro: inline tcp6_gro_complete() 2026-01-21 19:28:32 -08:00
gro_cells.h
gso.h
gtp.h
gue.h
handshake.h
hotdata.h net-sysfs: use rps_tag_ptr and remove metadata from rps_sock_flow_table 2026-03-04 16:54:09 -08:00
hwbm.h net: Correct spelling in headers 2024-08-26 09:37:23 -07:00
icmp.h ipv4: icmp: Pass IPv4 control block structure as an argument to __icmp_send() 2025-09-11 12:22:38 +02:00
ieee8021q.h
ieee80211_radiotap.h wifi: mac80211: add RX flag to report radiotap VHT information 2025-10-30 08:38:51 +01:00
ieee802154_netdev.h
if_inet6.h
ife.h
inet6_connection_sock.h tcp: move inet6_csk_update_pmtu() to tcp_ipv6.c 2026-02-24 17:47:27 -08:00
inet6_hashtables.h tcp: Initialise ehash secrets during connect() and listen(). 2026-03-05 18:50:05 -08:00
inet_common.h net: remove addr_len argument of recvmsg() handlers 2026-03-02 18:17:17 -08:00
inet_connection_sock.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-02-26 10:23:00 -08:00
inet_dscp.h ipv4: Convert ->flowi4_tos to dscp_t. 2025-08-26 17:34:31 -07:00
inet_ecn.h tcp: ECT_1_NEGOTIATION and NEEDS_ACCECN identifiers 2026-02-03 15:13:24 +01:00
inet_frag.h inet: frags: flush pending skbs in fqdir_pre_exit() 2025-12-10 01:15:27 -08:00
inet_hashtables.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-03-26 12:09:57 -07:00
inet_sock.h ipv6: colocate inet6_cork in inet_cork_full 2026-02-02 17:49:30 -08:00
inet_timewait_sock.h tcp: Update bind bucket state on port release 2025-09-23 10:12:15 +02:00
inetpeer.h inetpeer: remove create argument of inet_getpeer() 2024-12-17 19:37:00 -08:00
ioam6.h ipv6: ioam: fix heap buffer overflow in __ioam6_fill_trace_data() 2026-02-13 12:24:05 -08:00
ip.h net: remove EXPORT_IPV6_MOD() and EXPORT_IPV6_MOD_GPL() macros 2026-03-29 11:21:22 -07:00
ip6_checksum.h udp: move udp6_csum_init() back to net/ipv6/udp.c 2026-02-24 16:30:40 -08:00
ip6_fib.h ipv6: remove ipv6_stub infrastructure completely 2026-03-29 11:21:24 -07:00
ip6_route.h ipv6: prepare headers for ipv6_stub removal 2026-03-29 11:21:23 -07:00
ip6_tunnel.h net: dropreason: add SKB_DROP_REASON_RECURSION_LIMIT 2026-03-14 08:38:06 -07:00
ip_fib.h net: ipv4: fix ARM64 alignment fault in multipath hash seed 2026-03-03 17:20:37 -08:00
ip_tunnels.h net: increase IP_TUNNEL_RECURSION_LIMIT to 5 2026-04-03 15:52:10 -07:00
ip_vs.h ipvs: Guard access of HK_TYPE_KTHREAD cpumask with RCU 2026-05-05 01:52:55 +02:00
ipcomp.h xfrm: ipcomp: Use crypto_acomp interface 2025-03-21 17:36:49 +08:00
ipconfig.h
ipv6.h ipv6: Implement limits on extension header parsing 2026-04-30 17:21:45 -07:00
ipv6_frag.h inet: frags: flush pending skbs in fqdir_pre_exit() 2025-12-10 01:15:27 -08:00
iw_handler.h Revert "wifi: cfg80211: unexport wireless_nlevent_flush()" 2024-10-09 08:53:01 +02:00
kcm.h net: kcm: Fix race condition in kcm_unattach() 2025-08-13 18:18:33 -07:00
l3mdev.h net: l3mdev: use skb_dst_dev_rcu() in l3mdev_l3_out() 2026-02-02 17:09:11 -08:00
lag.h
lapb.h net: lapb: increase LAPB_HEADER_LEN 2024-12-06 17:43:08 -08:00
llc.h
llc_c_ac.h
llc_c_ev.h
llc_c_st.h llc: Constify struct llc_conn_state_trans 2024-07-15 08:51:01 -07:00
llc_conn.h
llc_if.h
llc_pdu.h net: Correct spelling in headers 2024-08-26 09:37:23 -07:00
llc_s_ac.h
llc_s_ev.h
llc_s_st.h llc: Constify struct llc_sap_state_trans 2024-07-15 08:51:19 -07:00
llc_sap.h
lwtunnel.h net: dst: annotate data-races around dst->output 2025-07-02 14:32:30 -07:00
mac80211.h wifi: mac80211: add NAN peer schedule support 2026-04-07 15:36:03 +02:00
mac802154.h move asm/unaligned.h to linux/unaligned.h 2024-10-02 17:23:23 -04:00
macsec.h net: macsec: Add endianness annotations in salt struct 2025-01-20 12:20:42 +00:00
mctp.h net: mctp: fix don't require received header reserved bits to be zero 2026-04-20 11:46:57 -07:00
mctpdevice.h net: mctp: Expose transport binding identifier via IFLA attribute 2024-11-09 09:04:54 -08:00
mip6.h
mld.h
mpls.h
mpls_iptunnel.h
mptcp.h mptcp: sched: remove mptcp_sched_data 2025-04-15 08:21:46 -07:00
mrp.h
ncsi.h
ndisc.h ipv6: remove ipv6_stub infrastructure completely 2026-03-29 11:21:24 -07:00
neighbour.h neighbour: Convert rwlock of struct neigh_table to spinlock. 2025-10-24 17:57:20 -07:00
neighbour_tables.h neighbour: Create netdev->neighbour association 2024-11-09 13:22:57 -08:00
net_debug.h Kbuild updates for v6.13 2024-11-30 13:41:50 -08:00
net_failover.h
net_namespace.h kernfs: pass struct ns_common instead of const void * for namespace tags 2026-04-09 14:36:52 +02:00
net_ratelimit.h
net_shaper.h net-shapers: implement NL get operation 2024-10-10 08:30:22 -07:00
net_trackers.h
netdev_lock.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-05-22 09:42:41 -07:00
netdev_netlink.h net: add granular lock for the netdev netlink socket 2025-03-12 13:32:35 -07:00
netdev_queues.h net: Proxy netdev_queue_get_dma_dev for leased queues 2026-04-09 18:21:46 -07:00
netdev_rx_queue.h net: remove the netif_get_rx_queue_lease_locked() helpers 2026-04-09 18:26:28 -07:00
netevent.h
netkit.h
netlabel.h Networking changes for 6.13. 2024-11-21 08:28:08 -08:00
netlink.h netlink: add a nla_nest_end_safe() helper 2026-04-12 11:23:50 -07:00
netmem.h net: add net_iov_init() and use it to initialize ->page_type 2026-04-29 16:40:08 -07:00
netprio_cgroup.h
nexthop.h ipv6: Protect nh->f6i_list with spinlock and flag. 2025-04-24 09:29:56 +02:00
nl802154.h nl802154: fix some kernel-doc warnings 2025-10-20 17:13:40 -07:00
nsh.h
pfcp.h net: pfcp: fix typo in message_priority field name 2025-06-13 18:17:08 -07:00
pie.h net/sched: sch_pie: annotate data-races in pie_dump_stats() 2026-04-22 21:12:47 -07:00
ping.h net: remove addr_len argument of recvmsg() handlers 2026-03-02 18:17:17 -08:00
pkt_cls.h net: sched: fix TCF_LAYER_TRANSPORT handling in tcf_get_base_ptr() 2025-11-24 18:53:14 -08:00
pkt_sched.h net/sched: don't use dynamic lockdep keys with clsact/ingress/noqueue 2026-02-05 09:32:45 -08:00
pptp.h
proto_memory.h net: Allow opt-out from global protocol memory accounting. 2025-10-16 12:04:47 -07:00
protocol.h
psample.h
psnap.h
psp.h psp: base PSP device support 2025-09-18 12:32:06 +02:00
raw.h net: use NUMA drop counters for softnet_data.dropped 2025-09-14 11:35:17 -07:00
rawv6.h
red.h net: sched: Correct spelling in headers 2024-08-26 09:37:23 -07:00
regulatory.h net: Correct spelling in headers 2024-08-26 09:37:23 -07:00
request_sock.h tcp: move __reqsk_free() out of line 2026-02-05 09:23:06 -08:00
rose.h net: remove ax25 and amateur radio (hamradio) subsystem 2026-04-23 10:24:02 -07:00
route.h net: use dst_dev_rcu() in sk_setup_caps() 2025-08-29 19:36:32 -07:00
rpl.h
rps-types.h net: add rps_tag_ptr type and helpers 2026-03-04 16:54:09 -08:00
rps.h net-sysfs: use rps_tag_ptr and remove metadata from rps_dev_flow_table 2026-03-04 16:54:10 -08:00
rsi_91x.h
rstreason.h net: Retire DCCP socket. 2025-04-11 18:58:10 -07:00
rtnetlink.h rtnetlink: Remove "net" from newlink params 2025-02-21 15:28:03 -08:00
rtnh.h
sch_generic.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2026-04-14 12:04:00 -07:00
sch_priv.h net/sched: Export mq functions for reuse 2026-01-13 11:54:29 +01:00
scm.h af_unix/scm: fix whitespace errors 2025-07-04 09:32:35 +02:00
secure_seq.h tcp: secure_seq: add back ports to TS offset 2026-03-04 17:44:35 -08:00
seg6.h
seg6_hmac.h ipv6: sr: Prepare HMAC key ahead of time 2025-08-26 18:11:29 -07:00
seg6_local.h
selftests.h net: selftests: export packet creation helpers for driver use 2025-11-06 13:38:11 +01:00
slhc_vj.h
smc.h net/smc: bpf: Introduce generic hook for handshake flow 2025-11-10 11:19:41 -08:00
snmp.h net: snmp: remove SNMP_MIB_SENTINEL 2025-09-08 18:06:21 -07:00
sock.h Networking changes for 7.1. 2026-04-14 18:36:10 -07:00
sock_reuseport.h net: core: annotate socks of struct sock_reuseport with __counted_by 2024-08-02 17:16:59 -07:00
stp.h
strparser.h strparser: Remove unused __strp_unpause 2025-05-05 16:48:12 -07:00
switchdev.h bridge: No DEV_PATH_BR_VLAN_UNTAG_HW for dsa foreign 2026-03-19 13:14:00 +01:00
tc_wrapper.h net/sched: refine indirect call mitigation in tc_wrapper.h 2026-03-09 19:31:41 -07:00
tcp.h tcp: add data-races annotations around tp->reordering, tp->snd_cwnd 2026-04-18 11:10:12 -07:00
tcp_ao.h tcp: Free TCP-AO/TCP-MD5 info/keys without RCU 2025-09-11 19:05:56 -07:00
tcp_ecn.h tcp: annotate data-races around tp->delivered and tp->delivered_ce 2026-04-18 11:10:12 -07:00
tcp_states.h
tcx.h bpf: Remove location field in tcx_link 2025-07-11 11:00:57 -07:00
timewait_sock.h tcp: Remove timewait_sock_ops.twsk_destructor(). 2025-08-25 17:53:35 -07:00
tipc.h
tls.h Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2025-10-31 06:46:03 -07:00
tls_prot.h
tls_toe.h
transp_v6.h ipv6: Retire UDP-Lite. 2026-03-13 18:57:44 -07:00
tso.h net: tso: Introduce tso_dma_map and helpers 2026-04-12 10:54:31 -07:00
tun_proto.h
udp.h udp: Don't pass udptable to IPv4 socket lookup functions. 2026-03-13 18:57:46 -07:00
udp_tunnel.h ipv6: remove ipv6_stub infrastructure completely 2026-03-29 11:21:24 -07:00
vsock_addr.h net: Convert proto_ops connect() callbacks to use sockaddr_unsized 2025-11-04 19:10:32 -08:00
vxlan.h vxlan: Support MC routing in the underlay 2025-06-17 18:18:46 -07:00
wext.h
x25.h net/x25: Remove unused x25_terminate_link() 2025-07-14 17:19:13 -07:00
x25device.h
xdp.h bpf-next-for-netdev 2025-09-24 10:22:37 -07:00
xdp_priv.h
xdp_sock.h xsk: fix XDP_UMEM_SG_FLAG issues 2026-04-06 18:43:51 -07:00
xdp_sock_drv.h xsk: respect tailroom for ZC setups 2026-04-06 18:43:51 -07:00
xfrm.h xfrm: reduce struct sec_path size 2026-02-10 20:21:48 -08:00
xsk_buff_pool.h xsk: remove repeated defines 2026-03-16 19:28:21 -07:00