There are a bunch of weird usages of sock_create() and friends due
to poor documentation.
1) some subsystems use __sock_create(), but all of them can be
replaced with sock_create_kern()
2) some subsystems use sock_create(), but most of the sockets are
not tied to userspace processes nor exposed via file descriptors
but are (most likely unintentionally) exposed to some BPF hooks
(infiniband, ISDN, iscsi, Xen PV call, ocfs2, smbd)
3) some subsystems use sock_create_kern() and convert the sockets
to hold netns refcnt (cifs, mptcp, nvme, rds, smc, and sunrpc)
The primary goal is to sort out such confusion and provide enough
documentation for future developers to choose an appropriate API.
Before commit 26abe14379f8 ("net: Modify sk_alloc to not reference
count the netns of kernel sockets."), sock_create_kern() held the
netns refcnt, and each caller dropped it if unnecessary:
sock_create_kern(&init_net, ..., &sock);
sk_change_net(sock->sk, net);
But that implicit API change ended up causing a lot of use-after-free
and finally introduced another helper:
sock_create_kern(net, ..., &sock);
sk_net_refcnt_upgrade(sock->sk);
Patch 2 renames sock_create_kern() to __sock_create_kern() to mark it
as a special-purpose API, and Patch 3 restores the original
sock_create_kern() that holds the netns refcnt.
Now, we can simply use sock_create_kern() or __sock_create_kern()
depending on the use case (except for rds).
Changes
v2:
patch 3: s/ret/err/ in sock_create_kern() for clarity
patch 4: newly added
patch 5: drop unnecessary change for sunrpc and updated changelog
v1: https://lore.kernel.org/netdev/20250517035120.55560-1-kuniyu@xxxxxxxxxx/
Kuniyuki Iwashima (7):
socket: Un-export __sock_create().
socket: Rename sock_create_kern() to __sock_create_kern().
socket: Restore sock_create_kern().
smb: client: Add missing net_passive_dec().
socket: Remove kernel socket conversion except for net/rds/.
socket: Replace most sock_create() calls with sock_create_kern().
socket: Clean up kdoc for sock_create() and sock_create_lite().
drivers/block/drbd/drbd_receiver.c | 12 +-
drivers/infiniband/hw/erdma/erdma_cm.c | 6 +-
drivers/infiniband/sw/rxe/rxe_qp.c | 2 +-
drivers/infiniband/sw/siw/siw_cm.c | 6 +-
drivers/isdn/mISDN/l1oip_core.c | 3 +-
drivers/nvme/host/tcp.c | 5 +-
drivers/nvme/target/tcp.c | 5 +-
drivers/soc/qcom/qmi_interface.c | 4 +-
drivers/target/iscsi/iscsi_target_login.c | 7 +-
drivers/xen/pvcalls-back.c | 6 +-
fs/afs/rxrpc.c | 2 +-
fs/dlm/lowcomms.c | 8 +-
fs/ocfs2/cluster/tcp.c | 8 +-
fs/smb/client/connect.c | 11 +-
fs/smb/server/transport_tcp.c | 7 +-
include/linux/net.h | 7 +-
net/9p/trans_fd.c | 9 +-
net/bluetooth/rfcomm/core.c | 3 +-
net/ceph/messenger.c | 6 +-
net/handshake/handshake-test.c | 32 ++--
net/ipv4/af_inet.c | 2 +-
net/ipv4/udp_tunnel_core.c | 2 +-
net/ipv6/ip6_udp_tunnel.c | 2 +-
net/l2tp/l2tp_core.c | 8 +-
net/mctp/test/route-test.c | 6 +-
net/mptcp/pm_kernel.c | 4 +-
net/mptcp/subflow.c | 7 +-
net/netfilter/ipvs/ip_vs_sync.c | 8 +-
net/qrtr/ns.c | 6 +-
net/rds/tcp_connect.c | 8 +-
net/rds/tcp_listen.c | 4 +-
net/rxrpc/rxperf.c | 4 +-
net/sctp/socket.c | 2 +-
net/smc/af_smc.c | 18 +--
net/smc/smc_inet.c | 2 +-
net/socket.c | 138 ++++++++++++------
net/sunrpc/clnt.c | 4 +-
net/sunrpc/svcsock.c | 6 +-
net/sunrpc/xprtsock.c | 12 +-
net/tipc/topsrv.c | 4 +-
net/wireless/nl80211.c | 4 +-
.../selftests/bpf/test_kmods/bpf_testmod.c | 4 +-
42 files changed, 219 insertions(+), 185 deletions(-)
--
2.49.0
