Received: by 2002:ac0:a582:0:0:0:0:0 with SMTP id m2-v6csp3942648imm; Mon, 8 Oct 2018 12:04:11 -0700 (PDT) X-Google-Smtp-Source: ACcGV63iHv0OHBZBCpeBC9N2bE6X1lrXOEhPuPXq+B5lNhOOW0XOB9wOenmhJCh0TWpT1MFAcJyY X-Received: by 2002:a17:902:5ac9:: with SMTP id g9-v6mr25590660plm.311.1539025451176; Mon, 08 Oct 2018 12:04:11 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1539025451; cv=none; d=google.com; s=arc-20160816; b=kXe34JmJpm6S4EmxscEqoVYfWzc4TDhYjRkgdTGvcXFOX6DE0Lmt7/ej7+xEO89qTC SZNvjDl7tX5U5grnrflmtZeSeRuteR/t1/Jn3QQ+cQaDP38G5exy7r0OMMZMjhdEIgyG pkWyr/a5UtUO05iEjvrCiHvOTLUiALq6srj/i+RJHMvZaF/cjOwa9Rbv3zSK2l4c4odS rquV9gVnPHe8KbBrE6/Y+Q7S9/3FUArG/jwogzgGM9iK9aspSPxHFGLeiQ6Rz+tjAtOi fBK/DjqVP2BUHwqgPPKMBpwfDCOhBvwpsPUDa9w6zwzdWdGM9wqQxvbSQ4QcsKZ8Vgd5 Qnyg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=s0biqlB0PaCpJqFKsKjvQy0n9Qn8vEh7aHMfpFrE2So=; b=irJYbFc9liVfiPnGtMF2lRu6aqdow6X+51DSt/TmFP7nd8sc5pjG3C1cpxC6U5M1wg L/5GQbJfhR05e9Vg7aOlZBs+kyEh3OItwmPzEIo00HQel6n7qJV1Kz9rbqecRCo+LEQM Sr6ANoA56kTGp/3P6RiUbLpLJosaNPjJ895QlCZzD2GspQ5enlNYamU/6C+udfe1fkWI EtqXAdvYEcAZ7bS44OCnQkPJqC7OwF2x5PLWyVMkkQoJGzKsa/1hyTLBrGu2WCtImpeq oC/PVNzccEtHC1w95VP/qFiVkHsngifZ9T2Bhl/ZKXClNhmprV1GptOgMe49zNgZd3Gv wE3g== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=R8Csqcc9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id t7-v6si11993473pfb.16.2018.10.08.12.03.56; Mon, 08 Oct 2018 12:04:11 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=R8Csqcc9; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731353AbeJICAR (ORCPT + 99 others); Mon, 8 Oct 2018 22:00:17 -0400 Received: from mail.kernel.org ([198.145.29.99]:48878 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727510AbeJICAQ (ORCPT ); Mon, 8 Oct 2018 22:00:16 -0400 Received: from localhost (ip-213-127-77-176.ip.prioritytelecom.net [213.127.77.176]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 148FC2087D; Mon, 8 Oct 2018 18:47:09 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1539024430; bh=3LsNPwVUyyOvfHyKsE0eXKcxjjXdszt8tL8VxKBBLGY=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=R8Csqcc9wnzeWD0sN99AiZz1vaYrMmP1Q6CKKwRSE49qBdOV8i5zp263SQn/5HsS0 SoAsOwNFiuX9ACGnGQpT9xHOdK2qKQZR4Hz4tFYKe44sPM6XP5iOzop6YMzxG46U9P 4nbDTyMunzoSJEqtr57d4kdylr9sqxNnTg7JRa3A= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, Daniel Borkmann , John Fastabend , Alexei Starovoitov , Sasha Levin Subject: [PATCH 4.18 012/168] bpf, sockmap: fix potential use after free in bpf_tcp_close Date: Mon, 8 Oct 2018 20:29:52 +0200 Message-Id: <20181008175620.507636913@linuxfoundation.org> X-Mailer: git-send-email 2.19.0 In-Reply-To: <20181008175620.043587728@linuxfoundation.org> References: <20181008175620.043587728@linuxfoundation.org> User-Agent: quilt/0.65 X-stable: review MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org 4.18-stable review patch. If anyone has any objections, please let me know. ------------------ From: Daniel Borkmann [ Upstream commit e06fa9c16ce4b740996189fa5610eabcee734e6c ] bpf_tcp_close() we pop the psock linkage to a map via psock_map_pop(). A parallel update on the sock hash map can happen between psock_map_pop() and lookup_elem_raw() where we override the element under link->hash / link->key. In bpf_tcp_close()'s lookup_elem_raw() we subsequently only test whether an element is present, but we do not test whether the element is infact the element we were looking for. We lock the sock in bpf_tcp_close() during that time, so do we hold the lock in sock_hash_update_elem(). However, the latter locks the sock which is newly updated, not the one we're purging from the hash table. This means that while one CPU is doing the lookup from bpf_tcp_close(), another CPU is doing the map update in parallel, dropped our sock from the hlist and released the psock. Subsequently the first CPU will find the new sock and attempts to drop and release the old sock yet another time. Fix is that we need to check the elements for a match after lookup, similar as we do in the sock map. Note that the hash tab elems are freed via RCU, so access to their link->hash / link->key is fine since we're under RCU read side there. Fixes: e9db4ef6bf4c ("bpf: sockhash fix omitted bucket lock in sock_close") Signed-off-by: Daniel Borkmann Acked-by: John Fastabend Signed-off-by: Alexei Starovoitov Signed-off-by: Sasha Levin Signed-off-by: Greg Kroah-Hartman --- kernel/bpf/sockmap.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- a/kernel/bpf/sockmap.c +++ b/kernel/bpf/sockmap.c @@ -369,7 +369,7 @@ static void bpf_tcp_close(struct sock *s /* If another thread deleted this object skip deletion. * The refcnt on psock may or may not be zero. */ - if (l) { + if (l && l == link) { hlist_del_rcu(&link->hash_node); smap_release_sock(psock, link->sk); free_htab_elem(htab, link);