From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, John Fastabend, Daniel Borkmann, Sasha Levin
Subject: [PATCH 5.2 021/162] bpf: sockmap, sock_map_delete needs to use xchg
Date: Tue, 27 Aug 2019 09:49:09 +0200
Message-Id: <20190827072739.059531604@linuxfoundation.org>
In-Reply-To: <20190827072738.093683223@linuxfoundation.org>
References: <20190827072738.093683223@linuxfoundation.org>

[ Upstream commit 45a4521dcbd92e71c9e53031b40e34211d3b4feb ]

__sock_map_delete() may be called from a tcp event such as unhash or
close from the following trace,

  tcp_bpf_close()
  tcp_bpf_remove()
  sk_psock_unlink()
  sock_map_delete_from_link()
  __sock_map_delete()

In this case the sock lock is held but this only protects against
duplicate removals on the TCP side. If the map is free'd then we have
this trace,

  sock_map_free
  xchg()                  <- replaces map entry
  sock_map_unref()
  sk_psock_put()
  sock_map_del_link()

The __sock_map_delete() call however uses a read, test, null over the
map entry which can result in both paths trying to free the map entry.

To fix use xchg in TCP paths as well so we avoid having two references
to the same map entry.

Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: John Fastabend
Signed-off-by: Daniel Borkmann
Signed-off-by: Sasha Levin
--- net/core/sock_map.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/net/core/sock_map.c b/net/core/sock_map.c index be6092ac69f8a..1d40e040320d2 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c
@@ -281,16 +281,20 @@ static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test, struct sock **psk) { struct sock *sk; + int err = 0; raw_spin_lock_bh(&stab->lock); sk = *psk; if (!sk_test || sk_test == sk) - *psk = NULL; + sk = xchg(psk, NULL); + + if (likely(sk)) + sock_map_unref(sk, psk); + else + err = -EINVAL; + raw_spin_unlock_bh(&stab->lock); - if (unlikely(!sk)) - return -EINVAL; - sock_map_unref(sk, psk); - return 0; + return err; } static void sock_map_delete_from_link(struct bpf_map *map, struct sock *sk, -- 2.20.1
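
Review bot: In __sock_map_delete(), sk is still loaded with the plain read "sk = *psk" before the test, so when sk_test is non-NULL and does not match the entry, the xchg() is skipped but sk stays non-NULL, and "if (likely(sk)) sock_map_unref(sk, psk);" drops the reference of a socket whose slot was never cleared while the function returns 0. Initialise sk to NULL, compare against the slot directly ("if (!sk_test || sk_test == *psk)") and let xchg() be the only assignment to sk, so that only the path that actually took the entry unrefs it and a mismatch returns -EINVAL. The hunk also moves sock_map_unref() inside the raw_spin_lock_bh() section, which the commit message does not mention; a sentence on why the unref has to happen under stab->lock would help.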