Received: by 2002:a25:8b91:0:0:0:0:0 with SMTP id j17csp4822195ybl; Wed, 22 Jan 2020 05:24:29 -0800 (PST) X-Google-Smtp-Source: APXvYqwCRgV/M79gtowZpHnIyHWsmPUt5yQ55FujwVGk3NJ+Oa3jF/cVWZ/x42jgoQjai4EOCiav X-Received: by 2002:aca:1a10:: with SMTP id a16mr6896620oia.9.1579699469736; Wed, 22 Jan 2020 05:24:29 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1579699469; cv=none; d=google.com; s=arc-20160816; b=FNKpaEEcmROTtQrYSOsfIB4wkGqSnM66Uqv2NsmP9Bcfiu7D1BQsv/+XCFOg+0gfXK LDERz11R0SdmvfJgTsc0IOCFpfrKlwOFvR6oUpZrCbUIrlJYW29EKgGmgkHPUBDUMf4v 7eOhuulYvdHrBgsWaQ6RTdU5C5aZVoPwrf7aMYzpw7DH6x+so+4yrnOemFaEqUPYlJo/ kRX/W5Hh1/pvX7ZxskJxJ6DhvpxICl7a5OMX5aHdrZZmKThxGKsJLVNHovsl33lgZmZv MDcbLHxnQnYTtoTO4BFWJRPHJuYDIoPiwFU2e2cj2C+3JONp2RTEtU5xWMlFM4Y53g7T iteg== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :user-agent:references:in-reply-to:message-id:date:subject:cc:to :from:dkim-signature; bh=kRiRPWppNFgblLStrCydg/O1NIj6afnBJb8WlQEM9sE=; b=tOotWdwWjGYXNeAkm0Z9MCeeLUe8MjA+XL+mPWWvTegTRh6DFvOD1NmFosmlmx8o/H VhcPO+W5R37yEIxbNPzCaoUzWjF+kAOAdj2uobRPGHSG91A3oX+oFkZzj6JXlAZT/pEv TVapT2vhIEDi1BYGeA/0TMhirB/xNF9+4pOh1ZPJfn/UwtPyIHWQdbVxZ5W7tC8j6Na3 /7epdAcJma7MOvApO2eTNmdynDcU2QnLCjaZWFHyJNfbp/0VzilaBUFN3AyxrhdvBFOD +fQ+ew+ZYoO2NfgPhJSm00Ejt1gnvzt8poj61vrpsQUXYoXTrTKDYv3jIwOW7EJNFGMn Ik8w== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UMnDOF0D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id j9si24072021otn.294.2020.01.22.05.24.18; Wed, 22 Jan 2020 05:24:29 -0800 (PST) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=UMnDOF0D; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730412AbgAVNWE (ORCPT + 99 others); Wed, 22 Jan 2020 08:22:04 -0500 Received: from mail.kernel.org ([198.145.29.99]:39426 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729440AbgAVNWD (ORCPT ); Wed, 22 Jan 2020 08:22:03 -0500 Received: from localhost (unknown [84.241.205.26]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id 5D19624688; Wed, 22 Jan 2020 13:22:02 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1579699323; bh=eaBgZMQiR1ktJvSTogygs1ZOXePmbAz1byQHBsb4F9Y=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=UMnDOF0DqFjIs0+vtJ7/mm5FjrTngx6nGssIY+Rg8jE+bRnG/lxtGzkMBvI7L61+0 HLg0oElZaGoJ2kMgyMc/ljdybMQawshpCS0bWnPT3IxL9y2hJtx2579zpLgwAjiSx5 TUXNz8kP0EePVelI6tfVY0NT6dXiXaUJv95sPRNI= From: Greg Kroah-Hartman To: linux-kernel@vger.kernel.org Cc: Greg Kroah-Hartman , stable@vger.kernel.org, syzbot+83979935eb6304f8cd46@syzkaller.appspotmail.com, John Fastabend , Daniel Borkmann , Jakub Sitnicki , Song Liu Subject: [PATCH 5.4 108/222] bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop Date: Wed, 22 Jan 2020 10:28:14 +0100 Message-Id: <20200122092841.469023967@linuxfoundation.org> X-Mailer: git-send-email 2.25.0 In-Reply-To: <20200122092833.339495161@linuxfoundation.org> References: <20200122092833.339495161@linuxfoundation.org> User-Agent: quilt/0.66 MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: John Fastabend commit 4da6a196f93b1af7612340e8c1ad8ce71e18f955 upstream. When a sockmap is free'd and a socket in the map is enabled with tls we tear down the bpf context on the socket, the psock struct and state, and then call tcp_update_ulp(). The tcp_update_ulp() call is to inform the tls stack it needs to update its saved sock ops so that when the tls socket is later destroyed it doesn't try to call the now destroyed psock hooks. This is about keeping stacked ULPs in good shape so they always have the right set of stacked ops. However, recently unhash() hook was removed from TLS side. But, the sockmap/bpf side is not doing any extra work to update the unhash op when is torn down instead expecting TLS side to manage it. So both TLS and sockmap believe the other side is managing the op and instead no one updates the hook so it continues to point at tcp_bpf_unhash(). When unhash hook is called we call tcp_bpf_unhash() which detects the psock has already been destroyed and calls sk->sk_prot_unhash() which calls tcp_bpf_unhash() yet again and so on looping and hanging the core. To fix have sockmap tear down logic fixup the stale pointer. Fixes: 5d92e631b8be ("net/tls: partially revert fix transition through disconnect with close") Reported-by: syzbot+83979935eb6304f8cd46@syzkaller.appspotmail.com Signed-off-by: John Fastabend Signed-off-by: Daniel Borkmann Reviewed-by: Jakub Sitnicki Acked-by: Song Liu Cc: stable@vger.kernel.org Link: https://lore.kernel.org/bpf/20200111061206.8028-2-john.fastabend@gmail.com Signed-off-by: Greg Kroah-Hartman --- include/linux/skmsg.h | 1 + 1 file changed, 1 insertion(+) --- a/include/linux/skmsg.h +++ b/include/linux/skmsg.h @@ -354,6 +354,7 @@ static inline void sk_psock_update_proto static inline void sk_psock_restore_proto(struct sock *sk, struct sk_psock *psock) { + sk->sk_prot->unhash = psock->saved_unhash; sk->sk_write_space = psock->saved_write_space; if (psock->sk_proto) {