From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Wang Yufen, Daniel Borkmann, John Fastabend, Sasha Levin
Subject: [PATCH 5.15 543/913] bpf, sockmap: Fix double uncharge the mem of sk_msg
Date: Tue, 5 Apr 2022 09:26:45 +0200
Message-Id: <20220405070356.125960097@linuxfoundation.org>

From: Wang Yufen

[ Upstream commit 2486ab434b2c2a14e9237296db00b1e1b7ae3273 ]

If tcp_bpf_sendmsg is running during a tear down operation, psock may be
freed.

tcp_bpf_sendmsg()
 tcp_bpf_send_verdict()
  sk_msg_return()
  tcp_bpf_sendmsg_redir()
   unlikely(!psock))
     sk_msg_free()

The mem of msg has been uncharged in tcp_bpf_send_verdict() by
sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock
is null, we can simply return an error code, this would then trigger the
sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have the
side effect of throwing an error up to user space. This would be a slight
change in behavior from user side but would look the same as an error if
the redirect on the socket threw an error.

This issue can cause the following info:

WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
Call Trace:
 __sk_destruct+0x24/0x1f0
 sk_psock_destroy+0x19b/0x1c0
 process_one_work+0x1b3/0x3c0
 worker_thread+0x30/0x350
 ? process_one_work+0x3c0/0x3c0
 kthread+0xe6/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30

Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: Wang Yufen
Signed-off-by: Daniel Borkmann
Acked-by: John Fastabend
Link: https://lore.kernel.org/bpf/20220304081145.2037182-5-wangyufen@huawei.com
Signed-off-by: Sasha Levin
--- net/ipv4/tcp_bpf.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c index 304800c60427..1cdcb4df0eb7 100644 --- a/net/ipv4/tcp_bpf.c +++ b/net/ipv4/tcp_bpf.c @@ -138,10 +138,9 @@ int tcp_bpf_sendmsg_redir(struct sock *sk, struct sk_msg *msg, struct sk_psock *psock = sk_psock_get(sk); int ret; - if (unlikely(!psock)) { - sk_msg_free(sk, msg); - return 0; - } + if (unlikely(!psock)) + return -EPIPE; + ret = ingress ? bpf_tcp_ingress(sk, psock, msg, bytes, flags) : tcp_bpf_push_locked(sk, msg, bytes, flags, false); sk_psock_put(sk, psock); -- 2.34.1
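
Review bot: the new `if (unlikely(!psock)) return -EPIPE;` in tcp_bpf_sendmsg_redir() leaves msg unfreed and depends on the caller to release it, but nothing in the function says so. Per the commit message the __SK_REDIRECT error path does this through sk_msg_free_nocharge; a one-line comment above the check stating that msg stays owned by the caller, with its memory already uncharged by sk_msg_return(), would keep a later change from reintroducing either the double uncharge or a leak. It is also worth confirming that every caller of this function frees msg on a negative return, since the removed branch returned 0 here, and recording why -EPIPE was chosen, because that value now reaches user space.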