Received: by 2002:a05:6a10:2726:0:0:0:0 with SMTP id ib38csp968876pxb;
        Wed, 6 Apr 2022 05:36:45 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJyKrPQQx7dLFtOxj3OtD3miG0Rynmpq3cZzIlzviKSgC+sxwBNm8mHtRfwmQykhKEO1zxA4
X-Received: by 2002:a17:90a:294f:b0:1ca:aa69:4f01 with SMTP id x15-20020a17090a294f00b001caaa694f01mr9728811pjf.169.1649248605682;
        Wed, 06 Apr 2022 05:36:45 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1649248605; cv=none;
        d=google.com; s=arc-20160816;
        b=SOoGlFjScr7kpK7aHLp/Tava3gMgBhyMXz3jU4ZEeN89bdOpXCrNQQM6SN/yokDUVp
         dROZQeNJcJFfx2dqbJQCAzEyDmeXFAhhRPzMfjJEWbLopDjCgYJXRM0XHOzc+hCAZ20X
         4gKTKhBa1NVaMNwXv4A4p4uDwBPpUXMVTLuuTWEaz5bDkxcU4UvfYIOLHHt6b5LjatOF
         QtF/9yTmb8ghRB6yMIfCUOyE8I4EPpqacefqDSW1Rx0OkYTOYTMn98pinScQjdXVv36p
         oPLCy9DOEgoIh+DUzEtEzbZf1vuWMshgMrlc58BNTLxe5KqXxsnI5eG4uiVfoQ3Gnsmy
         3L4Q==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=nvD6157dvDk+FUr3rvEes88A89gUrPjZHk9pD8bhlmw=;
        b=m29RmRqmP6inVES4Oya4hUgiZlsdtLeDZnphKG+kys/0GqRFxDHWaPcEs5n+YoMCMQ
         foy3YjeAA08gioufmmp3aRM65/xWsMvAHiRu+Npl4zauwFJNWhO2HhAK2GguKPxcumAv
         EzO3PRshTAKm+zzYgcnlUIT/JfL5LJHrjp0/9y2RZCzwyhf2knAqmsg911MbOKcd7TzB
         TYBDNkiAeYKb+c3nB+bNKQdueS3KTvucr+uzix/rQQxHXirdfd8JIbMP/Sa4jD3LYdot
         zH0GOtfUZPeT1GtcsHpnuRbiCw1R1QzRO00CvIGyxEUjbQ3pkbZiG/3+PCltzqnHEIjW
         9s2g==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LY4huCou;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from lindbergh.monkeyblade.net (lindbergh.monkeyblade.net. [23.128.96.19])
        by mx.google.com with ESMTPS id h5-20020a170902f54500b00156c0b0a42asi6304125plf.113.2022.04.06.05.36.44
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 06 Apr 2022 05:36:45 -0700 (PDT)
Received-SPF: softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) client-ip=23.128.96.19;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=LY4huCou;
       spf=softfail (google.com: domain of transitioning linux-kernel-owner@vger.kernel.org does not designate 23.128.96.19 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: from vger.kernel.org (vger.kernel.org [23.128.96.18])
	by lindbergh.monkeyblade.net (Postfix) with ESMTP id E31164D93A1;
	Wed,  6 Apr 2022 02:12:39 -0700 (PDT)
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1582512AbiDEXsE (ORCPT <rfc822;02joepater06@gmail.com>
        + 99 others); Tue, 5 Apr 2022 19:48:04 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47296 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1349402AbiDEJts (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Tue, 5 Apr 2022 05:49:48 -0400
Received: from dfw.source.kernel.org (dfw.source.kernel.org [139.178.84.217])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 0E66917A81;
        Tue,  5 Apr 2022 02:44:58 -0700 (PDT)
Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140])
        (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
        (No client certificate requested)
        by dfw.source.kernel.org (Postfix) with ESMTPS id 577F261675;
        Tue,  5 Apr 2022 09:44:58 +0000 (UTC)
Received: by smtp.kernel.org (Postfix) with ESMTPSA id 6584FC385A2;
        Tue,  5 Apr 2022 09:44:57 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1649151897;
        bh=vZCYosMR3xAeEcqaIxxhaQzuSAuF9vWSVdw/VukUcbY=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=LY4huCouIcDyL0SQCuaCjHVfRUfuWm6MdnKHGvjOB6vYpBwNv2WNaF5LmJxzOvQ52
         ZFRgvxKB9WB20n9HuiN69exyZw/i0u9Ge2dC8H+m1JWHXOkUf+GSiwdRI+LbGFipI+
         AZl8ndbmL6tDmJFi6lAlZyZqIO7mywWJ8YkKoYEI=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Wang Yufen <wangyufen@huawei.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        John Fastabend <john.fastabend@gmail.com>,
        Sasha Levin <sashal@kernel.org>
Subject: [PATCH 5.15 543/913] bpf, sockmap: Fix double uncharge the mem of sk_msg
Date:   Tue,  5 Apr 2022 09:26:45 +0200
Message-Id: <20220405070356.125960097@linuxfoundation.org>
X-Mailer: git-send-email 2.35.1
In-Reply-To: <20220405070339.801210740@linuxfoundation.org>
References: <20220405070339.801210740@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
X-Spam-Status: No, score=-2.0 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
	DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
	MAILING_LIST_MULTI,RDNS_NONE,SPF_HELO_NONE,T_SCC_BODY_TEXT_LINE
	autolearn=no autolearn_force=no version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
	lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Wang Yufen <wangyufen@huawei.com>

[ Upstream commit 2486ab434b2c2a14e9237296db00b1e1b7ae3273 ]

If tcp_bpf_sendmsg is running during a tear down operation, psock may be
freed.

tcp_bpf_sendmsg()
 tcp_bpf_send_verdict()
  sk_msg_return()
  tcp_bpf_sendmsg_redir()
   unlikely(!psock))
     sk_msg_free()

The mem of msg has been uncharged in tcp_bpf_send_verdict() by
sk_msg_return(), and would be uncharged by sk_msg_free() again. When psock
is null, we can simply returning an error code, this would then trigger
the sk_msg_free_nocharge in the error path of __SK_REDIRECT and would have
the side effect of throwing an error up to user space. This would be a
slight change in behavior from user side but would look the same as an
error if the redirect on the socket threw an error.

This issue can cause the following info:
WARNING: CPU: 0 PID: 2136 at net/ipv4/af_inet.c:155 inet_sock_destruct+0x13c/0x260
Call Trace:
 <TASK>
 __sk_destruct+0x24/0x1f0
 sk_psock_destroy+0x19b/0x1c0
 process_one_work+0x1b3/0x3c0
 worker_thread+0x30/0x350
 ? process_one_work+0x3c0/0x3c0
 kthread+0xe6/0x110
 ? kthread_complete_and_exit+0x20/0x20
 ret_from_fork+0x22/0x30
 </TASK>

Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: Wang Yufen <wangyufen@huawei.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Acked-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20220304081145.2037182-5-wangyufen@huawei.com
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_bpf.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index 304800c60427..1cdcb4df0eb7 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -138,10 +138,9 @@ int tcp_bpf_sendmsg_redir(struct sock *sk, struct sk_msg *msg,
 	struct sk_psock *psock = sk_psock_get(sk);
 	int ret;
 
-	if (unlikely(!psock)) {
-		sk_msg_free(sk, msg);
-		return 0;
-	}
+	if (unlikely(!psock))
+		return -EPIPE;
+
 	ret = ingress ? bpf_tcp_ingress(sk, psock, msg, bytes, flags) :
 			tcp_bpf_push_locked(sk, msg, bytes, flags, false);
 	sk_psock_put(sk, psock);
-- 
2.34.1