Received: by 2002:ab2:6a05:0:b0:1f8:1780:a4ed with SMTP id w5csp1400307lqo;
        Sun, 12 May 2024 00:21:55 -0700 (PDT)
X-Forwarded-Encrypted: i=3; AJvYcCX47V1gVIaqPp0AXf0efy4NZGLy3Om0M2jiDvw269jm6FJSlC6dtOSLJbQr6EWYllM7065oSiGuyTLhqKocOS5UHyhXsxuFowkCl327xQ==
X-Google-Smtp-Source: AGHT+IEnuuXqGSrh/efTzDb8T5wX3BeTny7KYrxd4oytB7A41wV5MiHVlophphsqNnYf7+77lduL
X-Received: by 2002:ac8:7d82:0:b0:43a:cbd5:7599 with SMTP id d75a77b69052e-43dfdb290ccmr80858861cf.21.1715498515289;
        Sun, 12 May 2024 00:21:55 -0700 (PDT)
ARC-Seal: i=2; a=rsa-sha256; t=1715498515; cv=pass;
        d=google.com; s=arc-20160816;
        b=tEly08nWJTjIWS0c/8UThKhZrEMGV+IUAucgkgi4/wqGUi09CpTl3U6iP/OAcaWQar
         iGRKmPLHCbgz0qUY+3Pw70q1Hlz1rPslZtUMHF9/ONs3g9yGzpaxrFTnax7fPcxwhc76
         QGHvtHuyKXXvl/WQjugSYCO6ni8lL1IfPzX3kuTLdGhXopkvm5YW0JF+cV9E4SRXn0GI
         y9FK/Al7C8jgJQe3pRumnuMznH9MabIWfiFd7u6tHe+qAqd47Oyn3c7jNKM+VgWOM/tY
         CIXbj0RSAlf040ZOXyP5CeWGJuxoVbYJ04lY3k3ROUFukcBP5esAUUrbKtJSig4TToHw
         sHPw==
ARC-Message-Signature: i=2; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=content-transfer-encoding:subject:from:cc:to:content-language
         :user-agent:mime-version:list-unsubscribe:list-subscribe:list-id
         :precedence:date:message-id;
        bh=h3TDfawbPQaGSYlYXHgaaOJI8nXRhR0Sq4t4u2wTLXQ=;
        fh=PZEsQ3N1yKIacaPg/q8dbDTXsROkpQltX7UqoeBOYtE=;
        b=Yt19y7dTt5OkYTT67GlNSXRAkzAhZm2XBaEhE9xAcfhuN6yC2aYVtTyX2vcMSvx3M8
         Y1xVE9WjjduOBM3kitzpW2MPK3u4ZKmMk2SzYc2XZ2xqdNsubTbSF1pz5oacdQv8Xtzc
         n/Df8AjVx+sZkf3omOrnY6Eedkivc6GbLutYX5H4Q9dqF+vtaaSMbrEjyWSp7rf/oo2A
         fqLFOKC0FupZ+LqaY0XqvJdDhbHWWf7TSVhUluv8c8LOZEaAT7Cia9AP0zHQPRIOZ3w2
         VN6jp9sD7DVYFzlImIdiRmeIeWcsmVK5mfTTv7XBcM15tOTnSBSkmv3FJ5qG2HlZpbHN
         tKdA==;
        dara=google.com
ARC-Authentication-Results: i=2; mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=i-love.sakura.ne.jp);
       spf=pass (google.com: domain of linux-kernel+bounces-176811-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-176811-linux.lists.archive=gmail.com@vger.kernel.org"
Return-Path: <linux-kernel+bounces-176811-linux.lists.archive=gmail.com@vger.kernel.org>
Received: from ny.mirrors.kernel.org (ny.mirrors.kernel.org. [147.75.199.223])
        by mx.google.com with ESMTPS id d75a77b69052e-43df56b1414si54335361cf.556.2024.05.12.00.21.55
        for <linux.lists.archive@gmail.com>
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Sun, 12 May 2024 00:21:55 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel+bounces-176811-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) client-ip=147.75.199.223;
Authentication-Results: mx.google.com;
       arc=pass (i=1 spf=pass spfdomain=i-love.sakura.ne.jp);
       spf=pass (google.com: domain of linux-kernel+bounces-176811-linux.lists.archive=gmail.com@vger.kernel.org designates 147.75.199.223 as permitted sender) smtp.mailfrom="linux-kernel+bounces-176811-linux.lists.archive=gmail.com@vger.kernel.org"
Received: from smtp.subspace.kernel.org (wormhole.subspace.kernel.org [52.25.139.140])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by ny.mirrors.kernel.org (Postfix) with ESMTPS id 098D21C20A75
	for <linux.lists.archive@gmail.com>; Sun, 12 May 2024 07:21:55 +0000 (UTC)
Received: from localhost.localdomain (localhost.localdomain [127.0.0.1])
	by smtp.subspace.kernel.org (Postfix) with ESMTP id 930B4101F2;
	Sun, 12 May 2024 07:21:49 +0000 (UTC)
Received: from www262.sakura.ne.jp (www262.sakura.ne.jp [202.181.97.72])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(No client certificate requested)
	by smtp.subspace.kernel.org (Postfix) with ESMTPS id 907CAE556
	for <linux-kernel@vger.kernel.org>; Sun, 12 May 2024 07:21:46 +0000 (UTC)
Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=202.181.97.72
ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116;
	t=1715498509; cv=none; b=Ed0h9+MI3dt+9FLLZMwhBU90pzrpXJiAbRh32A8+KblDH3wPL3mLa84U1odgwnxsQX6TP4SJeIvCe0xfQVMzioK9gvkmd7Fi3d1lME/ZOBCPoZQshoGX90omkqr6n5vOIsXVoTm/Y8Z2J3yUFgpuKOb+jrIjt1lUPZVTVaUnsjs=
ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org;
	s=arc-20240116; t=1715498509; c=relaxed/simple;
	bh=66Jqedg9cXpHoydTVuNznaoG+hIkMQD7XMiOtPkepiU=;
	h=Message-ID:Date:MIME-Version:To:Cc:From:Subject:Content-Type; b=uZvM32iR5x/rYW5m/FJ4HQhhPxfbea07IfWRg3QRs2tqa437iV6qdz/HRSqokAux1IVRvFApGj7EmALY1xB9zsQDrvIHbMiwx9rsMRXr8P0RsLDcPVlOmO/c54Xo+/IxX+z45lQnhJ3Ei34yQYuEGxc8TROZRl0KmLYzN70slX4=
ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp; arc=none smtp.client-ip=202.181.97.72
Authentication-Results: smtp.subspace.kernel.org; dmarc=none (p=none dis=none) header.from=I-love.SAKURA.ne.jp
Authentication-Results: smtp.subspace.kernel.org; spf=pass smtp.mailfrom=I-love.SAKURA.ne.jp
Received: from fsav116.sakura.ne.jp (fsav116.sakura.ne.jp [27.133.134.243])
	by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTP id 44C7LiBq058242;
	Sun, 12 May 2024 16:21:44 +0900 (JST)
	(envelope-from penguin-kernel@I-love.SAKURA.ne.jp)
Received: from www262.sakura.ne.jp (202.181.97.72)
 by fsav116.sakura.ne.jp (F-Secure/fsigk_smtp/550/fsav116.sakura.ne.jp);
 Sun, 12 May 2024 16:21:44 +0900 (JST)
X-Virus-Status: clean(F-Secure/fsigk_smtp/550/fsav116.sakura.ne.jp)
Received: from [192.168.1.6] (M106072142033.v4.enabler.ne.jp [106.72.142.33])
	(authenticated bits=0)
	by www262.sakura.ne.jp (8.15.2/8.15.2) with ESMTPSA id 44C7Li58058238
	(version=TLSv1.2 cipher=AES256-GCM-SHA384 bits=256 verify=NO);
	Sun, 12 May 2024 16:21:44 +0900 (JST)
	(envelope-from penguin-kernel@I-love.SAKURA.ne.jp)
Message-ID: <838e7959-a360-4ac1-b36a-a3469236129b@I-love.SAKURA.ne.jp>
Date: Sun, 12 May 2024 16:21:44 +0900
Precedence: bulk
X-Mailing-List: linux-kernel@vger.kernel.org
List-Id: <linux-kernel.vger.kernel.org>
List-Subscribe: <mailto:linux-kernel+subscribe@vger.kernel.org>
List-Unsubscribe: <mailto:linux-kernel+unsubscribe@vger.kernel.org>
MIME-Version: 1.0
User-Agent: Mozilla Thunderbird
Content-Language: en-US
To: John Fastabend <john.fastabend@gmail.com>,
        Jakub Sitnicki <jakub@cloudflare.com>
Cc: "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>, Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>,
        Network Development
 <netdev@vger.kernel.org>,
        bpf <bpf@vger.kernel.org>, LKML <linux-kernel@vger.kernel.org>
From: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
Subject: [PATCH] bpf, sockmap: defer sk_psock_free_link() using RCU
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 7bit

If a BPF program is attached to kfree() event, calling kfree()
with psock->link_lock held triggers lockdep warning.

Defer kfree() using RCU so that the attached BPF program runs
without holding psock->link_lock.

Reported-by: syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=ec941d6e24f633a59172
Tested-by: syzbot+ec941d6e24f633a59172@syzkaller.appspotmail.com
Reported-by: syzbot+a4ed4041b9bea8177ac3@syzkaller.appspotmail.com
Closes: https://syzkaller.appspot.com/bug?extid=a4ed4041b9bea8177ac3
Tested-by: syzbot+a4ed4041b9bea8177ac3@syzkaller.appspotmail.com
Signed-off-by: Tetsuo Handa <penguin-kernel@I-love.SAKURA.ne.jp>
---
 include/linux/skmsg.h | 7 +++++--
 net/core/skmsg.c      | 2 ++
 net/core/sock_map.c   | 2 ++
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h
index a509caf823d6..66590f20b777 100644
--- a/include/linux/skmsg.h
+++ b/include/linux/skmsg.h
@@ -66,7 +66,10 @@ enum sk_psock_state_bits {
 };
 
 struct sk_psock_link {
-	struct list_head		list;
+	union {
+		struct list_head	list;
+		struct rcu_head		rcu;
+	};
 	struct bpf_map			*map;
 	void				*link_raw;
 };
@@ -418,7 +421,7 @@ static inline struct sk_psock_link *sk_psock_init_link(void)
 
 static inline void sk_psock_free_link(struct sk_psock_link *link)
 {
-	kfree(link);
+	kfree_rcu(link, rcu);
 }
 
 struct sk_psock_link *sk_psock_link_pop(struct sk_psock *psock);
diff --git a/net/core/skmsg.c b/net/core/skmsg.c
index fd20aae30be2..9cebfeecd3c9 100644
--- a/net/core/skmsg.c
+++ b/net/core/skmsg.c
@@ -791,10 +791,12 @@ static void sk_psock_link_destroy(struct sk_psock *psock)
 {
 	struct sk_psock_link *link, *tmp;
 
+	rcu_read_lock();
 	list_for_each_entry_safe(link, tmp, &psock->link, list) {
 		list_del(&link->list);
 		sk_psock_free_link(link);
 	}
+	rcu_read_unlock();
 }
 
 void sk_psock_stop(struct sk_psock *psock)
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 8598466a3805..8bec4b7a8ec7 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -142,6 +142,7 @@ static void sock_map_del_link(struct sock *sk,
 	bool strp_stop = false, verdict_stop = false;
 	struct sk_psock_link *link, *tmp;
 
+	rcu_read_lock();
 	spin_lock_bh(&psock->link_lock);
 	list_for_each_entry_safe(link, tmp, &psock->link, list) {
 		if (link->link_raw == link_raw) {
@@ -159,6 +160,7 @@ static void sock_map_del_link(struct sock *sk,
 		}
 	}
 	spin_unlock_bh(&psock->link_lock);
+	rcu_read_unlock();
 	if (strp_stop || verdict_stop) {
 		write_lock_bh(&sk->sk_callback_lock);
 		if (strp_stop)
-- 
2.34.1