Skip to content

Commit e19b551

Browse files
dmantipovNipaLocal
dmantipov
authored and
NipaLocal
committed
net: sockmap: avoid race between sock_map_destroy() and sk_psock_put()
Syzbot has triggered the following race condition: On CPU0, 'sk_psock_drop()' (most likely scheduled from 'sock_map_unref()' called by 'sock_map_update_common()') is running at [1]: void sk_psock_drop(struct sock *sk, struct sk_psock *psock) { write_lock_bh(&sk->sk_callback_lock); sk_psock_restore_proto(sk, psock); [1] rcu_assign_sk_user_data(sk, NULL); [2] ... } If 'sock_map_destroy()' is scheduled on CPU1 at the same time, psock is always NULL at [3]. But, since [1] may be is in progress during [4], the value of 'saved_destroy' at this point is undefined: void sock_map_destroy(struct sock *sk) { void (*saved_destroy)(struct sock *sk); struct sk_psock *psock; rcu_read_lock(); psock = sk_psock_get(sk); [3] if (unlikely(!psock)) { rcu_read_unlock(); saved_destroy = READ_ONCE(sk->sk_prot)->destroy; [4] } else { saved_destroy = psock->saved_destroy; [5] sock_map_remove_links(sk, psock); rcu_read_unlock(); sk_psock_stop(psock); sk_psock_put(sk, psock); } if (WARN_ON_ONCE(saved_destroy == sock_map_destroy)) return; if (saved_destroy) saved_destroy(sk); } Fix this issue in 3 steps: 1. Prefer 'sk_psock()' over 'sk_psock_get()' at [3]. Since zero refcount is ignored, 'psock' is non-NULL until [2] is completed. 2. Add read lock around [5], to make sure that [1] is not in progress when the former is executed. 3. Since 'sk_psock()' does not adjust reference counting, drop 'sk_psock_put()' and redundant 'sk_psock_stop()' (which is executed by 'sk_psock_drop()' anyway). Fixes: 5b4a79b ("bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself") Reported-by: [email protected] Closes: https://syzkaller.appspot.com/bug?extid=f363afac6b0ace576f45 Signed-off-by: Dmitry Antipov <[email protected]> Signed-off-by: NipaLocal <nipa@local>
1 parent b5109b6 commit e19b551

File tree

1 file changed

+3
-3
lines changed

1 file changed

+3
-3
lines changed

net/core/sock_map.c

Lines changed: 3 additions & 3 deletions
Original file line numberDiff line numberDiff line change
@@ -1650,16 +1650,16 @@ void sock_map_destroy(struct sock *sk)
16501650
struct sk_psock *psock;
16511651

16521652
rcu_read_lock();
1653-
psock = sk_psock_get(sk);
1653+
psock = sk_psock(sk);
16541654
if (unlikely(!psock)) {
16551655
rcu_read_unlock();
16561656
saved_destroy = READ_ONCE(sk->sk_prot)->destroy;
16571657
} else {
1658+
read_lock_bh(&sk->sk_callback_lock);
16581659
saved_destroy = psock->saved_destroy;
1660+
read_unlock_bh(&sk->sk_callback_lock);
16591661
sock_map_remove_links(sk, psock);
16601662
rcu_read_unlock();
1661-
sk_psock_stop(psock);
1662-
sk_psock_put(sk, psock);
16631663
}
16641664
if (WARN_ON_ONCE(saved_destroy == sock_map_destroy))
16651665
return;

0 commit comments

Comments
 (0)