From: Jakub Sitnicki <jakub@cloudflare.com>
To: bpf@vger.kernel.org
Cc: John Fastabend <john.fastabend@gmail.com>,
Martin KaFai Lau <kafai@fb.com>,
netdev@vger.kernel.org, kernel-team@cloudflare.com
Subject: [RFC bpf-next 3/5] bpf, sockmap: Don't let child socket inherit psock or its ops on copy
Date: Tue, 22 Oct 2019 13:37:28 +0200
Message-ID: <20191022113730.29303-4-jakub@cloudflare.com>
In-Reply-To: <20191022113730.29303-1-jakub@cloudflare.com>

New sockets cloned from listening sockets that are in a sockmap must not
inherit the psock that has the link to the sockmap. Otherwise child sockets
unintentionally share the sockmap entry with the listening socket, which
leads to double-free on socket close.

Prevent it by overloading the accept callback. In it we restore the
protocol and write buffer callbacks and clear the pointer to psock.

Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
---
net/ipv4/tcp_bpf.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index 8a56e09cfb0e..5838aaba4ce0 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -582,6 +582,35 @@ static void tcp_bpf_close(struct sock *sk, long timeout)
saved_close(sk, timeout);
}
+static struct sock *tcp_bpf_accept(struct sock *sk, int flags, int *err,
+ bool kern)
+{
+ void (*saved_write_space)(struct sock *sk);
+ struct proto *saved_proto;
+ struct sk_psock *psock;
+ struct sock *child;
+
+ rcu_read_lock();
+ psock = sk_psock(sk);
+ if (unlikely(!psock)) {
+ rcu_read_unlock();
+ return sk->sk_prot->accept(sk, flags, err, kern);
+ }
+ saved_proto = psock->sk_proto;
+ saved_write_space = psock->saved_write_space;
+ rcu_read_unlock();
+
+ child = saved_proto->accept(sk, flags, err, kern);
+ if (!child)
+ return NULL;
+
+ /* Child must not inherit psock or its ops. */
+ rcu_assign_sk_user_data(child, NULL);
+ child->sk_prot = saved_proto;
+ child->sk_write_space = saved_write_space;
+ return child;
+}
+
enum {
TCP_BPF_IPV4,
TCP_BPF_IPV6,
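Review bot: in tcp_bpf_accept() the child is only cleaned up after saved_proto->accept() returns, so the reset of sk_user_data, sk_prot and sk_write_space happens when userspace dequeues the child, not when it is cloned. The commit message describes the child as cloned from the listener, and TCP creates it at handshake completion, so a child that sits in the accept queue and is closed without ever being accepted still carries the listener's psock pointer and the tcp_bpf ops, which is the shared state the commit message ties to the double-free. Consider clearing the inherited state at clone time, or state in the commit message why unaccepted children are safe. Separately, the !psock fallback calls sk->sk_prot->accept(); if sk_prot still points at the tcp_bpf proto at that moment this re-enters tcp_bpf_accept(), so a comment (or a check) documenting that sk_prot has already been restored whenever sk_psock() returns NULL would help. It is also worth a line explaining why saved_proto may be dereferenced after rcu_read_unlock() without holding a reference on the psock.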
@@ -606,6 +635,7 @@ static void tcp_bpf_rebuild_protos(struct proto prot[TCP_BPF_NUM_CFGS],
prot[TCP_BPF_BASE].close = tcp_bpf_close;
prot[TCP_BPF_BASE].recvmsg = tcp_bpf_recvmsg;
prot[TCP_BPF_BASE].stream_memory_read = tcp_bpf_stream_read;
+ prot[TCP_BPF_BASE].accept = tcp_bpf_accept;
prot[TCP_BPF_TX] = prot[TCP_BPF_BASE];
prot[TCP_BPF_TX].sendmsg = tcp_bpf_sendmsg;
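Review bot: the new prot[TCP_BPF_BASE].accept assignment carries no comment, and unlike the neighbouring close/recvmsg/stream_memory_read overrides it is a control-path callback that only matters for listening sockets. Because it is set on TCP_BPF_BASE before the prot[TCP_BPF_TX] = prot[TCP_BPF_BASE] copy, every derived config gets it, including configs used by established sockets that never call accept. That is harmless, but a one-line comment saying the override exists so children do not inherit the psock would make the intent clear to the next reader of tcp_bpf_rebuild_protos().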
--
2.20.1