From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-6.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_PATCH,MAILING_LIST_MULTI,SIGNED_OFF_BY, SPF_HELO_NONE,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 0FAE9C7618F for ; Mon, 15 Jul 2019 20:49:39 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id D5AA12145D for ; Mon, 15 Jul 2019 20:49:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="Mt//Z6oj" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1732382AbfGOUti (ORCPT ); Mon, 15 Jul 2019 16:49:38 -0400 Received: from mail-ot1-f68.google.com ([209.85.210.68]:40949 "EHLO mail-ot1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1729505AbfGOUti (ORCPT ); Mon, 15 Jul 2019 16:49:38 -0400 Received: by mail-ot1-f68.google.com with SMTP id y20so2595937otk.7; Mon, 15 Jul 2019 13:49:37 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=subject:from:to:cc:date:message-id:in-reply-to:references :user-agent:mime-version:content-transfer-encoding; bh=ZHj7FzG6KKRySBDBc7TLYiAyMZ+JKkfDT3AI7gRaHYQ=; b=Mt//Z6ojehdLRVZBQxlCutK6O9L5omSoMegkQTdhEZP6Q7s04Y4PvQAXrgrc3BCawd hGJMZAakxhxLUJhPoHp/lTI4GECdjUZIEObeTU5MJruCYURri6QNjWphmKgNmgU5ZzQA VFyyhfirSahfcBVF8LzNx3kY+8GJb4qgbaMt42u5Jp8/FJCOB+JKC0y3DAzBlsK9/r7E jDqGBxru+pQr3RFu7faSR95PA51KraZhDVPrc7/lvaOFE1y5izXUpcIIRsl3OFx5Rfi0 CXipNfseLMejqrLdmgKXnr7RPuIEqCeHhMTmzKxbHVmQVi1/U8XlmOB6mzgagzCMoCns fOjg== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:from:to:cc:date:message-id:in-reply-to :references:user-agent:mime-version:content-transfer-encoding; bh=ZHj7FzG6KKRySBDBc7TLYiAyMZ+JKkfDT3AI7gRaHYQ=; b=mWihltdDWo4xYboR/JI7V0ppjTKGTgMfVeFkSI0UPxGpwPFHJnm3bJTIq+rGfoW5c/ TzKY64TNXhdLiaF0WHL/MA798rrUe+6uN4vcJkncA3SUdyh82D6EMqqh8x6K6PY+X0tl FA0KU76VyEnHVsyvNs/PHRTxWCFh9AYgi28WRaGOeCwvyp3jJf54C01XTIF0bUo8L8/+ bmPFntIuMk1FJAer6XzjIcL9t6WlnO7bYqfO3745IlFGxuIJ8TNoPYqbFByJtaRMd7eB uBW/hrVgSNSrsE7qQe4mYFjOumuMH+i5hX3nkFtoyLZfkis3qvY9/urv8w8Vx40g1VmL CsaA== X-Gm-Message-State: APjAAAUXsw9At+DwyL24jj24NDGT4qy1Gv45kKX+0P7GuStHiTnO2aoy BWjn5wFVqruygavvGKPXwvA= X-Google-Smtp-Source: APXvYqygiZIHfhM2/ndiQzWwnORwOI00rpzymuG4yHtWBM8FxSllf08V/erRJpNnB8kaGf3ElvX0ow== X-Received: by 2002:a9d:7e6:: with SMTP id 93mr22157851oto.143.1563223777358; Mon, 15 Jul 2019 13:49:37 -0700 (PDT) Received: from [127.0.1.1] ([99.0.85.34]) by smtp.gmail.com with ESMTPSA id d22sm6381356oig.38.2019.07.15.13.49.36 (version=TLS1_3 cipher=AEAD-AES256-GCM-SHA384 bits=256/256); Mon, 15 Jul 2019 13:49:36 -0700 (PDT) Subject: [bpf PATCH v3 5/8] bpf: sockmap, sock_map_delete needs to use xchg From: John Fastabend To: jakub.kicinski@netronome.com, ast@kernel.org, daniel@iogearbox.net Cc: netdev@vger.kernel.org, edumazet@google.com, john.fastabend@gmail.com, bpf@vger.kernel.org Date: Mon, 15 Jul 2019 13:49:35 -0700 Message-ID: <156322377575.18678.9230942769643387694.stgit@john-XPS-13-9370> In-Reply-To: <156322373173.18678.6003379631139659856.stgit@john-XPS-13-9370> References: <156322373173.18678.6003379631139659856.stgit@john-XPS-13-9370> User-Agent: StGit/0.17.1-dirty MIME-Version: 1.0 Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 7bit Sender: bpf-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: bpf@vger.kernel.org __sock_map_delete() may be called from a tcp event such as unhash or close from the following trace, tcp_bpf_close() tcp_bpf_remove() sk_psock_unlink() sock_map_delete_from_link() __sock_map_delete() In this case the sock lock is held but this only protects against duplicate removals on the TCP side. If the map is free'd then we have this trace, sock_map_free xchg() <- replaces map entry sock_map_unref() sk_psock_put() sock_map_del_link() The __sock_map_delete() call however uses a read, test, null over the map entry which can result in both paths trying to free the map entry. To fix use xchg in TCP paths as well so we avoid having two references to the same map entry. Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: John Fastabend --- net/core/sock_map.c | 14 +++++++++----- 1 file changed, 9 insertions(+), 5 deletions(-) diff --git a/net/core/sock_map.c b/net/core/sock_map.c index 52d4faeee18b..28702f2e9a4a 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -276,16 +276,20 @@ static int __sock_map_delete(struct bpf_stab *stab, struct sock *sk_test, struct sock **psk) { struct sock *sk; + int err = 0; raw_spin_lock_bh(&stab->lock); sk = *psk; if (!sk_test || sk_test == sk) - *psk = NULL; + sk = xchg(psk, NULL); + + if (likely(sk)) + sock_map_unref(sk, psk); + else + err = -EINVAL; + raw_spin_unlock_bh(&stab->lock); - if (unlikely(!sk)) - return -EINVAL; - sock_map_unref(sk, psk); - return 0; + return err; } static void sock_map_delete_from_link(struct bpf_map *map, struct sock *sk,