git.baikalelectronics.ru Git - kernel.git/commit

author	John Fastabend <john.fastabend@gmail.com>
	Fri, 19 Jul 2019 17:29:19 +0000 (10:29 -0700)
committer	Daniel Borkmann <daniel@iogearbox.net>
	Mon, 22 Jul 2019 14:04:17 +0000 (16:04 +0200)
commit	985668879f8747d65d41814ac490e17c9399b030
tree	08c6b20c0f3f00de939f03be1d6f57e941e78ae3	tree \| snapshot
parent	3fdfa2c176ad0af531e60bfef9e0fad47cc28d22	commit \| diff

bpf: sockmap, sock_map_delete needs to use xchg

__sock_map_delete() may be called from a tcp event such as unhash or
close from the following trace,

  tcp_bpf_close()
    tcp_bpf_remove()
      sk_psock_unlink()
        sock_map_delete_from_link()
          __sock_map_delete()

In this case the sock lock is held but this only protects against
duplicate removals on the TCP side. If the map is free'd then we have
this trace,

  sock_map_free
    xchg()                  <- replaces map entry
    sock_map_unref()
      sk_psock_put()
        sock_map_del_link()

The __sock_map_delete() call however uses a read, test, null over the
map entry which can result in both paths trying to free the map
entry.

To fix use xchg in TCP paths as well so we avoid having two references
to the same map entry.

Fixes: 38506f4bbc9de ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>