From: Jakub Sitnicki
Date: Tue, 21 Jan 2020 12:31:47 +0000 (+0100)
Subject: net, sk_msg: Don't check if sock is locked when tearing down psock
X-Git-Tag: baikal/mips/sdk5.9~14509^2~34
X-Git-Url: https://git.baikalelectronics.ru/sdk/?a=commitdiff_plain;h=cd3b979330d9c7c76a62da297e08743b3cd9e0ee;p=kernel.git

net, sk_msg: Don't check if sock is locked when tearing down psock

As John Fastabend reports [0], psock state tear-down can happen on receive
path *after* unlocking the socket, if the only other psock user, that is
sockmap or sockhash, releases its psock reference before tcp_bpf_recvmsg
does so:

 tcp_bpf_recvmsg()
  psock = sk_psock_get(sk)                          <- refcnt 2
  lock_sock(sk);
  ...
                                  sock_map_free()   <- refcnt 1
  release_sock(sk)
  sk_psock_put()                                    <- refcnt 0

Remove the lockdep check for socket lock in psock tear-down that got
introduced in 5fc6321e4997 ("bpf: Sockmap, ensure sock lock held during
tear down").

[0] https://lore.kernel.org/netdev/5e25dc995d7d_74082aaee6e465b441@john-XPS-13-9370.notmuch/

Fixes: 5fc6321e4997 ("bpf: Sockmap, ensure sock lock held during tear down")
Reported-by: syzbot+d73682fcf7fee6982fe3@syzkaller.appspotmail.com
Suggested-by: John Fastabend
Signed-off-by: Jakub Sitnicki
Acked-by: John Fastabend
Acked-by: Daniel Borkmann
Signed-off-by: David S. Miller
---

diff --git a/net/core/skmsg.c b/net/core/skmsg.c index 3866d7e20c07a..ded2d52276786 100644 --- a/net/core/skmsg.c +++ b/net/core/skmsg.c @@ -594,8 +594,6 @@ EXPORT_SYMBOL_GPL(sk_psock_destroy); void sk_psock_drop(struct sock *sk, struct sk_psock *psock) { - sock_owned_by_me(sk); - sk_psock_cork_free(psock); sk_psock_zap_ingress(psock);
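
Review bot: With sock_owned_by_me(sk) removed from the top of sk_psock_drop(), nothing in the function records which locking contexts it may be entered from, so the assertion is likely to be re-added by a later cleanup. The commit message shows the function being reached through sk_psock_put() after release_sock(sk) once the refcount drops to 0; a short comment above sk_psock_drop() stating that the caller may or may not hold the socket lock would capture that. The comment should also say what makes the sk_psock_cork_free(psock) and sk_psock_zap_ingress(psock) calls that follow safe on the unlocked path, since the hunk leaves them unchanged and the message does not address it.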