    bpf: sockmap, sock_map_delete needs to use xchg · 45a4521d
    John Fastabend authored
    __sock_map_delete() may be called from a tcp event such as unhash or
    close from the following trace,
    
      tcp_bpf_close()
        tcp_bpf_remove()
          sk_psock_unlink()
            sock_map_delete_from_link()
              __sock_map_delete()
    
    In this case the sock lock is held but this only protects against
    duplicate removals on the TCP side. If the map is free'd then we have
    this trace,
    
      sock_map_free
        xchg()                  <- replaces map entry
        sock_map_unref()
          sk_psock_put()
            sock_map_del_link()
    
    The __sock_map_delete() call however uses a read, test, null over the
    map entry which can result in both paths trying to free the map
    entry.
    
    To fix use xchg in TCP paths as well so we avoid having two references
    to the same map entry.
    
    Fixes: 604326b4 ("bpf, sockmap: convert to generic sk_msg interface")
    Signed-off-by: John Fastabend <john.fastabend@gmail.com>
    Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
sock_map.c 23.6 KB
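
The double release described in the commit message, as an added userspace model using C11 atomics (not code from the commit or from sock_map.c). The struct, slot and function names are constructed for illustration, and the interleaving of the two paths is replayed sequentially so the result is deterministic.

```c
#include <stdatomic.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed model: one map slot and an entry that counts its releases. */
struct entry { int puts; };
typedef struct entry *_Atomic slot_t;

static void entry_put(struct entry *e) { if (e) e->puts++; }

/* xchg-style removal: only the caller that gets the pointer releases it. */
static void xchg_delete(slot_t *slot)
{
    entry_put(atomic_exchange(slot, (struct entry *)NULL));
}

/* Delete path does read, test, null while the free path does xchg. */
int puts_with_read_test_null(void)
{
    struct entry e = {0};
    slot_t slot = &e;

    struct entry *seen = atomic_load(&slot);        /* delete path: read */
    xchg_delete(&slot);                             /* free path runs in between */
    if (seen) {                                     /* delete path: test stale copy */
        atomic_store(&slot, (struct entry *)NULL);  /* delete path: null */
        entry_put(seen);                            /* second release of same entry */
    }
    return e.puts;
}

/* Both paths use the exchange: the second caller gets NULL and does nothing. */
int puts_with_xchg(void)
{
    struct entry e = {0};
    slot_t slot = &e;

    xchg_delete(&slot);  /* delete path */
    xchg_delete(&slot);  /* free path */
    return e.puts;
}

int main(void)
{
    printf("read/test/null vs xchg: %d releases\n", puts_with_read_test_null());
    printf("xchg vs xchg:           %d releases\n", puts_with_xchg());
    return 0;
}
```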