From: Jakub Sitnicki <jakub@cloudflare.com>
To: John Fastabend <john.fastabend@gmail.com>
Cc: rivendell7@gmail.com, kuniyu@amazon.com, bpf@vger.kernel.org,
netdev@vger.kernel.org
Subject: Re: [PATCH bpf 1/5] bpf: sockmap, fix proto update hook to avoid dup calls
Date: Tue, 02 Jan 2024 13:00:09 +0100 [thread overview]
Message-ID: <87zfxoueqe.fsf@cloudflare.com> (raw)
In-Reply-To: <20231221232327.43678-2-john.fastabend@gmail.com>
On Thu, Dec 21, 2023 at 03:23 PM -08, John Fastabend wrote:
> When sockets are added to a sockmap or sockhash we allocate and init a
> psock. Then update the proto ops with sock_map_init_proto the flow is
>
> sock_hash_update_common
> sock_map_link
> psock = sock_map_psock_get_checked() <-returns existing psock
> sock_map_init_proto(sk, psock) <- updates sk_proto
>
> If the socket is already in a map this results in the sock_map_init_proto
> being called multiple times on the same socket. We do this because when
> a socket is added to multiple maps this might result in a new set of BPF
> programs being attached to the socket requiring an updated ops struct.
>
> This creates a rule where it must be safe to call psock_update_sk_prot
> multiple times. When we added a fix for UAF through unix sockets in patch
> 4dd9a38a753fc we broke this rule by adding a sock_hold in that path
> to ensure the sock is not released. The result is if a af_unix stream sock
> is placed in multiple maps it results in a memory leak because we call
> sock_hold multiple times with only a single sock_put on it.
>
> Fixes: 4dd9a38a753fc ("bpf: sockmap, fix proto update hook to avoid dup calls")
> Rebported-by: Xingwei Lee <xrivendell7@gmail.com>
Nit: Typo ^
> Signed-off-by: John Fastabend <john.fastabend@gmail.com>
> ---
[...]
next prev parent reply other threads:[~2024-01-02 12:00 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-12-21 23:23 [PATCH bpf 0/5] fix sockmap + stream af_unix memleak John Fastabend
2023-12-21 23:23 ` [PATCH bpf 1/5] bpf: sockmap, fix proto update hook to avoid dup calls John Fastabend
2024-01-02 12:00 ` Jakub Sitnicki [this message]
2024-01-04 1:00 ` Martin KaFai Lau
2024-01-04 3:47 ` John Fastabend
2023-12-21 23:23 ` [PATCH bpf 2/5] bpf: sockmap, added comments describing update proto rules John Fastabend
2023-12-21 23:23 ` [PATCH bpf 3/5] bpf: sockmap, add tests for proto updates many to single map John Fastabend
2023-12-21 23:23 ` [PATCH bpf 4/5] bpf: sockmap, add tests for proto updates single socket to many map John Fastabend
2023-12-21 23:23 ` [PATCH bpf 5/5] bpf: sockmap, add tests for proto updates replace socket John Fastabend
2024-01-02 15:18 ` [PATCH bpf 0/5] fix sockmap + stream af_unix memleak Jakub Sitnicki
2024-01-02 23:49 ` John Fastabend
2024-01-04 1:00 ` patchwork-bot+netdevbpf
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87zfxoueqe.fsf@cloudflare.com \
--to=jakub@cloudflare.com \
--cc=bpf@vger.kernel.org \
--cc=john.fastabend@gmail.com \
--cc=kuniyu@amazon.com \
--cc=netdev@vger.kernel.org \
--cc=rivendell7@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.