From: Stanislav Fomichev <stfomichev@gmail.com>
To: Cong Wang <xiyou.wangcong@gmail.com>
Cc: Dong Chenchen <dongchenchen2@huawei.com>,
edumazet@google.com, kuniyu@amazon.com, pabeni@redhat.com,
willemb@google.com, john.fastabend@gmail.com,
jakub@cloudflare.com, davem@davemloft.net, kuba@kernel.org,
horms@kernel.org, daniel@iogearbox.net, netdev@vger.kernel.org,
bpf@vger.kernel.org, zhangchangzhong@huawei.com,
weiyongjun1@huawei.com
Subject: Re: [PATCH net] bpf, sockmap: Restore sk_prot ops when psock is removed from sockmap
Date: Wed, 5 Mar 2025 11:35:18 -0800
Message-ID: <Z8indgh3Gv0ChOIX@mini-arch>
In-Reply-To: <Z8iUG8aTF9Kww09z@pop-os.localdomain>

On 03/05, Cong Wang wrote:
> On Wed, Mar 05, 2025 at 10:02:34PM +0800, Dong Chenchen wrote:
> > WARNING: CPU: 0 PID: 6558 at net/core/sock_map.c:1703 sock_map_close+0x3c4/0x480
> > Modules linked in:
> > CPU: 0 UID: 0 PID: 6558 Comm: syz-executor.14 Not tainted 6.14.0-rc5+ #238
> > RIP: 0010:sock_map_close+0x3c4/0x480
> > Call Trace:
> > <TASK>
> > inet_release+0x144/0x280
> > __sock_release+0xb8/0x270
> > sock_close+0x1e/0x30
> > __fput+0x3c6/0xb30
> > __fput_sync+0x7b/0x90
> > __x64_sys_close+0x90/0x120
> > do_syscall_64+0x5d/0x170
> > entry_SYSCALL_64_after_hwframe+0x76/0x7e
> >
> > The root cause is:
> > sock_hash_update_common
> >   sock_map_unref
> >     sock_map_del_link
> >       psock->psock_update_sk_prot(sk, psock, false);
> >       //false won't restore proto
> >     sk_psock_put
> >       rcu_assign_sk_user_data(sk, NULL);
> > inet_release
> >   sk->sk_prot->close
> >     sock_map_close
> >       WARN(sk->sk_prot->close == sock_map_close)
> >
> > When psock is removed from sockmap, sock_map_del_link() still sets
> > sk->sk_prot to bpf proto instead of restoring it (for incorrect restore
> > value). sock release will trigger warning of sock_map_close() for
> > recurse after psock drop.
>
> But sk_psock_drop() restores it with sk_psock_restore_proto() after the
> psock reference count goes to zero. So how could the above happen?

[..]

> By the way, it would be perfect if you could add a test case for it
> together with this patch (a followup patch is fine too).

There is tools/testing/selftests/bpf/test_maps.c that gets broken by this
patch:

  Failed map_fd_msg update sockmap -16

---
pw-bot: cr