From: Martin KaFai Lau <martin.lau@linux.dev>
To: Kui-Feng Lee <kuifeng@meta.com>
Cc: bpf@vger.kernel.org, ast@kernel.org, song@kernel.org,
	kernel-team@meta.com
Subject: Re: [PATCH bpf v2] bpf: Fix the kernel crash caused by bpf_setsockopt().
Date: Thu, 26 Jan 2023 23:33:51 -0800
Message-ID: <b7e314d9-ca96-520c-6923-885baebf20b5@linux.dev>
In-Reply-To: <20230127001732.4162630-1-kuifeng@meta.com>

On 1/26/23 4:17 PM, Kui-Feng Lee wrote:
> The kernel crash was caused by a BPF program attached to the
> "lsm_cgroup/socket_sock_rcv_skb" hook, which performed a call to
> `bpf_setsockopt()` in order to set the TCP_NODELAY flag as an
> example. Flags like TCP_NODELAY can prompt the kernel to flush a
> socket's outgoing queue, and this hook
> "lsm_cgroup/socket_sock_rcv_skb" is frequently triggered by
> softirqs. The issue was that in certain circumstances, when
> `tcp_write_xmit()` was called to flush the queue, it would also allow
> BH (bottom-half) to run. This could lead to our program attempting to
> flush the same socket recursively, which caused a `skbuf` to be
> unlinked twice.
> 
> `security_sock_rcv_skb()` is triggered by `tcp_filter()`. This occurs
> before the sock ownership is checked in `tcp_v4_rcv()`. Consequently,
> if a bpf program runs on `security_sock_rcv_skb()` while under softirq
> conditions, it may not possess the lock needed for `bpf_setsoppt()`,
> thus presenting an issue.

Fixed a few minor things like s/bpf_setsoppt/bpf_setsockopt/
and s/skbuf/skbuff/.

Applied. Thanks.
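As an added illustration (not part of this thread, and not the kernel's code or the patch that was applied), the following userspace C model reproduces the re-entrancy the commit message describes: a flush of the socket write queue lets a pending softirq run, the softirq hook calls setsockopt(TCP_NODELAY) without holding the sock lock, the nested flush unlinks the same skb the outer flush is working on, and the outer flush then unlinks it a second time. All names here (skb_model, sock_model, bpf_setsockopt_model, rcv_skb_softirq, tcp_write_xmit_model) are hypothetical stand-ins for the kernel paths named above, the three queued packets are constructed sample data, and the `guarded` flag models a generic "caller must hold the sock lock" check; it is an assumption for the model, not a statement of how the actual patch fixes the bug.

```c
/* Added userspace model of the re-entrancy bug; not kernel code.
 * All identifiers are hypothetical stand-ins for the kernel paths. */
#include <stdbool.h>
#include <stdio.h>

enum ctx { CTX_PROCESS, CTX_SOFTIRQ };

struct skb_model {
	struct skb_model *next, *prev;
	int id;
	bool linked;
};

struct sock_model {
	struct skb_model head;      /* sentinel of the write queue */
	struct skb_model bufs[3];   /* constructed sample packets */
	enum ctx lock_owner;        /* who holds the sock lock (model of lock_sock) */
	bool softirq_pending;       /* a receive softirq is waiting to run */
	bool guarded;               /* refuse setsockopt without the lock? (assumed check) */
	int double_unlinks;         /* the defect we are looking for */
};

static void queue_init(struct sock_model *sk)
{
	sk->head.next = sk->head.prev = &sk->head;
	sk->head.linked = false;            /* sentinel, never unlinked */
	for (int i = 0; i < 3; i++) {
		struct skb_model *s = &sk->bufs[i];
		s->id = i;
		s->linked = true;
		s->prev = sk->head.prev;
		s->next = &sk->head;
		sk->head.prev->next = s;
		sk->head.prev = s;
	}
}

static int queue_len(const struct sock_model *sk)
{
	int n = 0;
	for (const struct skb_model *s = sk->head.next; s != &sk->head; s = s->next)
		n++;
	return n;
}

/* In the kernel a second unlink corrupts the list; here we just count it. */
static void skb_unlink(struct sock_model *sk, struct skb_model *s)
{
	if (!s->linked) {
		sk->double_unlinks++;
		return;
	}
	s->prev->next = s->next;
	s->next->prev = s->prev;
	s->linked = false;
}

static void tcp_write_xmit_model(struct sock_model *sk, enum ctx who);

/* Model of bpf_setsockopt(TCP_NODELAY): setting the flag flushes the queue. */
static int bpf_setsockopt_model(struct sock_model *sk, enum ctx who)
{
	if (sk->guarded && sk->lock_owner != who)
		return -1;              /* caller does not hold the sock lock: refuse */
	tcp_write_xmit_model(sk, who);
	return 0;
}

/* The hook: security_sock_rcv_skb() runs from tcp_filter() in softirq context,
 * before the ownership check, and the attached program calls setsockopt. */
static void rcv_skb_softirq(struct sock_model *sk)
{
	(void)bpf_setsockopt_model(sk, CTX_SOFTIRQ);
}

static void tcp_write_xmit_model(struct sock_model *sk, enum ctx who)
{
	(void)who;
	while (sk->head.next != &sk->head) {
		struct skb_model *s = sk->head.next;
		/* transmitting re-enables BH: a pending softirq runs now and may re-enter */
		if (sk->softirq_pending) {
			sk->softirq_pending = false;
			rcv_skb_softirq(sk);
		}
		skb_unlink(sk, s);          /* second unlink if the nested flush got here first */
	}
}

/* Process context sets TCP_NODELAY while holding the lock; a softirq is pending. */
static void run(struct sock_model *sk, bool guarded)
{
	sk->lock_owner = CTX_PROCESS;
	sk->softirq_pending = true;
	sk->guarded = guarded;
	sk->double_unlinks = 0;
	queue_init(sk);
	(void)bpf_setsockopt_model(sk, CTX_PROCESS);
}

static int scenario_double_unlinks(bool guarded)
{
	struct sock_model sk = { 0 };
	run(&sk, guarded);
	return sk.double_unlinks;
}

static int scenario_remaining(bool guarded)
{
	struct sock_model sk = { 0 };
	run(&sk, guarded);
	return queue_len(&sk);
}

int main(void)
{
	printf("unguarded: double unlinks=%d, left in queue=%d\n",
	       scenario_double_unlinks(false), scenario_remaining(false));
	printf("guarded:   double unlinks=%d, left in queue=%d\n",
	       scenario_double_unlinks(true), scenario_remaining(true));
	return 0;
}
```

In the unguarded run the nested flush drains the queue from under the outer loop, and the outer loop's saved skb is unlinked a second time; with the lock-ownership check the softirq caller is refused, the single flush drains all three packets, and no skb is touched twice. The model only counts the second unlink; the kernel's doubly linked list would be corrupted at that point, which is the crash the patch addresses.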



Thread overview: 3+ messages
2023-01-27  0:17 [PATCH bpf v2] bpf: Fix the kernel crash caused by bpf_setsockopt() Kui-Feng Lee
2023-01-27  7:33 ` Martin KaFai Lau [this message]
2023-01-27  7:40 ` patchwork-bot+netdevbpf
