Re: [PATCH bpf-next v5] bpf, sockmap: avoid using sk_socket after free when sending

bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: John Fastabend <john.fastabend@gmail.com>
To: Jiayuan Chen <jiayuan.chen@linux.dev>
Cc: bpf@vger.kernel.org, Michal Luczaj <mhal@rbox.co>,
	Jakub Sitnicki <jakub@cloudflare.com>,
	"David S. Miller" <davem@davemloft.net>,
	Eric Dumazet <edumazet@google.com>,
	Jakub Kicinski <kuba@kernel.org>, Paolo Abeni <pabeni@redhat.com>,
	Simon Horman <horms@kernel.org>,
	Alexei Starovoitov <ast@kernel.org>,
	Cong Wang <cong.wang@bytedance.com>,
	netdev@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH bpf-next v5] bpf, sockmap: avoid using sk_socket after free when sending
Date: Wed, 14 May 2025 22:53:56 -0700	[thread overview]
Message-ID: <20250515055356.bgevcqwkyv3q7acr@gmail.com> (raw)
In-Reply-To: <20250508061825.51896-1-jiayuan.chen@linux.dev>

On 2025-05-08 14:18:25, Jiayuan Chen wrote:
> The sk->sk_socket is not locked or referenced in backlog thread, and
> during the call to skb_send_sock(), there is a race condition with
> the release of sk_socket. All types of sockets(tcp/udp/unix/vsock)
> will be affected.
> 
> Race conditions:
> '''
> CPU0                               CPU1
> 
> backlog::skb_send_sock
>   sendmsg_unlocked
>     sock_sendmsg
>       sock_sendmsg_nosec
>                                    close(fd):
>                                      ...
>                                      ops->release() -> sock_map_close()
>                                      sk_socket->ops = NULL
>                                      free(socket)
>       sock->ops->sendmsg
>             ^
>             panic here
> '''
> 
> The ref of psock become 0 after sock_map_close() executed.
> '''
> void sock_map_close()
> {
>     ...
>     if (likely(psock)) {
>     ...
>     // !! here we remove psock and the ref of psock become 0
>     sock_map_remove_links(sk, psock)
>     psock = sk_psock_get(sk);
>     if (unlikely(!psock))
>         goto no_psock; <=== Control jumps here via goto
>         ...
>         cancel_delayed_work_sync(&psock->work); <=== not executed
>         sk_psock_put(sk, psock);
>         ...
> }
> '''
> 
> Based on the fact that we already wait for the workqueue to finish in
> sock_map_close() if psock is held, we simply increase the psock
> reference count to avoid race conditions.
> 
> With this patch, if the backlog thread is running, sock_map_close() will
> wait for the backlog thread to complete and cancel all pending work.
> 
> If no backlog running, any pending work that hasn't started by then will
> fail when invoked by sk_psock_get(), as the psock reference count have
> been zeroed, and sk_psock_drop() will cancel all jobs via
> cancel_delayed_work_sync().
> 
> In summary, we require synchronization to coordinate the backlog thread
> and close() thread.
> 
> The panic I catched:
> '''
> Workqueue: events sk_psock_backlog
> RIP: 0010:sock_sendmsg+0x21d/0x440
> RAX: 0000000000000000 RBX: ffffc9000521fad8 RCX: 0000000000000001
> ...
> Call Trace:
>  <TASK>
>  ? die_addr+0x40/0xa0
>  ? exc_general_protection+0x14c/0x230
>  ? asm_exc_general_protection+0x26/0x30
>  ? sock_sendmsg+0x21d/0x440
>  ? sock_sendmsg+0x3e0/0x440
>  ? __pfx_sock_sendmsg+0x10/0x10
>  __skb_send_sock+0x543/0xb70
>  sk_psock_backlog+0x247/0xb80
> ...
> '''
> 
> Reported-by: Michal Luczaj <mhal@rbox.co>
> Fixes: 799aa7f98d53 ("skmsg: Avoid lock_sock() in sk_psock_backlog()")
> Signed-off-by: Jiayuan Chen <jiayuan.chen@linux.dev>

Is the fixes tag actually,

 4b4647add7d3c sock_map: avoid race between sock_map_close and sk_psock_put

Before that we should call the cancel correctly?

Thanks,
John

next prev parent reply	other threads:[~2025-05-15  5:54 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-05-08  6:18 [PATCH bpf-next v5] bpf, sockmap: avoid using sk_socket after free when sending Jiayuan Chen
2025-05-15  5:53 ` John Fastabend [this message]
2025-05-15  6:04   ` Jiayuan Chen

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20250515055356.bgevcqwkyv3q7acr@gmail.com \
    --to=john.fastabend@gmail.com \
    --cc=ast@kernel.org \
    --cc=bpf@vger.kernel.org \
    --cc=cong.wang@bytedance.com \
    --cc=davem@davemloft.net \
    --cc=edumazet@google.com \
    --cc=horms@kernel.org \
    --cc=jakub@cloudflare.com \
    --cc=jiayuan.chen@linux.dev \
    --cc=kuba@kernel.org \
    --cc=linux-kernel@vger.kernel.org \
    --cc=mhal@rbox.co \
    --cc=netdev@vger.kernel.org \
    --cc=pabeni@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).