* [Patch bpf] sock_map: fix a NULL pointer dereference in sock_map_link_update_prog()
@ 2024-10-26 18:55 Cong Wang
2024-10-28 5:58 ` Yonghong Song
2024-10-29 2:00 ` patchwork-bot+netdevbpf
0 siblings, 2 replies; 4+ messages in thread
From: Cong Wang @ 2024-10-26 18:55 UTC (permalink / raw)
To: netdev
Cc: bpf, Cong Wang, Ruan Bonan, Yonghong Song, John Fastabend,
Jakub Sitnicki
From: Cong Wang <cong.wang@bytedance.com>
The following race condition could trigger a NULL pointer dereference:
sock_map_link_detach(): sock_map_link_update_prog():
mutex_lock(&sockmap_mutex);
...
sockmap_link->map = NULL;
mutex_unlock(&sockmap_mutex);
mutex_lock(&sockmap_mutex);
...
sock_map_prog_link_lookup(sockmap_link->map);
mutex_unlock(&sockmap_mutex);
<continue>
Fix it by adding a NULL pointer check. In this specific case, it makes
no sense to update a link which is being released.
Reported-by: Ruan Bonan <bonan.ruan@u.nus.edu>
Fixes: 699c23f02c65 ("bpf: Add bpf_link support for sk_msg and sk_skb progs")
Cc: Yonghong Song <yonghong.song@linux.dev>
Cc: John Fastabend <john.fastabend@gmail.com>
Cc: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Cong Wang <cong.wang@bytedance.com>
---
net/core/sock_map.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 07d6aa4e39ef..9fca4db52f57 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -1760,6 +1760,10 @@ static int sock_map_link_update_prog(struct bpf_link *link,
ret = -EINVAL;
goto out;
}
+ if (!sockmap_link->map) {
+ ret = -EINVAL;
+ goto out;
+ }
ret = sock_map_prog_link_lookup(sockmap_link->map, &pprog, &plink,
sockmap_link->attach_type);
--
2.34.1
^ permalink raw reply related [flat|nested] 4+ messages in thread* Re: [Patch bpf] sock_map: fix a NULL pointer dereference in sock_map_link_update_prog()
2024-10-26 18:55 [Patch bpf] sock_map: fix a NULL pointer dereference in sock_map_link_update_prog() Cong Wang
@ 2024-10-28 5:58 ` Yonghong Song
2024-10-29 1:57 ` Martin KaFai Lau
2024-10-29 2:00 ` patchwork-bot+netdevbpf
1 sibling, 1 reply; 4+ messages in thread
From: Yonghong Song @ 2024-10-28 5:58 UTC (permalink / raw)
To: Cong Wang, netdev
Cc: bpf, Cong Wang, Ruan Bonan, John Fastabend, Jakub Sitnicki
On 10/26/24 11:55 AM, Cong Wang wrote:
> From: Cong Wang <cong.wang@bytedance.com>
>
> The following race condition could trigger a NULL pointer dereference:
>
> sock_map_link_detach(): sock_map_link_update_prog():
> mutex_lock(&sockmap_mutex);
> ...
> sockmap_link->map = NULL;
> mutex_unlock(&sockmap_mutex);
> mutex_lock(&sockmap_mutex);
> ...
> sock_map_prog_link_lookup(sockmap_link->map);
> mutex_unlock(&sockmap_mutex);
> <continue>
>
> Fix it by adding a NULL pointer check. In this specific case, it makes
> no sense to update a link which is being released.
>
> Reported-by: Ruan Bonan <bonan.ruan@u.nus.edu>
> Fixes: 699c23f02c65 ("bpf: Add bpf_link support for sk_msg and sk_skb progs")
> Cc: Yonghong Song <yonghong.song@linux.dev>
> Cc: John Fastabend <john.fastabend@gmail.com>
> Cc: Jakub Sitnicki <jakub@cloudflare.com>
> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
> ---
> net/core/sock_map.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/net/core/sock_map.c b/net/core/sock_map.c
> index 07d6aa4e39ef..9fca4db52f57 100644
> --- a/net/core/sock_map.c
> +++ b/net/core/sock_map.c
> @@ -1760,6 +1760,10 @@ static int sock_map_link_update_prog(struct bpf_link *link,
> ret = -EINVAL;
> goto out;
> }
> + if (!sockmap_link->map) {
> + ret = -EINVAL;
Thanks for the fix. Maybe we should use -ENOENT as the return error code?
In this case, update_prog failed due to sockmap_link->map == NULL which is
equivalent to no 'entry' to update.
> + goto out;
> + }
>
> ret = sock_map_prog_link_lookup(sockmap_link->map, &pprog, &plink,
> sockmap_link->attach_type);
^ permalink raw reply [flat|nested] 4+ messages in thread* Re: [Patch bpf] sock_map: fix a NULL pointer dereference in sock_map_link_update_prog()
2024-10-28 5:58 ` Yonghong Song
@ 2024-10-29 1:57 ` Martin KaFai Lau
0 siblings, 0 replies; 4+ messages in thread
From: Martin KaFai Lau @ 2024-10-29 1:57 UTC (permalink / raw)
To: Yonghong Song, Cong Wang
Cc: bpf, Cong Wang, Ruan Bonan, John Fastabend, Jakub Sitnicki,
netdev
On 10/27/24 10:58 PM, Yonghong Song wrote:
>
> On 10/26/24 11:55 AM, Cong Wang wrote:
>> From: Cong Wang <cong.wang@bytedance.com>
>>
>> The following race condition could trigger a NULL pointer dereference:
>>
>> sock_map_link_detach(): sock_map_link_update_prog():
>> mutex_lock(&sockmap_mutex);
>> ...
>> sockmap_link->map = NULL;
>> mutex_unlock(&sockmap_mutex);
>> mutex_lock(&sockmap_mutex);
>> ...
>> sock_map_prog_link_lookup(sockmap_link->map);
>> mutex_unlock(&sockmap_mutex);
>> <continue>
>>
>> Fix it by adding a NULL pointer check. In this specific case, it makes
>> no sense to update a link which is being released.
>>
>> Reported-by: Ruan Bonan <bonan.ruan@u.nus.edu>
>> Fixes: 699c23f02c65 ("bpf: Add bpf_link support for sk_msg and sk_skb progs")
>> Cc: Yonghong Song <yonghong.song@linux.dev>
>> Cc: John Fastabend <john.fastabend@gmail.com>
>> Cc: Jakub Sitnicki <jakub@cloudflare.com>
>> Signed-off-by: Cong Wang <cong.wang@bytedance.com>
>> ---
>> net/core/sock_map.c | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/net/core/sock_map.c b/net/core/sock_map.c
>> index 07d6aa4e39ef..9fca4db52f57 100644
>> --- a/net/core/sock_map.c
>> +++ b/net/core/sock_map.c
>> @@ -1760,6 +1760,10 @@ static int sock_map_link_update_prog(struct bpf_link
>> *link,
>> ret = -EINVAL;
>> goto out;
>> }
>> + if (!sockmap_link->map) {
>> + ret = -EINVAL;
>
> Thanks for the fix. Maybe we should use -ENOENT as the return error code?
> In this case, update_prog failed due to sockmap_link->map == NULL which is
> equivalent to no 'entry' to update.
The fix lgtm. Regarding the error value, the tcx/bpf_struct_ops/cgroup's
update_prog uses -ENOLINK. I changed it to -ENOLINK for consistency. Applied.
Thanks.
>
>> + goto out;
>> + }
>> ret = sock_map_prog_link_lookup(sockmap_link->map, &pprog, &plink,
>> sockmap_link->attach_type);
>
^ permalink raw reply [flat|nested] 4+ messages in thread
* Re: [Patch bpf] sock_map: fix a NULL pointer dereference in sock_map_link_update_prog()
2024-10-26 18:55 [Patch bpf] sock_map: fix a NULL pointer dereference in sock_map_link_update_prog() Cong Wang
2024-10-28 5:58 ` Yonghong Song
@ 2024-10-29 2:00 ` patchwork-bot+netdevbpf
1 sibling, 0 replies; 4+ messages in thread
From: patchwork-bot+netdevbpf @ 2024-10-29 2:00 UTC (permalink / raw)
To: Cong Wang
Cc: netdev, bpf, cong.wang, bonan.ruan, yonghong.song, john.fastabend,
jakub
Hello:
This patch was applied to bpf/bpf.git (master)
by Martin KaFai Lau <martin.lau@kernel.org>:
On Sat, 26 Oct 2024 11:55:22 -0700 you wrote:
> From: Cong Wang <cong.wang@bytedance.com>
>
> The following race condition could trigger a NULL pointer dereference:
>
> sock_map_link_detach(): sock_map_link_update_prog():
> mutex_lock(&sockmap_mutex);
> ...
> sockmap_link->map = NULL;
> mutex_unlock(&sockmap_mutex);
> mutex_lock(&sockmap_mutex);
> ...
> sock_map_prog_link_lookup(sockmap_link->map);
> mutex_unlock(&sockmap_mutex);
> <continue>
>
> [...]
Here is the summary with links:
- [bpf] sock_map: fix a NULL pointer dereference in sock_map_link_update_prog()
https://git.kernel.org/bpf/bpf/c/740be3b9a6d7
You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
^ permalink raw reply [flat|nested] 4+ messages in thread
end of thread, other threads:[~2024-10-29 2:00 UTC | newest]
Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2024-10-26 18:55 [Patch bpf] sock_map: fix a NULL pointer dereference in sock_map_link_update_prog() Cong Wang
2024-10-28 5:58 ` Yonghong Song
2024-10-29 1:57 ` Martin KaFai Lau
2024-10-29 2:00 ` patchwork-bot+netdevbpf
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox