From mboxrd@z Thu Jan 1 00:00:00 1970 From: Daniel Borkmann Subject: Re: [bpf-next PATCH] bpf: sockhash fix race with bpf_tcp_close and map delete Date: Sat, 26 May 2018 10:30:59 +0200 Message-ID: <1a7bab54-809a-dae4-a0f7-ea1fab2e8c7a@iogearbox.net> References: <20180525173712.4004.70590.stgit@john-Precision-Tower-5810> Mime-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 7bit Cc: netdev@vger.kernel.org To: John Fastabend , ast@kernel.org Return-path: Received: from www62.your-server.de ([213.133.104.62]:37218 "EHLO www62.your-server.de" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1031239AbeEZIbC (ORCPT ); Sat, 26 May 2018 04:31:02 -0400 In-Reply-To: <20180525173712.4004.70590.stgit@john-Precision-Tower-5810> Content-Language: en-US Sender: netdev-owner@vger.kernel.org List-ID: Hi John, On 05/25/2018 07:37 PM, John Fastabend wrote: > syzbot reported two related splats, a use after free and null > pointer dereference, when a TCP socket is closed while the map is > also being removed. > > The psock keeps a reference to all map slots that have a reference > to the sock so that when the sock is closed we can clean up any > outstanding sock{map|hash} entries. This avoids pinning a sock > forever if the map owner fails to do proper cleanup. However, the > result is we have two paths that can free an entry in the map. Even > the comment in the sock{map|hash} tear down function, sock_hash_free() > notes this: > > At this point no update, lookup or delete operations can happen. > However, be aware we can still get a socket state event updates, > and data ready callbacks that reference the psock from sk_user_data. > > Both removal paths omitted taking the hash bucket lock resulting > in the case where we have two references that are in the process > of being free'd. > > Reported-by: syzbot+a761b81c211794fa1072@syzkaller.appspotmail.com > Signed-off-by: John Fastabend Could you also shortly reply with a Fixes: tag so we can track all fixes for the original commit. Thanks, Daniel P.s.: still waiting on net-next to get fast-forwarded, then I'll fast-forward bpf-next and process the queue.