From mboxrd@z Thu Jan 1 00:00:00 1970
From: John Fastabend
Subject: Re: [bpf-next PATCH] bpf: sockhash fix race with bpf_tcp_close and map delete
Date: Sat, 26 May 2018 21:36:16 -0700
Message-ID: <26e7a154-9d7d-8547-4c39-dd85d72efaa0@gmail.com>
References: <20180525173712.4004.70590.stgit@john-Precision-Tower-5810> <1a7bab54-809a-dae4-a0f7-ea1fab2e8c7a@iogearbox.net>
Mime-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 7bit
Cc: netdev@vger.kernel.org
To: Daniel Borkmann , ast@kernel.org
Return-path:
Received: from mail-io0-f193.google.com ([209.85.223.193]:41902 "EHLO mail-io0-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1750728AbeE0Eg3 (ORCPT ); Sun, 27 May 2018 00:36:29 -0400
Received: by mail-io0-f193.google.com with SMTP id z5-v6so8199785iob.8 for ; Sat, 26 May 2018 21:36:29 -0700 (PDT)
In-Reply-To: <1a7bab54-809a-dae4-a0f7-ea1fab2e8c7a@iogearbox.net>
Content-Language: en-US
Sender: netdev-owner@vger.kernel.org
List-ID:

On 05/26/2018 01:30 AM, Daniel Borkmann wrote:
> Hi John,
>
> On 05/25/2018 07:37 PM, John Fastabend wrote:
>> syzbot reported two related splats, a use after free and null
>> pointer dereference, when a TCP socket is closed while the map is
>> also being removed.
>>
>> The psock keeps a reference to all map slots that have a reference
>> to the sock so that when the sock is closed we can clean up any
>> outstanding sock{map|hash} entries. This avoids pinning a sock
>> forever if the map owner fails to do proper cleanup. However, the
>> result is we have two paths that can free an entry in the map. Even
>> the comment in the sock{map|hash} tear down function, sock_hash_free()
>> notes this:
>>
>> At this point no update, lookup or delete operations can happen.
>> However, be aware we can still get a socket state event updates,
>> and data ready callbacks that reference the psock from sk_user_data.
>>
>> Both removal paths omitted taking the hash bucket lock resulting
>> in the case where we have two references that are in the process
>> of being free'd.
>>
>> Reported-by: syzbot+a761b81c211794fa1072@syzkaller.appspotmail.com
>> Signed-off-by: John Fastabend
> Fixes: 81110384441a ("bpf: sockmap, add hash map support")
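The commit message quoted above describes two paths, map delete and socket close, that can both free the same sockhash entry. The userspace C model below is an added example, not code from the patch or the kernel, and shows the rule the fix imposes: each path unlinks the element under the bucket lock and frees only what it unlinked itself, so whichever path runs second finds nothing to free. The `elem`, `bucket` and `psock` types and the two `*_path` functions are constructed stand-ins, not kernel identifiers.

```c
#include <stdatomic.h>
#include <stdlib.h>
/* Constructed stand-ins for the kernel's sockhash element, bucket and psock. */
struct elem { struct elem *next; int key; };
struct bucket { atomic_flag lock; struct elem *head; }; /* per-bucket spinlock */
struct psock { int keys[8]; int nkeys; };               /* slots pointing at this sock */
int frees; /* free() calls on elements; a correct run frees each element exactly once */

static void bucket_lock(struct bucket *b) { while (atomic_flag_test_and_set(&b->lock)) ; }
static void bucket_unlock(struct bucket *b) { atomic_flag_clear(&b->lock); }

void bucket_insert(struct bucket *b, struct psock *p, int key)
{
    struct elem *e = malloc(sizeof(*e));
    e->key = key;
    bucket_lock(b);
    e->next = b->head; b->head = e;
    bucket_unlock(b);
    p->keys[p->nkeys++] = key; /* the psock remembers the slot for its own teardown */
}

/* The rule both removal paths follow: unlink under the bucket lock; only the unlinker frees. */
static struct elem *bucket_unlink(struct bucket *b, int key)
{
    struct elem **pp, *e = NULL;
    bucket_lock(b);
    for (pp = &b->head; *pp; pp = &(*pp)->next)
        if ((*pp)->key == key) { e = *pp; *pp = e->next; break; }
    bucket_unlock(b);
    return e;
}

/* Map-delete path: 0 if this call freed the element, -1 if the close path already did. */
int map_delete_path(struct bucket *b, int key)
{
    struct elem *e = bucket_unlink(b, key);
    if (!e) return -1;
    free(e); frees++;
    return 0;
}

/* Socket-close path: the psock drops every slot it still references, skipping any the
 * delete path already unlinked. Returns the number of slots this call freed. */
int sock_close_path(struct bucket *b, struct psock *p)
{
    int i, n = 0;
    for (i = 0; i < p->nkeys; i++)
        n += map_delete_path(b, p->keys[i]) == 0;
    p->nkeys = 0;
    return n;
}
```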