X-Mailing-List: netdev@vger.kernel.org
Date: Wed, 01 Jul 2026 18:02:29 -0400
From: "Emil Tsalapatis"
To: "Sechang Lim", "Alexei Starovoitov", "Daniel Borkmann", "Andrii Nakryiko", "Eduard Zingerman", "Kumar Kartikeya Dwivedi", "John Fastabend", "David S. Miller", "Jakub Kicinski", "Jesper Dangaard Brouer", "Shuah Khan"
Cc: "Martin KaFai Lau", "Song Liu", "Yonghong Song", "Jiri Olsa", "Emil Tsalapatis", "Stanislav Fomichev", "Jiayuan Chen", "Varun R Mallya", "Ihor Solodrai"
Subject: Re: [PATCH bpf-next v4 1/2] bpf, sockmap: disallow update and delete from tc, xdp, socket_filter and flow_dissector
X-Mailer: aerc 0.21.0-0-g5549850facc2
References: <20260630145410.3648099-1-rhkrqnwk98@gmail.com> <20260630145410.3648099-2-rhkrqnwk98@gmail.com>
In-Reply-To: <20260630145410.3648099-2-rhkrqnwk98@gmail.com>

On Tue Jun 30, 2026 at 10:54 AM EDT, Sechang Lim wrote:
> sock_map_update_common() and __sock_map_delete() hold stab->lock and call
> sock_map_unref() -> sock_map_del_link(), which takes sk_callback_lock for
> write. That gives the order stab->lock -> sk_callback_lock.
>
> The reverse order comes from the SK_SKB stream parser.
> sk_psock_strp_data_ready() holds sk_callback_lock for read, and after the
> verdict tcp_bpf_strp_read_sock() acks the consumed data inline via
> __tcp_cleanup_rbuf(). The ACK goes out egress, where a sched_cls program
> deletes from the sockmap and takes stab->lock:
>
>   WARNING: possible circular locking dependency detected
>   ------------------------------------------------------
>   syz.9.8824 is trying to acquire lock:
>   (&stab->lock){+.-.}-{3:3}, at: __sock_map_delete net/core/sock_map.c:421
>   but task is already holding lock:
>   (clock-AF_INET){++.-}-{3:3}, at: sk_psock_strp_data_ready net/core/skmsg.c:1173
>
>   -> #1 (clock-AF_INET){++.-}-{3:3}:
>        _raw_write_lock_bh
>        sock_map_del_link net/core/sock_map.c:167
>        sock_map_unref net/core/sock_map.c:184
>        sock_map_update_common net/core/sock_map.c:509
>        sock_map_update_elem_sys net/core/sock_map.c:588
>        map_update_elem kernel/bpf/syscall.c:1805
>
>   -> #0 (&stab->lock){+.-.}-{3:3}:
>        _raw_spin_lock_bh
>        __sock_map_delete net/core/sock_map.c:421
>        sock_map_delete_elem net/core/sock_map.c:452
>        bpf_prog_06044d24140080b6
>        tcx_run net/core/dev.c:4451
>        sch_handle_egress net/core/dev.c:4541
>        __dev_queue_xmit net/core/dev.c:4808
>        ...
>        tcp_bpf_strp_read_sock net/ipv4/tcp_bpf.c:701
>        strp_data_ready net/strparser/strparser.c:402
>        sk_psock_strp_data_ready net/core/skmsg.c:1174
>        tcp_data_queue net/ipv4/tcp_input.c:5661
>
>   Possible unsafe locking scenario:
>
>         CPU0                    CPU1
>         ----                    ----
>    rlock(clock-AF_INET);
>                                 lock(&stab->lock);
>                                 lock(clock-AF_INET);
>    lock(&stab->lock);
>
>   *** DEADLOCK ***
>
> A tc, xdp, socket_filter or flow_dissector program has no reason to
> update or delete a sockmap, and redirect does not go through here. Drop
> them from may_update_sockmap() so the verifier rejects it. It also
> closes the matching sockhash inversion.
>
> Suggested-by: John Fastabend
> Signed-off-by: Sechang Lim

Reviewed-by: Emil Tsalapatis

> ---
>  kernel/bpf/verifier.c | 5 -----
>  1 file changed, 5 deletions(-)
>
> diff --git a/kernel/bpf/verifier.c b/kernel/bpf/verifier.c > index 25aea4271cd0..83ea3b33ff67 100644 > --- a/kernel/bpf/verifier.c > +++ b/kernel/bpf/verifier.c
> @@ -8488,12 +8488,7 @@ static bool may_update_sockmap(struct bpf_verifier= _env *env, int func_id) > if (func_id =3D=3D BPF_FUNC_map_delete_elem) > return true; > break; > - case BPF_PROG_TYPE_SOCKET_FILTER: > - case BPF_PROG_TYPE_SCHED_CLS: > - case BPF_PROG_TYPE_SCHED_ACT: > - case BPF_PROG_TYPE_XDP: > case BPF_PROG_TYPE_SK_REUSEPORT: > - case BPF_PROG_TYPE_FLOW_DISSECTOR: > case BPF_PROG_TYPE_SK_LOOKUP: > return true; > default:
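
Review bot: The two cases left on the unconditional "return true" path, BPF_PROG_TYPE_SK_REUSEPORT and BPF_PROG_TYPE_SK_LOOKUP, get no justification here; the commit message only argues that tc, xdp, socket_filter and flow_dissector programs have no reason to update or delete a sockmap. Because the inversion in the log arises when a program reaches __sock_map_delete() while sk_callback_lock is already held, a short comment above the remaining cases (or one sentence in the log) explaining why these two types cannot run in that context would make the allow-list auditable. The log should also say that programs of the five removed types (SOCKET_FILTER, SCHED_CLS, SCHED_ACT, XDP, FLOW_DISSECTOR) that call map update or delete on a sockmap will now be rejected by the verifier at load time, since that is a user-visible behaviour change.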