bpf: sockmap, fix smap_list_map_remove when psock is in many maps

If a hashmap is free'd with open socks it removes the reference to the hash entry from the psock. If that is the last reference to the psock then it will also be free'd by the reference counting logic. However the current logic that removes the hash reference from the list of references is broken. In smap_list_remove() we first check if the sockmap entry matches and then check if the hashmap entry matches. But, the sockmap entry sill always match because its NULL in this case which causes the first entry to be removed from the list. If this is always the "right" entry (because the user adds/removes entries in order) then everything is OK but otherwise a subsequent bpf_tcp_close() may reference a free'd object. To fix this create two list handlers one for sockmap and one for sockhash. Reported-by: syzbot+0ce137753c78f7b6acc1@syzkaller.appspotmail.com Fixes: 81110384441a ("bpf: sockmap, add hash map support") Acked-by: Martin KaFai Lau <kafai@fb.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
author: John Fastabend <john.fastabend@gmail.com> 2018-06-30 09:17:41 -0400
committer: Daniel Borkmann <daniel@iogearbox.net> 2018-06-30 19:21:31 -0400
commit: 54fedb42c6537dcb0102e4a58a88456a6286999d (patch)
tree: 5ba57be260f4c18e7977edd75f5e60d3ce3859b6
parent: 9901c5d77e969d8215a8e8d087ef02e6feddc84c (diff)
1 files changed, 22 insertions, 12 deletions
diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c
index bfdfbd199c3b..65a937ed5762 100644
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -1602,17 +1602,27 @@ free_stab:
        return ERR_PTR(err);
 }
-static void smap_list_remove(struct smap_psock *psock,
+static void smap_list_map_remove(struct smap_psock *psock,
-                             struct sock **entry,
+                                 struct sock **entry)
-                             struct htab_elem *hash_link)
 {
        struct smap_psock_map_entry *e, *tmp;
        list_for_each_entry_safe(e, tmp, &psock->maps, list) {
-                if (e->entry == entry || e->hash_link == hash_link) {
+                if (e->entry == entry)
+                        list_del(&e->list);
+        }
+}
+static void smap_list_hash_remove(struct smap_psock *psock,
+                                  struct htab_elem *hash_link)
+{
+        struct smap_psock_map_entry *e, *tmp;
+        list_for_each_entry_safe(e, tmp, &psock->maps, list) {
+                struct htab_elem *c = e->hash_link;
+                if (c == hash_link)
                        list_del(&e->list);
-                        break;
-                }
        }
 }
@@ -1647,7 +1657,7 @@ static void sock_map_free(struct bpf_map *map)
                 * to be null and queued for garbage collection.
                 */
                if (likely(psock)) {
-                        smap_list_remove(psock, &stab->sock_map[i], NULL);
+                        smap_list_map_remove(psock, &stab->sock_map[i]);
                        smap_release_sock(psock, sock);
                }
                write_unlock_bh(&sock->sk_callback_lock);
@@ -1706,7 +1716,7 @@ static int sock_map_delete_elem(struct bpf_map *map, void *key)
        if (psock->bpf_parse)
                smap_stop_sock(psock, sock);
-        smap_list_remove(psock, &stab->sock_map[k], NULL);
+        smap_list_map_remove(psock, &stab->sock_map[k]);
        smap_release_sock(psock, sock);
 out:
        write_unlock_bh(&sock->sk_callback_lock);
@@ -1908,7 +1918,7 @@ static int sock_map_ctx_update_elem(struct bpf_sock_ops_kern *skops,
                struct smap_psock *opsock = smap_psock_sk(osock);
                write_lock_bh(&osock->sk_callback_lock);
-                smap_list_remove(opsock, &stab->sock_map[i], NULL);
+                smap_list_map_remove(opsock, &stab->sock_map[i]);
                smap_release_sock(opsock, osock);
                write_unlock_bh(&osock->sk_callback_lock);
        }
@@ -2142,7 +2152,7 @@ static void sock_hash_free(struct bpf_map *map)
                         * (psock) to be null and queued for garbage collection.
                         */
                        if (likely(psock)) {
-                                smap_list_remove(psock, NULL, l);
+                                smap_list_hash_remove(psock, l);
                                smap_release_sock(psock, sock);
                        }
                        write_unlock_bh(&sock->sk_callback_lock);
@@ -2322,7 +2332,7 @@ static int sock_hash_ctx_update_elem(struct bpf_sock_ops_kern *skops,
                psock = smap_psock_sk(l_old->sk);
                hlist_del_rcu(&l_old->hash_node);
-                smap_list_remove(psock, NULL, l_old);
+                smap_list_hash_remove(psock, l_old);
                smap_release_sock(psock, l_old->sk);
                free_htab_elem(htab, l_old);
        }
@@ -2390,7 +2400,7 @@ static int sock_hash_delete_elem(struct bpf_map *map, void *key)
                 * to be null and queued for garbage collection.
                 */
                if (likely(psock)) {
-                        smap_list_remove(psock, NULL, l);
+                        smap_list_hash_remove(psock, l);
                        smap_release_sock(psock, sock);
                }
                write_unlock_bh(&sock->sk_callback_lock);
author	John Fastabend <john.fastabend@gmail.com>	2018-06-30 09:17:41 -0400
committer	Daniel Borkmann <daniel@iogearbox.net>	2018-06-30 19:21:31 -0400
commit	54fedb42c6537dcb0102e4a58a88456a6286999d (patch)
tree	5ba57be260f4c18e7977edd75f5e60d3ce3859b6
parent	9901c5d77e969d8215a8e8d087ef02e6feddc84c (diff)