diff options
| author | John Fastabend <john.fastabend@gmail.com> | 2018-04-02 15:50:52 -0400 |
|---|---|---|
| committer | Daniel Borkmann <daniel@iogearbox.net> | 2018-04-04 05:04:31 -0400 |
| commit | 0e94d87fcfc81883b72574a5cc4638bd87adbb10 (patch) | |
| tree | dff6c545309c53c46efa7f6444ec5abe7b0c2b9e /kernel | |
| parent | 820ed3fb2e6e986144465082d041e6a403a94135 (diff) | |
bpf: sockmap, duplicates release calls may NULL sk_prot
It is possible to have multiple ULP tcp_release call paths in flight
if a sock is closed and simultaneously being removed from the sockmap
control path. The result would be setting the sk_prot to the saved
values on the first iteration and then on the second iteration setting
the value to NULL.
This patch resolves this by ensuring we only reset the sk_prot pointer
if we have a valid saved state to set.
Fixes: 4f738adba30a7 ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'kernel')
| -rw-r--r-- | kernel/bpf/sockmap.c | 6 |
1 files changed, 4 insertions, 2 deletions
diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c index 8ddf326b3ade..8dd9210d7db7 100644 --- a/kernel/bpf/sockmap.c +++ b/kernel/bpf/sockmap.c | |||
| @@ -182,8 +182,10 @@ static void bpf_tcp_release(struct sock *sk) | |||
| 182 | psock->cork = NULL; | 182 | psock->cork = NULL; |
| 183 | } | 183 | } |
| 184 | 184 | ||
| 185 | sk->sk_prot = psock->sk_proto; | 185 | if (psock->sk_proto) { |
| 186 | psock->sk_proto = NULL; | 186 | sk->sk_prot = psock->sk_proto; |
| 187 | psock->sk_proto = NULL; | ||
| 188 | } | ||
| 187 | out: | 189 | out: |
| 188 | rcu_read_unlock(); | 190 | rcu_read_unlock(); |
| 189 | } | 191 | } |