| From 0b2dc83906cf1e694e48003eae5df8fa63f76fd9 Mon Sep 17 00:00:00 2001 |
| From: Jakub Sitnicki <jakub@cloudflare.com> |
| Date: Thu, 6 Feb 2020 12:16:51 +0100 |
| Subject: bpf, sockhash: Synchronize_rcu before free'ing map |
| |
| From: Jakub Sitnicki <jakub@cloudflare.com> |
| |
| commit 0b2dc83906cf1e694e48003eae5df8fa63f76fd9 upstream. |
| |
| We need to have a synchronize_rcu before free'ing the sockhash because any |
| outstanding psock references will have a pointer to the map and when they |
| use it, this could trigger a use after free. |
| |
| This is a sister fix for sockhash, following commit 2bb90e5cc90e ("bpf: |
| sockmap, synchronize_rcu before free'ing map") which addressed sockmap, |
| which comes from a manual audit. |
| |
| Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface") |
| Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> |
| Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> |
| Acked-by: John Fastabend <john.fastabend@gmail.com> |
| Link: https://lore.kernel.org/bpf/20200206111652.694507-3-jakub@cloudflare.com |
| Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org> |
| |
| --- |
| net/core/sock_map.c | 4 ++++ |
| 1 file changed, 4 insertions(+) |
| |
| --- a/net/core/sock_map.c |
| +++ b/net/core/sock_map.c |
| @@ -250,6 +250,7 @@ static void sock_map_free(struct bpf_map |
| } |
| raw_spin_unlock_bh(&stab->lock); |
| |
| + /* wait for psock readers accessing its map link */ |
| synchronize_rcu(); |
| |
| bpf_map_area_free(stab->sks); |
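Review bot: The comment added above `synchronize_rcu()` says "its map link" without naming whose link it is or what gets freed next, so the reason the barrier must stay ahead of `bpf_map_area_free(stab->sks)` is not recorded in the code. The same wording is repeated in the sock_hash_free hunk. I would spell it out in both places, e.g. `/* Wait for RCU readers that may still follow a psock link into this map before its storage is freed. */`. sock_map_free starts outside this hunk, so confirm against the full function that the sockets are already unlinked by this point.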
| @@ -873,6 +874,9 @@ static void sock_hash_free(struct bpf_ma |
| raw_spin_unlock_bh(&bucket->lock); |
| } |
| |
| + /* wait for psock readers accessing its map link */ |
| + synchronize_rcu(); |
| + |
| bpf_map_area_free(htab->buckets); |
| kfree(htab); |
| } |
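Review bot: The added `synchronize_rcu()` in sock_hash_free only waits for readers that are inside an RCU read-side critical section when it is called. The fix therefore relies on every psock user reaching the map through its link under `rcu_read_lock()`, which is not visible in this hunk and is worth confirming for any deferred or workqueue path. It also relies on the bucket loop that ends just above having unlinked every element; otherwise a reader could pick up a link after the grace period and touch `htab->buckets` after `bpf_map_area_free()`. A function-level comment stating both conditions would help keep a later reorder of the teardown from reintroducing the use after free. The body of sock_hash_free starts outside the hunk.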