[thirdparty/kernel/stable-queue.git] / pending-5.1 / bpf-sockmap-remove-duplicate-queue-free.patch

From 4409871ad3026f4ce3f62a8b6f3fbdf33054b68d Mon Sep 17 00:00:00 2001
From: John Fastabend <john.fastabend@gmail.com>
Date: Mon, 13 May 2019 07:19:37 -0700
Subject: bpf: sockmap remove duplicate queue free

[ Upstream commit c42253cc88206fd0e9868c8b2fd7f9e79f9e0e03 ]

In tcp bpf remove we free the cork list and purge the ingress msg
list. However we do this before the ref count reaches zero so it
could be possible some other access is in progress. In this case
(tcp close and/or tcp_unhash) we happen to also hold the sock
lock so no path exists but lets fix it otherwise it is extremely
fragile and breaks the reference counting rules. Also we already
check the cork list and ingress msg queue and free them once the
ref count reaches zero so its wasteful to check twice.

Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/ipv4/tcp_bpf.c | 2 --
 1 file changed, 2 deletions(-)

diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index 1bb7321a256d..4a619c85daed 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -528,8 +528,6 @@ static void tcp_bpf_remove(struct sock *sk, struct sk_psock *psock)
 {
 	struct sk_psock_link *link;
 
-	sk_psock_cork_free(psock);
-	__sk_psock_purge_ingress_msg(psock);
 	while ((link = sk_psock_link_pop(psock))) {
 		sk_psock_unlink(sk, link);
 		sk_psock_free_link(link);
-- 
2.20.1
Commit	Line	Data
fb43722c SL	1	From 4409871ad3026f4ce3f62a8b6f3fbdf33054b68d Mon Sep 17 00:00:00 2001
	2	From: John Fastabend <john.fastabend@gmail.com>
	3	Date: Mon, 13 May 2019 07:19:37 -0700
	4	Subject: bpf: sockmap remove duplicate queue free
	5
	6	[ Upstream commit c42253cc88206fd0e9868c8b2fd7f9e79f9e0e03 ]
	7
	8	In tcp bpf remove we free the cork list and purge the ingress msg
	9	list. However we do this before the ref count reaches zero so it
	10	could be possible some other access is in progress. In this case
	11	(tcp close and/or tcp_unhash) we happen to also hold the sock
	12	lock so no path exists but lets fix it otherwise it is extremely
	13	fragile and breaks the reference counting rules. Also we already
	14	check the cork list and ingress msg queue and free them once the
	15	ref count reaches zero so its wasteful to check twice.
	16
	17	Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
	18	Signed-off-by: John Fastabend <john.fastabend@gmail.com>
	19	Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
	20	Signed-off-by: Sasha Levin <sashal@kernel.org>
	21	---
	22	net/ipv4/tcp_bpf.c \| 2 --
	23	1 file changed, 2 deletions(-)
	24
	25	diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
	26	index 1bb7321a256d..4a619c85daed 100644
	27	--- a/net/ipv4/tcp_bpf.c
	28	+++ b/net/ipv4/tcp_bpf.c
	29	@@ -528,8 +528,6 @@ static void tcp_bpf_remove(struct sock sk, struct sk_psock psock)
	30	{
	31	struct sk_psock_link *link;
	32
	33	- sk_psock_cork_free(psock);
	34	- __sk_psock_purge_ingress_msg(psock);
	35	while ((link = sk_psock_link_pop(psock))) {
	36	sk_psock_unlink(sk, link);
	37	sk_psock_free_link(link);
	38	--
	39	2.20.1
	40