git.ipfire.org Git - thirdparty/kernel/stable.git/commit

author	Michal Luczaj <mhal@rbox.co>
	Mon, 2 Dec 2024 11:29:23 +0000 (12:29 +0100)
committer	Greg Kroah-Hartman <gregkh@linuxfoundation.org>
	Thu, 19 Dec 2024 17:13:10 +0000 (18:13 +0100)
commit	2bd517bafc38f7cb3fe1dc81e2fa915821f2d074
tree	86a88653e6966b41995c79525f62f150a5af2acb	tree \| snapshot
parent	bf2318e288f636a882eea39f7e1015623629f168	commit \| diff

bpf, sockmap: Fix update element with same

commit 75e072a390da9a22e7ae4a4e8434dfca5da499fb upstream.

Consider a sockmap entry being updated with the same socket:

osk = stab->sks[idx];
sock_map_add_link(psock, link, map, &stab->sks[idx]);
stab->sks[idx] = sk;
if (osk)
sock_map_unref(osk, &stab->sks[idx]);

Due to sock_map_unref(), which invokes sock_map_del_link(), all the
psock's links for stab->sks[idx] are torn:

list_for_each_entry_safe(link, tmp, &psock->link, list) {
if (link->link_raw == link_raw) {
...
list_del(&link->list);
sk_psock_free_link(link);
}
}

And that includes the new link sock_map_add_link() added just before
the unref.

This results in a sockmap holding a socket, but without the respective
link. This in turn means that close(sock) won't trigger the cleanup,
i.e. a closed socket will not be automatically removed from the sockmap.

Stop tearing the links when a matching link_raw is found.

Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: Michal Luczaj <mhal@rbox.co>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Reviewed-by: John Fastabend <john.fastabend@gmail.com>
Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-1-1e88579e7bd5@rbox.co
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>