bpf: sockmap, duplicates release calls may NULL sk_prot

It is possible to have multiple ULP tcp_release call paths in flight if a sock is closed and simultaneously being removed from the sockmap control path. The result would be setting the sk_prot to the saved values on the first iteration and then on the second iteration setting the value to NULL. This patch resolves this by ensuring we only reset the sk_prot pointer if we have a valid saved state to set. Fixes: 4f738adb ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data") Signed-off-by: N John Fastabend <john.fastabend@gmail.com> Signed-off-by: N Daniel Borkmann <daniel@iogearbox.net>

bpf: sockmap, duplicates release calls may NULL sk_prot
It is possible to have multiple ULP tcp_release call paths in flight if a sock is closed and simultaneously being removed from the sockmap control path. The result would be setting the sk_prot to the saved values on the first iteration and then on the second iteration setting the value to NULL. This patch resolves this by ensuring we only reset the sk_prot pointer if we have a valid saved state to set. Fixes: 4f738adb ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data") Signed-off-by: N John Fastabend <john.fastabend@gmail.com> Signed-off-by: N Daniel Borkmann <daniel@iogearbox.net>
0e94d87f · John Fastabend · Daniel Borkmann · 820ed3fb · 0e94d87f
显示空白变更内容
内联并排

Showing with 4 addition and 2 deletion

kernel/bpf/sockmap.c kernel/bpf/sockmap.c +4 -2

未找到文件。
--- a/kernel/bpf/sockmap.c
+++ b/kernel/bpf/sockmap.c
@@ -182,8 +182,10 @@ static void bpf_tcp_release(struct sock *sk)
 		psock->cork = NULL;
 	}
+	if (psock->sk_proto) {
 		sk->sk_prot = psock->sk_proto;
 		psock->sk_proto = NULL;
+	}
 out:
 	rcu_read_unlock();
 }