From 4661364592dc0d27cbd36e785fdc8ddfd7c276bf Mon Sep 17 00:00:00 2001
From: zhangmingyi <zhangmingyi5@huawei.com>
Date: Sun, 11 Jun 2023 19:23:52 +0800
Subject: [PATCH] bpf: fix bpf_tcp_ingress addr use after free

euleros inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I545NW
CVE: NA

--------------------------------

fix a bug in bpf_tcp_ingress(), addr use after free

Signed-off-by: zhangmingyi <zhangmingyi5@huawei.com>
Reviewed-by: liuxin <liuxin350@huawei.com>
Reviewed-by: wuchangye <wuchangye@huawei.com>
Fixes: 8818e269f18d ("bpf, sockmap: Add sk_rmem_alloc check for sockmap")
Signed-off-by: Liu Jian <liujian56@huawei.com>
---
 net/ipv4/tcp_bpf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index ad612109317f..1cff6ae3f6fd 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -138,7 +138,8 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock,
 	if (!ret) {
 		msg->sg.start = i;
 		sk_psock_queue_msg(psock, tmp);
-		atomic_add(tmp->sg.size, &sk->sk_rmem_alloc);
+		if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))
+			atomic_add(tmp->sg.size, &sk->sk_rmem_alloc);
 		sk_psock_data_ready(sk, psock);
 	} else {
 		sk_msg_free(sk, tmp);
-- 
GitLab