leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
697fb80a53
linux/net/core
History
John Fastabend 697fb80a53 bpf: Fix sockmap calling sleepable function in teardown path 
syzbot reproduced the bug ...

 BUG: sleeping function called from invalid context at kernel/workqueue.c:3010

... with the following stack trace fragment ...

 start_flush_work kernel/workqueue.c:3010 [inline]
 __flush_work+0x109/0xb10 kernel/workqueue.c:3074
 __cancel_work_timer+0x3f9/0x570 kernel/workqueue.c:3162
 sk_psock_stop+0x4cb/0x630 net/core/skmsg.c:802
 sock_map_destroy+0x333/0x760 net/core/sock_map.c:1581
 inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1130
 __tcp_close+0xd5b/0x12b0 net/ipv4/tcp.c:2897
 tcp_close+0x29/0xc0 net/ipv4/tcp.c:2909

... introduced by d8616ee2af. Do a quick trace of the code path and the
bug is obvious:

   inet_csk_destroy_sock(sk)
     sk_prot->destroy(sk);      <--- sock_map_destroy
        sk_psock_stop(, true);   <--- true so cancel workqueue
          cancel_work_sync()     <--- splat, because *_bh_disable()

We can not call cancel_work_sync() from inside destroy path. So mark
the sk_psock_stop call to skip this cancel_work_sync(). This will avoid
the BUG, but means we may run sk_psock_backlog after or during the
destroy op. We zapped the ingress_skb queue in sk_psock_stop (safe to
do with local_bh_disable) so its empty and the sk_psock_backlog work
item will not find any pkts to process here. However, because we are
not going to wait for it or clear its ->state its possible it kicks off
or is already running. This should be 'safe' up until psock drops its
refcnt to psock->sk. The sock_put() that drops this reference is only
done at psock destroy time from sk_psock_destroy(). This is done through
workqueue when sk_psock_drop() is called on psock refnt reaches 0.
And importantly sk_psock_destroy() does a cancel_work_sync(). So trivial
fix works.

I've had hit or miss luck reproducing this caught it once or twice with
the provided reproducer when running with many runners. However, syzkaller
is very good at reproducing so relying on syzkaller to verify fix.

Fixes: d8616ee2af ("bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues")
Reported-by: syzbot+140186ceba0c496183bc@syzkaller.appspotmail.com
Suggested-by: Hillf Danton <hdanton@sina.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Cc: Wang Yufen <wangyufen@huawei.com>
Link: https://lore.kernel.org/bpf/20220628035803.317876-1-john.fastabend@gmail.com
2022-06-28 09:30:03 +02:00
..
.gitignore net: skb: use auto-generation to convert skb drop reason to string 2022-06-07 12:51:41 +02:00
bpf_sk_storage.c bpf: Compute map_btf_id during build time 2022-04-26 11:35:21 -07:00
datagram.c net: keep sk->sk_forward_alloc as small as possible 2022-06-10 16:21:27 -07:00
dev_addr_lists_test.c net: kunit: add a test for dev_addr_lists 2021-11-20 12:25:57 +00:00
dev_addr_lists.c net: extract a few internals from netdevice.h 2022-04-07 20:32:09 -07:00
dev_ioctl.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
dev.c net: add napi_get_frags_check() helper 2022-06-09 21:53:57 -07:00
dev.h net: add skb_defer_max sysctl 2022-05-16 11:33:59 +01:00
devlink.c devlink: adopt u64_stats_t 2022-06-09 21:53:11 -07:00
drop_monitor.c drop_monitor: adopt u64_stats_t 2022-06-09 21:53:12 -07:00
dst_cache.c wireguard: device: reset peer src endpoint when netns exits 2021-11-29 19:50:45 -08:00
dst.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
failover.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
fib_notifier.c
fib_rules.c fib: expand fib_rule_policy 2021-12-16 07:18:35 -08:00
filter.c bpf: Fix bpf_skc_lookup comment wrt. return type 2022-06-17 18:36:45 +02:00
flow_dissector.c flow_dissector: Add number of vlan tags dissector 2022-04-20 11:09:13 +01:00
flow_offload.c netfilter: nf_tables: bail out early if hardware offload is not supported 2022-06-06 19:19:15 +02:00
gen_estimator.c net: sched: Remove Qdisc::running sequence counter 2021-10-18 12:54:41 +01:00
gen_stats.c net: stats: Read the statistics in ___gnet_stats_copy_basic() instead of adding. 2021-10-21 12:47:56 +01:00
gro_cells.c net: add per-cpu storage and net->core_stats 2022-03-11 23:17:24 -08:00
gro.c net: allow gro_max_size to exceed 65536 2022-05-16 10:18:56 +01:00
hwbm.c
link_watch.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
lwt_bpf.c bpf, lwt: Fix crash when using bpf_skb_set_tunnel_key() from bpf_xmit lwt hook 2022-04-22 17:45:25 +02:00
lwtunnel.c lwtunnel: Validate RTA_ENCAP_TYPE attribute length 2021-12-31 14:31:59 +00:00
Makefile net: skb: use auto-generation to convert skb drop reason to string 2022-06-07 12:51:41 +02:00
neighbour.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
net_namespace.c net: initialize init_net earlier 2022-02-06 11:04:29 +00:00
net-procfs.c net: extract a few internals from netdevice.h 2022-04-07 20:32:09 -07:00
net-sysfs.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
net-sysfs.h net-sysfs: add netdev_change_owner() 2020-02-26 20:07:25 -08:00
net-traces.c tcp: add tracepoint for checksum errors 2021-05-14 15:26:03 -07:00
netclassid_cgroup.c bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode 2021-09-13 16:35:58 -07:00
netevent.c net: core: Correct function name netevent_unregister_notifier() in the kerneldoc 2021-03-28 17:56:56 -07:00
netpoll.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
netprio_cgroup.c bpf, cgroups: Fix cgroup v2 fallback on v1/v2 mixed mode 2021-09-13 16:35:58 -07:00
of_net.c Revert "of: net: support NVMEM cells with MAC in text format" 2022-01-12 14:14:36 +00:00
page_pool.c net: page_pool: add page allocation stats for two fast page allocate path 2022-05-13 11:28:55 +01:00
pktgen.c net: rename reference+tracking helpers 2022-06-09 21:52:55 -07:00
ptp_classifier.c ptp: Add generic PTP is_sync() function 2022-03-07 11:31:34 +00:00
request_sock.c
rtnetlink.c net: allow gro_max_size to exceed 65536 2022-05-16 10:18:56 +01:00
scm.c memcg: enable accounting for scm_fp_list objects 2021-07-20 06:00:38 -07:00
secure_seq.c tcp: resalt the secret every 10 seconds 2022-05-04 19:22:21 -07:00
selftests.c net: core: constify mac addrs in selftests 2021-10-24 13:59:44 +01:00
skbuff.c net: don't check skb_count twice 2022-06-15 12:51:31 +01:00
skmsg.c skmsg: Get rid of unncessary memset() 2022-06-20 14:05:52 +02:00
sock_destructor.h skb_expand_head() adjust skb->truesize incorrectly 2021-10-22 12:35:51 -07:00
sock_diag.c net: Don't include filter.h from net/sock.h 2021-12-29 08:48:14 -08:00
sock_map.c bpf: Fix sockmap calling sleepable function in teardown path 2022-06-28 09:30:03 +02:00
sock_reuseport.c tcp: Add stats for socket migration. 2021-06-23 12:56:08 -07:00
sock.c tcp: sk_forced_mem_schedule() optimization 2022-06-13 13:35:25 +01:00
stream.c net: use WARN_ON_ONCE() in sk_stream_kill_queues() 2022-06-09 21:53:55 -07:00
sysctl_net_core.c Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-05-23 16:07:14 -07:00
timestamping.c
tso.c net: tso: add UDP segmentation support 2020-06-18 20:46:23 -07:00
utils.c net: core: Use csum_replace_by_diff() and csum_sub() instead of opencoding 2022-02-21 11:40:44 +00:00
xdp.c Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next 2022-03-22 11:18:49 -07:00