linux/kernel/bpf
John Fastabend 54fedb42c6 bpf: sockmap, fix smap_list_map_remove when psock is in many maps
If a hashmap is free'd with open socks it removes the reference to
the hash entry from the psock. If that is the last reference to the
psock then it will also be free'd by the reference counting logic.
However the current logic that removes the hash reference from the
list of references is broken. In smap_list_remove() we first check
if the sockmap entry matches and then check if the hashmap entry
matches. But, the sockmap entry will always match because it's NULL in
this case which causes the first entry to be removed from the list.
If this is always the "right" entry (because the user adds/removes
entries in order) then everything is OK but otherwise a subsequent
bpf_tcp_close() may reference a free'd object.

To fix this create two list handlers one for sockmap and one for
sockhash.

Reported-by: syzbot+0ce137753c78f7b6acc1@syzkaller.appspotmail.com
Fixes: 8111038444 ("bpf: sockmap, add hash map support")
Acked-by: Martin KaFai Lau <kafai@fb.com>
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
2018-07-01 01:21:31 +02:00
..
arraymap.c bpf: btf: Rename btf_key_id and btf_value_id in bpf_map_info 2018-05-23 12:03:32 +02:00
bpf_lru_list.c bpf: lru: Lower the PERCPU_NR_SCANS from 16 to 4 2017-04-17 13:55:52 -04:00
bpf_lru_list.h bpf: Only set node->ref = 1 if it has not been set 2017-09-01 09:57:39 -07:00
btf.c treewide: kvzalloc() -> kvcalloc() 2018-06-12 16:19:22 -07:00
cgroup.c bpf: fix attach type BPF_LIRC_MODE2 dependency wrt CONFIG_CGROUP_BPF 2018-06-26 11:28:38 +02:00
core.c bpf: undo prog rejection on read-only lock failure 2018-06-29 10:47:35 -07:00
cpumap.c xdp: introduce xdp_return_frame_rx_napi 2018-05-24 18:36:15 -07:00
devmap.c xdp: Fix handling of devmap in generic XDP 2018-06-15 23:47:15 +02:00
disasm.c bpf: Remove struct bpf_verifier_env argument from print_bpf_insn 2018-03-23 17:38:57 +01:00
disasm.h bpf: Remove struct bpf_verifier_env argument from print_bpf_insn 2018-03-23 17:38:57 +01:00
hashtab.c bpf: avoid retpoline for lookup/update/delete calls on maps 2018-06-03 07:45:37 -07:00
helpers.c bpf: implement bpf_get_current_cgroup_id() helper 2018-06-03 18:22:41 -07:00
inode.c bpf: implement dummy fops for bpf objects 2018-06-08 10:58:48 -07:00
lpm_trie.c treewide: kmalloc() -> kmalloc_array() 2018-06-12 16:19:22 -07:00
Makefile bpf: introduce new bpf AF_XDP map type BPF_MAP_TYPE_XSKMAP 2018-05-03 15:55:24 -07:00
map_in_map.c bpf: Add syscall lookup support for fd array and htab 2017-06-29 13:13:25 -04:00
map_in_map.h bpf: Add syscall lookup support for fd array and htab 2017-06-29 13:13:25 -04:00
offload.c bpf: offload: allow offloaded programs to use perf event arrays 2018-05-04 23:41:03 +02:00
percpu_freelist.c bpf: fix lockdep splat 2017-11-15 19:46:32 +09:00
percpu_freelist.h
sockmap.c bpf: sockmap, fix smap_list_map_remove when psock is in many maps 2018-07-01 01:21:31 +02:00
stackmap.c bpf: avoid -Wmaybe-uninitialized warning 2018-05-28 17:40:59 +02:00
syscall.c bpf: fix attach type BPF_LIRC_MODE2 dependency wrt CONFIG_CGROUP_BPF 2018-06-26 11:28:38 +02:00
tnum.c bpf/verifier: improve register value range tracking with ARSH 2018-04-29 08:45:53 -07:00
verifier.c treewide: Use array_size() in vzalloc() 2018-06-12 16:19:22 -07:00
xskmap.c xsk: clean up SPDX headers 2018-05-18 16:07:02 +02:00