bpf, sockhash: Synchronize_rcu before free'ing map

jsitnicki · borkmann · commit 0b2dc83906cf · 2020-02-07T22:36:26.000+01:00
We need to have a synchronize_rcu before free'ing the sockhash because any outstanding psock references will have a pointer to the map and when they use it, this could trigger a use after free. This is a sister fix for sockhash, following commit 2bb90e5 ("bpf: sockmap, synchronize_rcu before free'ing map") which addressed sockmap, which comes from a manual audit. Fixes: 604326b ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Acked-by: John Fastabend <john.fastabend@gmail.com> Link: https://lore.kernel.org/bpf/20200206111652.694507-3-jakub@cloudflare.com
diff --git a/net/core/sock_map.c b/net/core/sock_map.c
@@ -250,6 +250,7 @@ static void sock_map_free(struct bpf_map *map)
 	}
 	raw_spin_unlock_bh(&stab->lock);
 
+	/* wait for psock readers accessing its map link */
 	synchronize_rcu();
 
 	bpf_map_area_free(stab->sks);
@@ -877,6 +878,9 @@ static void sock_hash_free(struct bpf_map *map)
 		raw_spin_unlock_bh(&bucket->lock);
 	}
 
+	/* wait for psock readers accessing its map link */
+	synchronize_rcu();
+
 	bpf_map_area_free(htab->buckets);
 	kfree(htab);
 }

Original file line number	Diff line number	Diff line change
`@@ -250,6 +250,7 @@ static void sock_map_free(struct bpf_map *map)`
`250`	`250`	`}`
`251`	`251`	`raw_spin_unlock_bh(&stab->lock);`
`252`	`252`
	`253`	`+ /* wait for psock readers accessing its map link */`
`253`	`254`	`synchronize_rcu();`
`254`	`255`
`255`	`256`	`bpf_map_area_free(stab->sks);`
`@@ -877,6 +878,9 @@ static void sock_hash_free(struct bpf_map *map)`
`877`	`878`	`raw_spin_unlock_bh(&bucket->lock);`
`878`	`879`	`}`
`879`	`880`
	`881`	`+ /* wait for psock readers accessing its map link */`
	`882`	`+ synchronize_rcu();`
	`883`	`+`
`880`	`884`	`bpf_map_area_free(htab->buckets);`
`881`	`885`	`kfree(htab);`
`882`	`886`	`}`