Ksawlii/kernel_samsung_a53x
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
kernel_samsung_a53x/net/core
History
Jakub Sitnicki 55bfcbc4ba bpf, sockmap: Prevent lock inversion deadlock in map delete elem 
commit ff91059932401894e6c86341915615c5eb0eca48 upstream.

syzkaller started using corpuses where a BPF tracing program deletes
elements from a sockmap/sockhash map. Because BPF tracing programs can be
invoked from any interrupt context, locks taken during a map_delete_elem
operation must be hardirq-safe. Otherwise a deadlock due to lock inversion
is possible, as reported by lockdep:

       CPU0                    CPU1
       ----                    ----
  lock(&htab->buckets[i].lock);
                               local_irq_disable();
                               lock(&host->lock);
                               lock(&htab->buckets[i].lock);
  <Interrupt>
    lock(&host->lock);

Locks in sockmap are hardirq-unsafe by design. We expects elements to be
deleted from sockmap/sockhash only in task (normal) context with interrupts
enabled, or in softirq context.

Detect when map_delete_elem operation is invoked from a context which is
_not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an
error.

Note that map updates are not affected by this issue. BPF verifier does not
allow updating sockmap/sockhash from a BPF tracing program today.

Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface")
Reported-by: xingwei lee <xrivendell7@gmail.com>
Reported-by: yue sun <samsun1006219@gmail.com>
Reported-by: syzbot+bc922f476bd65abbd466@syzkaller.appspotmail.com
Reported-by: syzbot+d4066896495db380182e@syzkaller.appspotmail.com
Signed-off-by: Jakub Sitnicki <jakub@cloudflare.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Tested-by: syzbot+d4066896495db380182e@syzkaller.appspotmail.com
Acked-by: John Fastabend <john.fastabend@gmail.com>
Closes: https://syzkaller.appspot.com/bug?extid=d4066896495db380182e
Closes: https://syzkaller.appspot.com/bug?extid=bc922f476bd65abbd466
Link: https://lore.kernel.org/bpf/20240402104621.1050319-1-jakub@cloudflare.com
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
2024-11-19 09:22:46 +01:00
..
bpf_sk_storage.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
datagram.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
datagram.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dev.c packet: annotate data-races around ignore_outgoing 2024-11-19 08:44:59 +01:00
dev_addr_lists.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dev_ioctl.c net: dev: Convert sa_data to flexible array in struct sockaddr 2024-11-18 22:25:41 +01:00
devlink.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
drop_monitor.c drop_monitor: Require 'CAP_SYS_ADMIN' when joining "events" group 2024-11-18 12:11:46 +01:00
dst.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
dst_cache.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
failover.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fib_notifier.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
fib_rules.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
filter.c bpf: net: Change sk_getsockopt() to take the sockptr_t argument 2024-11-18 23:19:51 +01:00
flow_dissector.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
flow_offload.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gen_estimator.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gen_stats.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
gro_cells.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
hwbm.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
link_watch.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
lwt_bpf.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
lwtunnel.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
Makefile Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
neighbour.c neighbour: Don't let neigh_forced_gc() disable preemption for long 2024-11-18 12:12:16 +01:00
net-procfs.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
net-sysfs.c Backport mac80211 patches from linux-6.1.y 2024-06-15 16:29:20 -03:00
net-sysfs.h Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
net-traces.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
net_namespace.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netclassid_cgroup.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netevent.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netpoll.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
netprio_cgroup.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
page_pool.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
pktgen.c net: pktgen: Fix interface flags printing 2024-11-08 11:26:11 +01:00
ptp_classifier.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
request_sock.c tcp: make sure init the accept_queue's spinlocks once 2024-11-18 12:12:59 +01:00
rtnetlink.c rtnetlink: fix error logic of IFLA_BRIDGE_FLAGS writing back 2024-11-18 23:18:28 +01:00
scm.c Revert "io_uring/unix: drop usage of io_uring socket" 2024-11-19 09:11:51 +01:00
secure_seq.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
skbuff.c net: prevent mss overflow in skb_segment() 2024-11-18 12:13:39 +01:00
skmsg.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sock.c lsm: make security_socket_getpeersec_stream() sockptr_t safe 2024-11-18 23:19:51 +01:00
sock_diag.c sock_diag: annotate data-races around sock_diag_handlers[family] 2024-11-19 08:44:38 +01:00
sock_map.c bpf, sockmap: Prevent lock inversion deadlock in map delete elem 2024-11-19 09:22:46 +01:00
sock_reuseport.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
stream.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
sysctl_net_core.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
timestamping.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
tso.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
utils.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00
xdp.c Import A536BXXU9EXDC 2024-06-15 16:02:09 -03:00