On 05/28/2018 05:13 PM, John Fastabend wrote:
> On 05/27/2018 03:36 PM, Daniel Borkmann wrote:
>> On 05/25/2018 07:37 PM, John Fastabend wrote:
>>> syzbot reported two related splats, a use after free and null
>>> pointer dereference, when a TCP socket is closed while the map is
>>> also being removed.
>>>
>>> The psock keeps a reference to all map slots that have a reference
>>> to the sock so that when the sock is closed we can clean up any
>>> outstanding sock{map|hash} entries. This avoids pinning a sock
>>> forever if the map owner fails to do proper cleanup. However, the
>>> result is we have two paths that can free an entry in the map. Even
>>> the comment in the sock{map|hash} tear down function, sock_hash_free()
>>> notes this:
>>>
>>> At this point no update, lookup or delete operations can happen.
>>> However, be aware we can still get a socket state event updates,
>>> and data ready callbacks that reference the psock from sk_user_data.
>>>
>>> Both removal paths omitted taking the hash bucket lock resulting
>>> in the case where we have two references that are in the process
>>> of being free'd.
>>>
>>> Reported-by: syzbot+a761b81c211794fa1...@syzkaller.appspotmail.com
>>> Signed-off-by: John Fastabend <john.fastab...@gmail.com>
>>
>> Applied to bpf-next, thanks John!
>
> This needs a v2 it introduces a slightly different/related error. I'll
> have a v2 shortly.
Ok, I've just dropped it from the tree in favor for a v2. Thanks John!
