bpf: sockmap, duplicates release calls may NULL sk_prot
author John Fastabend <john.fastabend@gmail.com>
Mon, 2 Apr 2018 19:50:52 +0000 (12:50 -0700)
committer Daniel Borkmann <daniel@iogearbox.net>
Wed, 4 Apr 2018 09:04:31 +0000 (11:04 +0200)
It is possible to have multiple ULP tcp_release call paths in flight
if a sock is closed and simultaneously being removed from the sockmap
control path. The result would be setting the sk_prot to the saved
values on the first iteration and then on the second iteration setting
the value to NULL.

This patch resolves this by ensuring we only reset the sk_prot pointer
if we have a valid saved state to set.

Fixes: 4f738adba30a7 ("bpf: create tcp_bpf_ulp allowing BPF to monitor socket TX/RX data")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
kernel/bpf/sockmap.c

index 8ddf326b3adee661ac6b3f4b310a070a775905a5..8dd9210d7db7851da0eb79b950803fedff9d89f3 100644 (file)
@@ -182,8 +182,10 @@ static void bpf_tcp_release(struct sock *sk)
                psock->cork = NULL;
        }
 
-       sk->sk_prot = psock->sk_proto;
-       psock->sk_proto = NULL;
+       if (psock->sk_proto) {
+               sk->sk_prot = psock->sk_proto;
+               psock->sk_proto = NULL;
+       }
 out:
        rcu_read_unlock();
 }
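
Review bot: The new `if (psock->sk_proto)` test and the assignment `sk->sk_prot = psock->sk_proto` read the field twice, and the only protection visible in this hunk is the RCU read side (`rcu_read_unlock()` at `out:`). If the two release paths described in the commit message really overlap, the second caller can pass the test, then load NULL after the first caller has executed `psock->sk_proto = NULL`, which would still store NULL into `sk->sk_prot`. Unless a lock outside this hunk serializes the callers, consider taking the saved pointer once (a local filled with `xchg()` on `psock->sk_proto`, for example) and testing and assigning from that local. A one-line comment above the `if` stating that a NULL `psock->sk_proto` means another release path has already restored `sk->sk_prot` would also help.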