Skip to content

bpf, sockmap: Fix psock incorrectly pointing to sk #5369

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: bpf-next_base
Choose a base branch
from
Open

bpf, sockmap: Fix psock incorrectly pointing to sk #5369

wants to merge 1 commit into from
+5 −1

Conversation

kernel-patches-daemon-bpf-rc[bot]
Copy link

Pull request for series with
subject: bpf, sockmap: Fix psock incorrectly pointing to sk
version: 1
url: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 8259eb0
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: bfccacd
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 079e5c5
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: db22b13
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 1ae7a84
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 86bc9c7
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: d496557
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: ca56fbd
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: 5ffb537
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: c5cebb2
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc kernel-patches-daemon-bpf-rc bot force-pushed the bpf-next_base branch 3 times, most recently from 18af9fe to 653831c Compare June 1, 2025 18:00
@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: bb1556e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: bb1556e
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: cd2e103
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

@mrpre
bpf, sockmap: Fix psock incorrectly pointing to sk
9d5b34e 
We observed an issue from the latest selftest: sockmap_redir where
sk_psock(psock->sk) != psock in the backlog. The root cause is the special
behavior in sockmap_redir - it frequently performs map_update() and
map_delete() on the same socket. During map_update(), we create a new
psock and during map_delete(), we eventually free the psock via rcu_work
in sk_psock_drop(). However, pending workqueues might still exist and not
be processed yet. If users immediately perform another map_update(), a new
psock will be allocated for the same sk, resulting in two psocks pointing
to the same sk.

When the pending workqueue is later triggered, it uses the old psock to
access sk for I/O operations, which is incorrect.

Timing Diagram:

cpu0                        cpu1

map_update(sk):
    sk->psock = psock1
    psock1->sk = sk
map_delete(sk):
   rcu_work_free(psock1)

map_update(sk):
    sk->psock = psock2
    psock2->sk = sk
                            workqueue:
                                wakeup with psock1, but the sk of psock1
                                doesn't belong to psock1
rcu_handler:
    clean psock1
    free(psock1)

Previously, we used reference counting to address the concurrency issue
between backlog and sock_map_close(). This logic remains necessary as it
prevents the sk from being freed while processing the backlog. But this
patch prevents pending backlogs from using a psock after it has been
freed.

Note: We cannot call cancel_delayed_work_sync() in map_delete() since this
might be invoked in BPF context by BPF helper, and the function may sleep.

Fixes: 604326b ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: Jiayuan Chen <[email protected]>
@kernel-patches-daemon-bpf-rc
Copy link
Author

Upstream branch: cd2e103
series: https://patchwork.kernel.org/project/netdevbpf/list/?series=965935
version: 1

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bpf-next new V1-ci-pass V1
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
1 participant
@mrpre