On 05/26/2018 01:30 AM, Daniel Borkmann wrote:
> Hi John,
>
> On 05/25/2018 07:37 PM, John Fastabend wrote:
>> syzbot reported two related splats, a use after free and null
>> pointer dereference, when a TCP socket is closed while the map is
>> also being removed.
>>
>> The psock keeps a reference to all map slots that have a reference
>> to the sock so that when the sock is closed we can clean up any
>> outstanding sock{map|hash} entries. This avoids pinning a sock
>> forever if the map owner fails to do proper cleanup. However, the
>> result is we have two paths that can free an entry in the map. Even
>> the comment in the sock{map|hash} tear down function, sock_hash_free()
>> notes this:
>>
>> At this point no update, lookup or delete operations can happen.
>> However, be aware we can still get a socket state event updates,
>> and data ready callbacks that reference the psock from sk_user_data.
>>
>> Both removal paths omitted taking the hash bucket lock resulting
>> in the case where we have two references that are in the process
>> of being free'd.
>>
>> Reported-by: syzbot+a761b81c211794fa1...@syzkaller.appspotmail.com
>> Signed-off-by: John Fastabend <john.fastab...@gmail.com>
>
Fixes: 81110384441a ("bpf: sockmap, add hash map support")
