John Fastabend 697fb80a53 bpf: Fix sockmap calling sleepable function in teardown path ... syzbot reproduced the bug ... BUG: sleeping function called from invalid context at kernel/workqueue.c:3010 ... with the following stack trace fragment ... start_flush_work kernel/workqueue.c:3010 [inline] __flush_work+0x109/0xb10 kernel/workqueue.c:3074 __cancel_work_timer+0x3f9/0x570 kernel/workqueue.c:3162 sk_psock_stop+0x4cb/0x630 net/core/skmsg.c:802 sock_map_destroy+0x333/0x760 net/core/sock_map.c:1581 inet_csk_destroy_sock+0x196/0x440 net/ipv4/inet_connection_sock.c:1130 __tcp_close+0xd5b/0x12b0 net/ipv4/tcp.c:2897 tcp_close+0x29/0xc0 net/ipv4/tcp.c:2909 ... introduced by d8616ee2af. Do a quick trace of the code path and the bug is obvious: inet_csk_destroy_sock(sk) sk_prot->destroy(sk); <--- sock_map_destroy sk_psock_stop(, true); <--- true so cancel workqueue cancel_work_sync() <--- splat, because *_bh_disable() We can not call cancel_work_sync() from inside destroy path. So mark the sk_psock_stop call to skip this cancel_work_sync(). This will avoid the BUG, but means we may run sk_psock_backlog after or during the destroy op. We zapped the ingress_skb queue in sk_psock_stop (safe to do with local_bh_disable) so its empty and the sk_psock_backlog work item will not find any pkts to process here. However, because we are not going to wait for it or clear its ->state its possible it kicks off or is already running. This should be 'safe' up until psock drops its refcnt to psock->sk. The sock_put() that drops this reference is only done at psock destroy time from sk_psock_destroy(). This is done through workqueue when sk_psock_drop() is called on psock refnt reaches 0. And importantly sk_psock_destroy() does a cancel_work_sync(). So trivial fix works. I've had hit or miss luck reproducing this caught it once or twice with the provided reproducer when running with many runners. However, syzkaller is very good at reproducing so relying on syzkaller to verify fix. Fixes: d8616ee2af ("bpf, sockmap: Fix sk->sk_forward_alloc warn_on in sk_stream_kill_queues") Reported-by: syzbot+140186ceba0c496183bc@syzkaller.appspotmail.com Suggested-by: Hillf Danton <hdanton@sina.com> Signed-off-by: John Fastabend <john.fastabend@gmail.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net> Cc: Wang Yufen <wangyufen@huawei.com> Link: https://lore.kernel.org/bpf/20220628035803.317876-1-john.fastabend@gmail.com		2022-06-28 09:30:03 +02:00
..
6lowpan	net: 6lowpan: constify lowpan_nhc structures	2022-06-09 21:53:28 +02:00
9p	xen: switch gnttab_end_foreign_access() to take a struct page pointer	2022-05-27 11:05:29 +02:00
802	net: 802: Use memset_startat() to clear struct fields	2021-11-19 11:23:23 +00:00
8021q	vlan: adopt u64_stats_t	2022-06-09 21:53:09 -07:00
appletalk	net: remove noblock parameter from skb_recv_datagram()	2022-04-06 13:45:26 +01:00
atm	net: SO_RCVMARK socket option for SO_MARK with recvmsg()	2022-04-28 13:08:15 -07:00
ax25	ax25: use GFP_KERNEL in ax25_dev_device_up()	2022-06-17 20:34:13 -07:00
batman-adv	net: wrap the wireless pointers in struct net_device in an ifdef	2022-05-22 21:51:54 +01:00
bluetooth	bluetooth: don't use bitmaps for random flag accesses	2022-06-05 16:28:41 -07:00
bpf	bpf, test_run: Remove unnecessary prog type checks	2022-06-03 14:53:33 -07:00
bpfilter	uaccess: remove CONFIG_SET_FS	2022-02-25 09:36:06 +01:00
bridge	net: bridge: allow add/remove permanent mdb entries on disabled ports	2022-06-15 09:35:21 +01:00
caif	net: remove noblock parameter from skb_recv_datagram()	2022-04-06 13:45:26 +01:00
can	can: isotp: isotp_bind(): do not validate unused address information	2022-05-19 22:11:28 +02:00
ceph	libceph: use swap() macro instead of taking tmp variable	2022-05-25 20:45:13 +02:00
core	bpf: Fix sockmap calling sleepable function in teardown path	2022-06-28 09:30:03 +02:00
dcb	net: dcb: disable softirqs in dcbnl_flush_dev()	2022-03-03 08:01:55 -08:00
dccp	Revert "net: Add a second bind table hashed by port and address"	2022-06-16 11:07:59 -07:00
decnet	net: add per_cpu_fw_alloc field to struct proto	2022-06-10 16:21:26 -07:00
dns_resolver
dsa	net: adopt u64_stats_t in struct pcpu_sw_netstats	2022-06-09 21:53:11 -07:00
ethernet	net: ethernet: set default assignment identifier to NET_NAME_ENUM	2022-04-07 21:04:03 -07:00
ethtool	ethtool: Fix and simplify ethtool_convert_link_mode_to_legacy_u32()	2022-06-13 23:11:35 -07:00
hsr	net: add per-cpu storage and net->core_stats	2022-03-11 23:17:24 -08:00
ieee802154	net: SO_RCVMARK socket option for SO_MARK with recvmsg()	2022-04-28 13:08:15 -07:00
ife
ipv4	bpf: Require only one of cong_avoid() and cong_control() from a TCP CC	2022-06-23 09:49:57 -07:00
ipv6	net: Introduce a new proto_ops ->read_skb()	2022-06-20 14:05:52 +02:00
iucv	net: keep sk->sk_forward_alloc as small as possible	2022-06-10 16:21:27 -07:00
kcm	net: Don't include filter.h from net/sock.h	2021-12-29 08:48:14 -08:00
key	Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec	2022-06-01 17:44:04 -07:00
l2tp	ipv6: Fix signed integer overflow in l2tp_ip6_sendmsg	2022-06-08 10:56:43 -07:00
l3mdev	l3mdev: l3mdev_master_upper_ifindex_by_index_rcu should be using netdev_master_upper_dev_get_rcu	2022-04-15 14:27:24 -07:00
lapb
llc	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
mac80211	wireless-next patches for v5.20	2022-06-10 08:57:35 -07:00
mac802154	net: mac802154: Fix symbol durations	2022-04-30 20:29:47 +02:00
mctp	Networking changes for 5.19.	2022-05-25 12:22:58 -07:00
mpls	net: mpls: fix memdup.cocci warning	2022-04-07 21:06:41 -07:00
mptcp	net: keep sk->sk_forward_alloc as small as possible	2022-06-10 16:21:27 -07:00
ncsi	all: replace find_next{,_zero}_bit with find_first{,_zero}_bit where appropriate	2022-01-15 08:47:31 -08:00
netfilter	netfilter: nf_tables: bail out early if hardware offload is not supported	2022-06-06 19:19:15 +02:00
netlabel	netlabel: fix out-of-bounds memory accesses	2022-03-21 10:59:11 +00:00
netlink	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-05-12 16:15:30 -07:00
netrom	net: remove noblock parameter from skb_recv_datagram()	2022-04-06 13:45:26 +01:00
nfc	net: nfc: Directly use ida_alloc()/free()	2022-05-28 15:28:47 +01:00
nsh
openvswitch	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
packet	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
phonet	net: remove noblock parameter from recvmsg() entities	2022-04-12 15:00:25 +02:00
psample
qrtr	net: remove noblock parameter from skb_recv_datagram()	2022-04-06 13:45:26 +01:00
rds	Linux 5.18	2022-05-24 12:40:28 -03:00
rfkill	rfkill: make new event layout opt-in	2022-03-18 13:09:17 +02:00
rose	ROSE: Remove unused code and clean up some inconsistent indenting	2022-05-09 17:19:27 -07:00
rxrpc	Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net	2022-05-23 21:19:17 -07:00
sched	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
sctp	net: keep sk->sk_forward_alloc as small as possible	2022-06-10 16:21:27 -07:00
smc	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
strparser
sunrpc	Notable changes:	2022-06-10 17:28:43 -07:00
switchdev	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
tipc	tipc: cleanup unused function	2022-06-17 11:43:57 +01:00
tls	tls: Rename TLS_INFO_ZC_SENDFILE to TLS_INFO_ZC_TX	2022-06-09 21:51:57 -07:00
unix	net: Introduce a new proto_ops ->read_skb()	2022-06-20 14:05:52 +02:00
vmw_vsock	hyperv-next for 5.19	2022-05-28 11:39:01 -07:00
wireless	wireless-next patches for v5.19	2022-05-19 13:01:08 -07:00
x25	x25: remove redundant pointer dev	2022-05-10 11:59:22 +02:00
xdp	Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf-next	2022-06-17 19:35:19 -07:00
xfrm	net: rename reference+tracking helpers	2022-06-09 21:52:55 -07:00
compat.c
devres.c
Kconfig	page_pool: Add allocation stats	2022-03-03 09:55:28 +00:00
Kconfig.debug	net: CONFIG_DEBUG_NET depends on CONFIG_NET	2022-06-02 10:15:05 -07:00
Makefile
socket.c	net: make __sys_accept4_file() static	2022-06-13 13:47:15 +01:00
sysctl_net.c