From: Jakub Sitnicki jakub@cloudflare.com
[ Upstream commit db38de39684dda2bf307f41797db2831deba64e9 ]
A call to bpf_prog_put(), with the help of call_rcu(), queues an RCU callback to free the program once a grace period has elapsed. The callback can run together with new RCU readers that started after the last grace period. New RCU readers can potentially see the "old" to-be-freed or already-freed pointer to the program object before the RCU update side NULLs it.
Reorder the operations so that the RCU update side resets the protected pointer before the end of the grace period after which the program will be freed.
Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook")
Reported-by: Lorenz Bauer lmb@cloudflare.com
Signed-off-by: Jakub Sitnicki jakub@cloudflare.com
Acked-by: Petar Penkov ppenkov@google.com
Signed-off-by: Daniel Borkmann daniel@iogearbox.net
Signed-off-by: Sasha Levin sashal@kernel.org
---
 net/core/flow_dissector.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c index edd622956083d..b15c0c0f6e557 100644 --- a/net/core/flow_dissector.c +++ b/net/core/flow_dissector.c @@ -138,8 +138,8 @@ int skb_flow_dissector_bpf_prog_detach(const union bpf_attr *attr) mutex_unlock(&flow_dissector_mutex); return -ENOENT; } - bpf_prog_put(attached); RCU_INIT_POINTER(net->flow_dissector_prog, NULL); + bpf_prog_put(attached); mutex_unlock(&flow_dissector_mutex); return 0; }
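Review bot: the swap of `RCU_INIT_POINTER(net->flow_dissector_prog, NULL);` ahead of `bpf_prog_put(attached);` in skb_flow_dissector_bpf_prog_detach() is the right ordering, but the commit message should state the race explicitly so the backport's intent is clear: a grace period only waits for readers that entered rcu_read_lock() before call_rcu() was invoked, so with the old order a reader that started after bpf_prog_put() but before the NULL store could still load the stale pointer and dereference a program the callback is already free to release; with the new order every reader that can observe the non-NULL pointer is by construction a pre-existing reader that the grace period covers. Two details worth a line in the message or a comment: RCU_INIT_POINTER() rather than rcu_assign_pointer() is acceptable here only because the value being published is NULL, which needs no release barrier, and the update side is serialized by flow_dissector_mutex, which the surrounding context shows is held across both statements and dropped only at the mutex_unlock() calls in the ENOENT branch and at the end of the function.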