[ Sasha's backport helper bot ]
Hi,
The upstream commit SHA1 provided is correct: ed1fc5d76b81a4d681211333c026202cad4d5649
WARNING: Author mismatch between patch and upstream commit: Backport author: Alva Lanalvalan9@foxmail.com Commit author: Michal Luczajmhal@rbox.co
Status in newer kernel trees: 6.12.y | Present (different SHA1: bf2318e288f6) 6.6.y | Present (different SHA1: b015f19fedd2) 6.1.y | Present (different SHA1: b543d4a4153f)
Note: The patch differs from the upstream commit: --- 1: ed1fc5d76b81 ! 1: 559c7465df3b bpf, sockmap: Fix race between element replace and close() @@ Metadata ## Commit message ## bpf, sockmap: Fix race between element replace and close()
+ [ Upstream commit ed1fc5d76b81a4d681211333c026202cad4d5649 ] + Element replace (with a socket different from the one stored) may race with socket's close() link popping & unlinking. __sock_map_delete() unconditionally unrefs the (wrong) element: @@ Commit message Signed-off-by: Daniel Borkmann daniel@iogearbox.net Reviewed-by: John Fastabend john.fastabend@gmail.com Link: https://lore.kernel.org/bpf/20241202-sockmap-replace-v1-3-1e88579e7bd5@rbox.... + Signed-off-by: Alva Lan alvalan9@foxmail.com
## net/core/sock_map.c ## @@ net/core/sock_map.c: static void *sock_map_lookup_sys(struct bpf_map *map, void *key) @@ net/core/sock_map.c: static void *sock_map_lookup_sys(struct bpf_map *map, void + struct sock *sk = NULL; int err = 0;
- spin_lock_bh(&stab->lock); + if (irqs_disabled()) + return -EOPNOTSUPP; /* locks here are hardirq-unsafe */ + + raw_spin_lock_bh(&stab->lock); - sk = *psk; - if (!sk_test || sk_test == sk) ++ + if (!sk_test || sk_test == *psk) sk = xchg(psk, NULL);
---
Results of testing on various branches:
| Branch | Patch Apply | Build Test | |---------------------------|-------------|------------| | stable/linux-6.1.y | Success | Success |