tjh.dev / kernel
Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
kernel os linux
fork atom

Merge https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf

Daniel Borkmann says:

====================
pull-request: bpf 2022-03-18

We've added 2 non-merge commits during the last 18 day(s) which contain
a total of 2 files changed, 50 insertions(+), 20 deletions(-).

The main changes are:

1) Fix a race in XSK socket teardown code that can lead to a NULL pointer
dereference, from Magnus.

2) Small MAINTAINERS doc update to remove Lorenz from sockmap, from Lorenz.

* https://git.kernel.org/pub/scm/linux/kernel/git/bpf/bpf:
xsk: Fix race at socket teardown
bpf: Remove Lorenz Bauer from L7 BPF maintainers
====================

Link: https://lore.kernel.org/r/20220318152418.28638-1-daniel@iogearbox.net
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

Jakub Kicinski 6bd0c76b 9905eed4

+50 -20
-1
MAINTAINERS
··· 10765 10765 M: John Fastabend <john.fastabend@gmail.com> 10766 10766 M: Daniel Borkmann <daniel@iogearbox.net> 10767 10767 M: Jakub Sitnicki <jakub@cloudflare.com> 10768 - M: Lorenz Bauer <lmb@cloudflare.com> 10769 10768 L: netdev@vger.kernel.org 10770 10769 L: bpf@vger.kernel.org 10771 10770 S: Maintained
+50 -19
net/xdp/xsk.c
··· 403 403 static int xsk_wakeup(struct xdp_sock *xs, u8 flags) 404 404 { 405 405 struct net_device *dev = xs->dev; 406 - int err; 407 406 408 - rcu_read_lock(); 409 - err = dev->netdev_ops->ndo_xsk_wakeup(dev, xs->queue_id, flags); 410 - rcu_read_unlock(); 411 - 412 - return err; 413 - } 414 - 415 - static int xsk_zc_xmit(struct xdp_sock *xs) 416 - { 417 - return xsk_wakeup(xs, XDP_WAKEUP_TX); 407 + return dev->netdev_ops->ndo_xsk_wakeup(dev, xs->queue_id, flags); 418 408 } 419 409 420 410 static void xsk_destruct_skb(struct sk_buff *skb) ··· 523 533 524 534 mutex_lock(&xs->mutex); 525 535 536 + /* Since we dropped the RCU read lock, the socket state might have changed. */ 537 + if (unlikely(!xsk_is_bound(xs))) { 538 + err = -ENXIO; 539 + goto out; 540 + } 541 + 526 542 if (xs->queue_id >= xs->dev->real_num_tx_queues) 527 543 goto out; 528 544 ··· 592 596 return err; 593 597 } 594 598 595 - static int __xsk_sendmsg(struct sock *sk) 599 + static int xsk_xmit(struct sock *sk) 596 600 { 597 601 struct xdp_sock *xs = xdp_sk(sk); 602 + int ret; 598 603 599 604 if (unlikely(!(xs->dev->flags & IFF_UP))) 600 605 return -ENETDOWN; 601 606 if (unlikely(!xs->tx)) 602 607 return -ENOBUFS; 603 608 604 - return xs->zc ? xsk_zc_xmit(xs) : xsk_generic_xmit(sk); 609 + if (xs->zc) 610 + return xsk_wakeup(xs, XDP_WAKEUP_TX); 611 + 612 + /* Drop the RCU lock since the SKB path might sleep. */ 613 + rcu_read_unlock(); 614 + ret = xsk_generic_xmit(sk); 615 + /* Reaquire RCU lock before going into common code. */ 616 + rcu_read_lock(); 617 + 618 + return ret; 605 619 } 606 620 607 621 static bool xsk_no_wakeup(struct sock *sk) ··· 625 619 #endif 626 620 } 627 621 628 - static int xsk_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len) 622 + static int __xsk_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len) 629 623 { 630 624 bool need_wait = !(m->msg_flags & MSG_DONTWAIT); 631 625 struct sock *sk = sock->sk; ··· 645 639 646 640 pool = xs->pool; 647 641 if (pool->cached_need_wakeup & XDP_WAKEUP_TX) 648 - return __xsk_sendmsg(sk); 642 + return xsk_xmit(sk); 649 643 return 0; 650 644 } 651 645 652 - static int xsk_recvmsg(struct socket *sock, struct msghdr *m, size_t len, int flags) 646 + static int xsk_sendmsg(struct socket *sock, struct msghdr *m, size_t total_len) 647 + { 648 + int ret; 649 + 650 + rcu_read_lock(); 651 + ret = __xsk_sendmsg(sock, m, total_len); 652 + rcu_read_unlock(); 653 + 654 + return ret; 655 + } 656 + 657 + static int __xsk_recvmsg(struct socket *sock, struct msghdr *m, size_t len, int flags) 653 658 { 654 659 bool need_wait = !(flags & MSG_DONTWAIT); 655 660 struct sock *sk = sock->sk; ··· 686 669 return 0; 687 670 } 688 671 672 + static int xsk_recvmsg(struct socket *sock, struct msghdr *m, size_t len, int flags) 673 + { 674 + int ret; 675 + 676 + rcu_read_lock(); 677 + ret = __xsk_recvmsg(sock, m, len, flags); 678 + rcu_read_unlock(); 679 + 680 + return ret; 681 + } 682 + 689 683 static __poll_t xsk_poll(struct file *file, struct socket *sock, 690 684 struct poll_table_struct *wait) 691 685 { ··· 707 679 708 680 sock_poll_wait(file, sock, wait); 709 681 710 - if (unlikely(!xsk_is_bound(xs))) 682 + rcu_read_lock(); 683 + if (unlikely(!xsk_is_bound(xs))) { 684 + rcu_read_unlock(); 711 685 return mask; 686 + } 712 687 713 688 pool = xs->pool; 714 689 ··· 720 689 xsk_wakeup(xs, pool->cached_need_wakeup); 721 690 else 722 691 /* Poll needs to drive Tx also in copy mode */ 723 - __xsk_sendmsg(sk); 692 + xsk_xmit(sk); 724 693 } 725 694 726 695 if (xs->rx && !xskq_prod_is_empty(xs->rx)) ··· 728 697 if (xs->tx && xsk_tx_writeable(xs)) 729 698 mask |= EPOLLOUT | EPOLLWRNORM; 730 699 700 + rcu_read_unlock(); 731 701 return mask; 732 702 } 733 703 ··· 760 728 761 729 /* Wait for driver to stop using the xdp socket. */ 762 730 xp_del_xsk(xs->pool, xs); 763 - xs->dev = NULL; 764 731 synchronize_net(); 765 732 dev_put(dev); 766 733 }