Jakub Sitnicki wrote: > syzkaller started using corpuses where a BPF tracing program deletes > elements from a sockmap/sockhash map. Because BPF tracing programs can be > invoked from any interrupt context, locks taken during a map_delete_elem > operation must be hardirq-safe. Otherwise a deadlock due to lock inversion > is possible, as reported by lockdep: > > CPU0 CPU1 > ---- ---- > lock(&htab->buckets[i].lock); > local_irq_disable(); > lock(&host->lock); > lock(&htab->buckets[i].lock); > <Interrupt> > lock(&host->lock); > > Locks in sockmap are hardirq-unsafe by design. We expects elements to be > deleted from sockmap/sockhash only in task (normal) context with interrupts > enabled, or in softirq context. > > Detect when map_delete_elem operation is invoked from a context which is > _not_ hardirq-unsafe, that is interrupts are disabled, and bail out with an > error. > > Note that map updates are not affected by this issue. BPF verifier does not > allow updating sockmap/sockhash from a BPF tracing program today. > > Reported-by: xingwei lee <xrivendell7@xxxxxxxxx> > Reported-by: yue sun <samsun1006219@xxxxxxxxx> > Reported-by: syzbot+bc922f476bd65abbd466@xxxxxxxxxxxxxxxxxxxxxxxxx > Reported-and-tested-by: syzbot+d4066896495db380182e@xxxxxxxxxxxxxxxxxxxxxxxxx > Closes: https://syzkaller.appspot.com/bug?extid=d4066896495db380182e > Closes: https://syzkaller.appspot.com/bug?extid=bc922f476bd65abbd466 > Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") > Signed-off-by: Jakub Sitnicki <jakub@xxxxxxxxxxxxxx> > --- > Cc: John Fastabend <john.fastabend@xxxxxxxxx> > Cc: Edward Adam Davis <eadavis@xxxxxx> > Cc: Shung-Hsi Yu <shung-hsi.yu@xxxxxxxx> > --- > net/core/sock_map.c | 6 ++++++ > 1 file changed, 6 insertions(+) Agree. Acked-by: John Fastabend <john.fastabend@xxxxxxxxx>
