WARNING: CPU: 0 PID: 6558 at net/core/sock_map.c:1703 sock_map_close+0x3c4/0x480
Modules linked in:
CPU: 0 UID: 0 PID: 6558 Comm: syz-executor.14 Not tainted 6.14.0-rc5+ #238
RIP: 0010:sock_map_close+0x3c4/0x480
Call Trace:
 <TASK>
 inet_release+0x144/0x280
 __sock_release+0xb8/0x270
 sock_close+0x1e/0x30
 __fput+0x3c6/0xb30
 __fput_sync+0x7b/0x90
 __x64_sys_close+0x90/0x120
 do_syscall_64+0x5d/0x170
 entry_SYSCALL_64_after_hwframe+0x76/0x7e

The root cause is:
sock_hash_update_common
  sock_map_unref
    sock_map_del_link
      psock->psock_update_sk_prot(sk, psock, false); //false won't restore proto
    sk_psock_put
      rcu_assign_sk_user_data(sk, NULL);
inet_release
  sk->sk_prot->close
    sock_map_close
      WARN(sk->sk_prot->close == sock_map_close)

When psock is removed from sockmap, sock_map_del_link() still sets
sk->sk_prot to the bpf proto instead of restoring it (because of the
incorrect restore value). Sock release will trigger the warning in
sock_map_close() for recursion after psock drop.

Set restore param of psock_update_sk_prot to true to fix the problem.

Fixes: c0d95d3380ee ("bpf, sockmap: Re-evaluate proto ops when psock is removed from sockmap")
Signed-off-by: Dong Chenchen <dongchenchen2@xxxxxxxxxx>
--- net/core/sock_map.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/core/sock_map.c b/net/core/sock_map.c index 82a14f131d00..10bc185ef103 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -171,7 +171,7 @@ static void sock_map_del_link(struct sock *sk, sk_psock_stop_verdict(sk, psock); if (psock->psock_update_sk_prot) - psock->psock_update_sk_prot(sk, psock, false); + psock->psock_update_sk_prot(sk, psock, true); write_unlock_bh(&sk->sk_callback_lock); } }  -- 2.25.1
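
Review bot: the restore argument in sock_map_del_link() is now true on every link removal, but the commit message only justifies it for the path where the psock is dropped immediately afterwards (sk_psock_put -> rcu_assign_sk_user_data(sk, NULL)). The Fixes: commit is titled "Re-evaluate proto ops when psock is removed from sockmap", which suggests false was passed on purpose so that the proto ops are recomputed rather than reset. Please state in the message why an unconditional restore is also correct when the psock outlives this call, for example when the sock is still linked in another map, or make the restore conditional on the psock actually going away. The phrase "for incorrect restore value" does not explain this. A short comment next to the call, "psock->psock_update_sk_prot(sk, psock, true);", saying why the original proto is restored here would keep the next reader from flipping the flag back, and a note on how the syz-executor warning was reproduced and retested would help reviewers confirm the fix.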