In '4da6a196f93b1' we fixed a potential unhash loop caused when a TLS socket in a sockmap was removed from the sockmap. This happened because the unhash operation on the TLS ctx continued to point at the sockmap implementation of unhash even though the psock has already been removed. The sockmap unhash handler when a psock is removed does the following, void sock_map_unhash(struct sock *sk) { void (*saved_unhash)(struct sock *sk); struct sk_psock *psock; rcu_read_lock(); psock = sk_psock(sk); if (unlikely(!psock)) { rcu_read_unlock(); if (sk->sk_prot->unhash) sk->sk_prot->unhash(sk); return; } [...] } The unlikely() case is there to handle the case where psock is detached but the proto ops have not been updated yet. But, in the above case with TLS and removed psock we never fixed sk_prot->unhash() and unhash() points back to sock_map_unhash resulting in a loop. To fix this we added this bit of code, static inline void sk_psock_restore_proto(struct sock *sk, struct sk_psock *psock) { sk->sk_prot->unhash = psock->saved_unhash; This will set the sk_prot->unhash back to its saved value. This is the correct callback for a TLS socket that has been removed from the sock_map. Unfortunately, this also overwrites the unhash pointer for all psocks. We effectively break sockmap unhash handling for any future socks. Omitting the unhash operation will leave stale entries in the map if a socket transition through unhash, but does not do close() op. To fix handle similar to write_space and rewrite it in the TLS update hook. This way the TLS enabled socket will point to the saved unhash() handler. Fixes: 4da6a196f93b1 ("bpf: Sockmap/tls, during free we may call tcp_bpf_unhash() in loop") Reported-by: Cong Wang <xiyou.wangcong@xxxxxxxxx> Reported-by: Lorenz Bauer <lmb@xxxxxxxxxxxxxx> Signed-off-by: John Fastabend <john.fastabend@xxxxxxxxx> --- include/linux/skmsg.h | 1 - net/tls/tls_main.c | 6 ++++++ 2 files changed, 6 insertions(+), 1 deletion(-) diff --git a/include/linux/skmsg.h b/include/linux/skmsg.h index 8edbbf5f2f93..f6009fe9c9ac 100644 --- a/include/linux/skmsg.h +++ b/include/linux/skmsg.h @@ -349,7 +349,6 @@ static inline void sk_psock_update_proto(struct sock *sk, static inline void sk_psock_restore_proto(struct sock *sk, struct sk_psock *psock) { - sk->sk_prot->unhash = psock->saved_unhash; if (inet_csk_has_ulp(sk)) { tcp_update_ulp(sk, psock->sk_proto, psock->saved_write_space); } else { diff --git a/net/tls/tls_main.c b/net/tls/tls_main.c index 47b7c5334c34..ecb5634b4c4a 100644 --- a/net/tls/tls_main.c +++ b/net/tls/tls_main.c @@ -754,6 +754,12 @@ static void tls_update(struct sock *sk, struct proto *p, ctx = tls_get_ctx(sk); if (likely(ctx)) { + /* TLS does not have an unhash proto in SW cases, but we need + * to ensure we stop using the sock_map unhash routine because + * the associated psock is being removed. So use the original + * unhash handler. + */ + WRITE_ONCE(sk->sk_prot->unhash, p->unhash); ctx->sk_write_space = write_space; ctx->sk_proto = p; } else {