This patch set addresses the syzbot report in [1]. Patch #1 has been suggested
by Eric [2]. I extended it to cover the rest of sock_map proto callbacks.
Otherwise we would still overflow the stack. Patch #2 contains the actual fix
and bug analysis. Patches #3 & #4 add coverage to selftests to trigger the bug.

[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@xxxxxxxxxx/
[2] https://lore.kernel.org/all/CANn89iK2UN1FmdUcH12fv_xiZkv2G+Nskvmq7fG6aA_6VKRf6g@xxxxxxxxxxxxxx/

---
v1 -> v2:
v1: https://lore.kernel.org/r/20230113-sockmap-fix-v1-0-d3cad092ee10@xxxxxxxxxxxxxx
[v1 didn't hit bpf@ ML by mistake]
* pull in Eric's patch to protect against recursion loop bugs (Eric)
* add a macro helper to check if pointer is inside a memory range (Eric)

---
Jakub Sitnicki (4):
      bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself
      bpf, sockmap: Check for any of tcp_bpf_prots when cloning a listener
      selftests/bpf: Pass BPF skeleton to sockmap_listen ops tests
      selftests/bpf: Cover listener cloning with progs attached to sockmap

 include/linux/util_macros.h                   | 12 ++++
 net/core/sock_map.c                           | 61 ++++++++--------
 net/ipv4/tcp_bpf.c                            |  4 +-
 .../selftests/bpf/prog_tests/sockmap_listen.c | 81 +++++++++++++++++-----
 4 files changed, 111 insertions(+), 47 deletions(-)