Hello:

This patch was applied to bpf/bpf.git (master)
by Daniel Borkmann <daniel@xxxxxxxxxxxxx>:

On Fri, 1 Sep 2023 13:21:37 -0700 you wrote:
> There is a race where skb's from the sk_psock_backlog can be referenced
> after userspace side has already skb_consumed() the sk_buff and its
> refcnt dropped to zero causing use after free.
>
> The flow is the following,
>
> while ((skb = skb_peek(&psock->ingress_skb))
>   sk_psock_handle_skb(psock, skb, ..., ingress)
>     if (!ingress) ...
>     sk_psock_skb_ingress
>       sk_psock_skb_ingress_enqueue(skb)
>         msg->skb = skb
>         sk_psock_queue_msg(psock, msg)
>   skb_dequeue(&psock->ingress_skb)
>
> [...]

Here is the summary with links:
  - [bpf] bpf: sockmap, fix skb refcnt race after locking changes
    https://git.kernel.org/bpf/bpf/c/a454d84ee20b

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
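The window in the quoted flow is that the skb is published to the msg queue (msg->skb = skb; sk_psock_queue_msg) while it is still the head of psock->ingress_skb, and the ingress_skb side only gives it up with skb_dequeue() afterwards. If the userspace reader consumes the msg in between, the single reference drops to zero and ingress_skb still holds a dangling pointer. The following is an added user-space model of that ordering, not kernel code and not the change made in commit a454d84ee20b (the quoted message is cut off before the fix, so which remedy the patch chose is not stated here). The queue, the refcount, the consume_skb()/skb_get() stand-ins, the "freed" flag used in place of a real kfree, and the fixed worker/reader interleaving are all constructed for illustration. It contrasts the racy peek-publish-dequeue order with two generic ways of closing the window: transferring ownership by dequeuing before publishing, or taking a second reference for the msg so each queue owns one.

```c
/* Constructed model of the sockmap refcnt window. Not kernel code and not the
 * fix from a454d84ee20b; names mirror the quoted flow for readability only. */
#include <stddef.h>
#include <stdlib.h>

struct skb {
    int refcnt;
    int freed;   /* set when refcnt hits zero, instead of free(), so it can be inspected */
};

struct node { struct skb *skb; struct node *next; };
struct queue { struct node *head, *tail; };

static void q_push(struct queue *q, struct skb *s)
{
    struct node *n = calloc(1, sizeof(*n));
    n->skb = s;
    if (q->tail) q->tail->next = n; else q->head = n;
    q->tail = n;
}

static struct skb *q_peek(struct queue *q) { return q->head ? q->head->skb : NULL; }

static struct skb *q_pop(struct queue *q)
{
    struct node *n = q->head;
    if (!n) return NULL;
    q->head = n->next;
    if (!q->head) q->tail = NULL;
    struct skb *s = n->skb;
    free(n);
    return s;
}

/* Stand-ins for skb_get() / consume_skb(): plain counters, no RCU, no locks. */
static struct skb *skb_get(struct skb *s) { s->refcnt++; return s; }
static void consume_skb(struct skb *s) { if (--s->refcnt == 0) s->freed = 1; }

enum handoff {
    PEEK_THEN_DEQUEUE,  /* the order in the quoted flow: peek, publish, dequeue */
    DEQUEUE_FIRST,      /* hand ownership to the msg before publishing it */
    HOLD_REF            /* keep ingress_skb's ref, give the msg its own */
};

/* Runs one worker/reader interleaving where the reader consumes the msg in
 * the window between publish and dequeue. Returns 1 if the worker ends up
 * handling an skb whose refcount already reached zero. */
int simulate(enum handoff mode)
{
    struct queue ingress_skb = {0}, ingress_msg = {0};
    struct skb *s = calloc(1, sizeof(*s));
    s->refcnt = 1;                          /* the one reference, owned by ingress_skb */
    q_push(&ingress_skb, s);

    /* worker (sk_psock_backlog-like): take the head and publish it as a msg */
    struct skb *cur = (mode == DEQUEUE_FIRST) ? q_pop(&ingress_skb)
                                              : q_peek(&ingress_skb);
    if (mode == HOLD_REF)
        skb_get(cur);                       /* msg gets a reference of its own */
    q_push(&ingress_msg, cur);              /* msg->skb = skb; sk_psock_queue_msg */

    /* reader (userspace recvmsg) runs now, before the worker's skb_dequeue */
    struct skb *m = q_pop(&ingress_msg);
    consume_skb(m);

    /* worker resumes and drops what ingress_skb still holds */
    int uaf = 0;
    if (mode != DEQUEUE_FIRST) {
        struct skb *left = q_pop(&ingress_skb);
        if (left->freed)
            uaf = 1;                        /* refcnt was already zero: use after free */
        else
            consume_skb(left);              /* release ingress_skb's own reference */
    }
    free(s);
    return uaf;
}
```

Only the PEEK_THEN_DEQUEUE order reports a hit: the skb sits in two queues with one reference, so whichever side releases second touches freed memory. Both alternatives keep the number of references equal to the number of queues holding the pointer, which is the invariant to check in any review of this path.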