summaryrefslogtreecommitdiffstats
path: root/kernel/bpf
diff options
context:
space:
mode:
authorToke Høiland-Jørgensen <toke@redhat.com>2019-09-08 09:20:16 +0100
committerDaniel Borkmann <daniel@iogearbox.net>2019-09-16 10:19:51 +0200
commitaf58e7ee6a8d83726ad8a2696e98d86400a7639c (patch)
treef2f1158df0620009367550df13f9b050b39dd46f /kernel/bpf
parenta4fa6e169007d85c2d71ee994aad5a85d966a9d0 (diff)
downloadlinux-stable-af58e7ee6a8d83726ad8a2696e98d86400a7639c.tar.gz
linux-stable-af58e7ee6a8d83726ad8a2696e98d86400a7639c.tar.bz2
linux-stable-af58e7ee6a8d83726ad8a2696e98d86400a7639c.zip
xdp: Fix race in dev_map_hash_update_elem() when replacing element
syzbot found a crash in dev_map_hash_update_elem(), when replacing an element with a new one. Jesper correctly identified the cause of the crash as a race condition between the initial lookup in the map (which is done before taking the lock), and the removal of the old element. Rather than just add a second lookup into the hashmap after taking the lock, fix this by reworking the function logic to take the lock before the initial lookup. Fixes: 6f9d451ab1a3 ("xdp: Add devmap_hash map type for looking up devices by hashed index") Reported-and-tested-by: syzbot+4e7a85b1432052e8d6f8@syzkaller.appspotmail.com Signed-off-by: Toke Høiland-Jørgensen <toke@redhat.com> Acked-by: Jesper Dangaard Brouer <brouer@redhat.com> Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Diffstat (limited to 'kernel/bpf')
-rw-r--r--kernel/bpf/devmap.c17
1 files changed, 12 insertions, 5 deletions
diff --git a/kernel/bpf/devmap.c b/kernel/bpf/devmap.c
index 9af048a932b5..d27f3b60ff6d 100644
--- a/kernel/bpf/devmap.c
+++ b/kernel/bpf/devmap.c
@@ -650,19 +650,22 @@ static int __dev_map_hash_update_elem(struct net *net, struct bpf_map *map,
u32 ifindex = *(u32 *)value;
u32 idx = *(u32 *)key;
unsigned long flags;
+ int err = -EEXIST;
if (unlikely(map_flags > BPF_EXIST || !ifindex))
return -EINVAL;
+ spin_lock_irqsave(&dtab->index_lock, flags);
+
old_dev = __dev_map_hash_lookup_elem(map, idx);
if (old_dev && (map_flags & BPF_NOEXIST))
- return -EEXIST;
+ goto out_err;
dev = __dev_map_alloc_node(net, dtab, ifindex, idx);
- if (IS_ERR(dev))
- return PTR_ERR(dev);
-
- spin_lock_irqsave(&dtab->index_lock, flags);
+ if (IS_ERR(dev)) {
+ err = PTR_ERR(dev);
+ goto out_err;
+ }
if (old_dev) {
hlist_del_rcu(&old_dev->index_hlist);
@@ -683,6 +686,10 @@ static int __dev_map_hash_update_elem(struct net *net, struct bpf_map *map,
call_rcu(&old_dev->rcu, __dev_map_entry_free);
return 0;
+
+out_err:
+ spin_unlock_irqrestore(&dtab->index_lock, flags);
+ return err;
}
static int dev_map_hash_update_elem(struct bpf_map *map, void *key, void *value,