From: John Fastabend <john.fastabend@gmail.com>
Date: Fri, 19 Jul 2019 17:29:20 +0000 (-0700)
Subject: bpf: sockmap, synchronize_rcu before free'ing map
X-Git-Tag: v5.2.11~143
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=47032e94979e01100de1ba846c40d5adf2a30ab4;p=users%2Fdwmw2%2Flinux.git

bpf: sockmap, synchronize_rcu before free'ing map

[ Upstream commit 2bb90e5cc90e1d09f631aeab041a9cf913a5bbe5 ]

We need to have a synchronize_rcu before free'ing the sockmap because
any outstanding psock references will have a pointer to the map and
when they use this could trigger a use after free.

Fixes: 604326b41a6fb ("bpf, sockmap: convert to generic sk_msg interface")
Signed-off-by: John Fastabend <john.fastabend@gmail.com>
Signed-off-by: Daniel Borkmann <daniel@iogearbox.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---

diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 1d40e040320d2..bbc91597d8364 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -252,6 +252,8 @@ static void sock_map_free(struct bpf_map *map)
 	raw_spin_unlock_bh(&stab->lock);
 	rcu_read_unlock();
 
+	synchronize_rcu();
+
 	bpf_map_area_free(stab->sks);
 	kfree(stab);
 }