From: Alexei Starovoitov
Date: Wed, 13 Mar 2019 19:04:35 +0000 (-0700)
Subject: Merge branch 'fix-fullsock-access-after-bpf_sk_release'
X-Git-Tag: v5.1-rc3~35^2~64^2~4
X-Git-Url: https://www.infradead.org/git/?a=commitdiff_plain;h=f48a920504e516bded420255946f8e1cb8a0944a;p=nvme.git

Merge branch 'fix-fullsock-access-after-bpf_sk_release'

Martin KaFai Lau says:

====================
This set addresses an issue about accessing an invalid ptr returned from
bpf_tcp_sock() and bpf_sk_fullsock() after bpf_sk_release().

v4:
- Tried the one "id" approach. It does not work well and the reason is
  in the Patch 1 commit message.
- Rename refcount_id to ref_obj_id.
- With ref_obj_id, resetting reg->id to 0 is fine in
  mark_ptr_or_null_reg() because ref_obj_id is passed to
  release_reference() instead of reg->id.
- Also reset reg->ref_obj_id in mark_ptr_or_null_reg() when
  is_null == true
- sk_to_full_sk() is removed from bpf_sk_fullsock() and bpf_tcp_sock().
- bpf_get_listener_sock() is added to do sk_to_full_sk() in Patch 2.
- If tp is from bpf_tcp_sock(sk) and sk is a refcounted ptr,
  bpf_sk_release(tp) is also allowed.

v3:
- reset reg->refcount_id for the is_null case in mark_ptr_or_null_reg()

v2:
- Remove refcount_id arg from release_reference() because
  id == refcount_id
- Add a WARN_ON_ONCE to mark_ptr_or_null_regs() to catch an internal
  verifier bug.
====================

Signed-off-by: Alexei Starovoitov
---
f48a920504e516bded420255946f8e1cb8a0944a
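The bookkeeping the cover letter describes (a pointer derived from a refcounted socket carries the same ref_obj_id, and releasing that reference invalidates every pointer that carries it) can be illustrated with a small, hypothetical Python model. This is an added example, not the kernel verifier's code; the register names, the `kind` strings and the method names are assumptions made for the illustration.

```python
from dataclasses import dataclass

@dataclass
class Reg:
    kind: str = "scalar"      # scalar | sock_or_null | sock | tcp_sock
    id: int = 0               # id used to propagate a NULL check
    ref_obj_id: int = 0       # acquired reference this pointer belongs to

class VerifierError(Exception): pass

class State:
    """Toy model of per-register reference tracking (not the real verifier)."""
    def __init__(self):
        self.regs = {}        # register name -> Reg
        self.refs = set()     # outstanding acquired references
        self.next_id = 0

    def acquire_sock(self, dst):          # e.g. result of a socket lookup helper
        self.next_id += 1
        self.refs.add(self.next_id)
        self.regs[dst] = Reg("sock_or_null", self.next_id, self.next_id)

    def null_check(self, name, is_null):  # models mark_ptr_or_null_reg()
        r = self.regs[name]
        if is_null:                       # NULL branch: ref_obj_id is reset too
            self.regs[name] = Reg("scalar")
        else:                             # id -> 0 is fine, ref_obj_id is kept
            self.regs[name] = Reg("sock", 0, r.ref_obj_id)

    def derive(self, dst, src, kind):     # models bpf_tcp_sock()/bpf_sk_fullsock()
        s = self.regs[src]
        if s.kind != "sock":
            raise VerifierError(f"{src} is not a sock pointer")
        self.regs[dst] = Reg(kind, 0, s.ref_obj_id)  # inherits the reference

    def release(self, name):              # models bpf_sk_release(sk) or (tp)
        ref = self.regs[name].ref_obj_id
        if ref not in self.refs:
            raise VerifierError(f"{name} holds no reference")
        self.refs.discard(ref)
        for n in list(self.regs):         # every pointer on that ref is dead now
            if self.regs[n].ref_obj_id == ref:
                self.regs[n] = Reg("scalar")

    def load(self, name):                 # a field read through the pointer
        if self.regs[name].kind not in ("sock", "tcp_sock"):
            raise VerifierError(f"invalid pointer access via {name}")
        return self.regs[name].kind
```

Running the sequence sk = lookup; tp = bpf_tcp_sock(sk); bpf_sk_release(sk); read tp makes the final read fail, which is the access pattern the series makes the verifier reject.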