mirror of
https://git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git
synced 2025-01-08 14:23:19 +00:00
585f5a6252
The current code in sock_map_ctx_update_elem() allows for BPF_EXIST
and BPF_NOEXIST map update flags. While on array-like maps this approach
is rather uncommon, e.g. bpf_fd_array_map_update_elem() and others
enforce map update flags to be BPF_ANY such that xchg() can be used
directly, the current implementation in sock map does not guarantee
that such operation with BPF_EXIST / BPF_NOEXIST is atomic.
The initial test does a READ_ONCE(stab->sock_map[i]) to fetch the
socket from the slot which is then tested for NULL / non-NULL. However
later after __sock_map_ctx_update_elem(), the actual update is done
through osock = xchg(&stab->sock_map[i], sock). Problem is that in
the meantime a different CPU could have updated / deleted a socket
on that specific slot and thus flag contraints won't hold anymore.
I've been thinking whether best would be to just break UAPI and do
an enforcement of BPF_ANY to check if someone actually complains,
however trouble is that already in BPF kselftest we use BPF_NOEXIST
for the map update, and therefore it might have been copied into
applications already. The fix to keep the current behavior intact
would be to add a map lock similar to the sock hash bucket lock only
for covering the whole map.
Fixes:
|
||
|---|---|---|
| .. | ||
| arraymap.c | ||
| bpf_lru_list.c | ||
| bpf_lru_list.h | ||
| btf.c | ||
| cgroup.c | ||
| core.c | ||
| cpumap.c | ||
| devmap.c | ||
| disasm.c | ||
| disasm.h | ||
| hashtab.c | ||
| helpers.c | ||
| inode.c | ||
| local_storage.c | ||
| lpm_trie.c | ||
| Makefile | ||
| map_in_map.c | ||
| map_in_map.h | ||
| offload.c | ||
| percpu_freelist.c | ||
| percpu_freelist.h | ||
| reuseport_array.c | ||
| sockmap.c | ||
| stackmap.c | ||
| syscall.c | ||
| tnum.c | ||
| verifier.c | ||
| xskmap.c | ||