From: HarinadhD
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: john.fastabend@gmail.com, daniel@iogearbox.net, jakub@cloudflare.com, lmb@cloudflare.com, davem@davemloft.net, kuba@kernel.org, ast@kernel.org, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, kpsingh@kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Eric Dumazet, Sasha Levin, HarinadhD
Subject: [PATCH v5.10.y] bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself
Date: Fri, 12 Dec 2025 03:54:58 +0000
Message-ID: <20251212035458.1794979-1-harinadh.dommaraju@broadcom.com>
X-Mailer: git-send-email 2.43.7
X-Mailing-List: linux-kernel@vger.kernel.org
Content-Transfer-Encoding: quoted-printable

From: Jakub Sitnicki

[ Upstream commit 5b4a79ba65a1ab479903fff2e604865d229b70a9 ]

sock_map proto callbacks should never call themselves by design. Protect
against bugs like [1] and break out of the recursive loop to avoid a stack
overflow in favor of a resource leak.

[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/

Suggested-by: Eric Dumazet
Signed-off-by: Jakub Sitnicki
Acked-by: John Fastabend
Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-1-1e0ee7ac2f90@cloudflare.com
Signed-off-by: Alexei Starovoitov
Signed-off-by: Sasha Levin
[ Harinadh: Modified to apply on v5.10.y ]
Signed-off-by: HarinadhD
---
 net/core/sock_map.c | 53 +++++++++++++++++++++++++--------------------
 1 file changed, 30 insertions(+), 23 deletions(-)

diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 3a9e0046a780..438bbef5ff75 100644
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -1558,15 +1558,16 @@ void sock_map_unhash(struct sock *sk) psock =3D sk_psock(sk); if (unlikely(!psock)) { rcu_read_unlock(); - if (sk->sk_prot->unhash) - sk->sk_prot->unhash(sk); - return; + saved_unhash =3D READ_ONCE(sk->sk_prot)->unhash; + } else { + saved_unhash =3D psock->saved_unhash; + sock_map_remove_links(sk, psock); + rcu_read_unlock(); } - - saved_unhash =3D psock->saved_unhash; - sock_map_remove_links(sk, psock); - rcu_read_unlock(); - saved_unhash(sk); + if (WARN_ON_ONCE(saved_unhash =3D=3D sock_map_unhash)) + return; + if (saved_unhash) + saved_unhash(sk); } =20 void sock_map_destroy(struct sock *sk) @@ -1578,16 +1579,17 @@ void sock_map_destroy(struct sock *sk) psock =3D sk_psock_get(sk); if (unlikely(!psock)) { rcu_read_unlock(); - if (sk->sk_prot->destroy) - sk->sk_prot->destroy(sk); - return; + saved_destroy =3D READ_ONCE(sk->sk_prot)->destroy; + } else { + saved_destroy =3D psock->saved_destroy; + sock_map_remove_links(sk, psock); + rcu_read_unlock(); + sk_psock_put(sk, psock); } - - saved_destroy =3D psock->saved_destroy; - sock_map_remove_links(sk, psock); - rcu_read_unlock(); - sk_psock_put(sk, psock); - saved_destroy(sk); + if (WARN_ON_ONCE(saved_destroy =3D=3D sock_map_destroy)) + return; + if (saved_destroy) + saved_destroy(sk); } EXPORT_SYMBOL_GPL(sock_map_destroy); =20 
@@ -1602,13 +1604,18 @@ void sock_map_close(struct sock *sk, long timeout) if (unlikely(!psock)) { rcu_read_unlock(); release_sock(sk); - return sk->sk_prot->close(sk, timeout); + saved_close =3D READ_ONCE(sk->sk_prot)->close; + } else { + saved_close =3D psock->saved_close; + sock_map_remove_links(sk, psock); + rcu_read_unlock(); + release_sock(sk); } - - saved_close =3D psock->saved_close; - sock_map_remove_links(sk, psock); - rcu_read_unlock(); - release_sock(sk); + /* Make sure we do not recurse. This is a bug. + * Leak the socket instead of crashing on a stack overflow. + */ + if (WARN_ON_ONCE(saved_close =3D=3D sock_map_close)) + return; saved_close(sk, timeout); } =20 --=20 2.43.7
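
Review bot: In the sock_map_unhash() hunk, the !psock branch now loads the callback with `saved_unhash = READ_ONCE(sk->sk_prot)->unhash;`, where the removed lines read sk->sk_prot twice with plain loads, but neither the changelog nor a comment says which concurrent update of sk->sk_prot this guards against. A short comment at that line, or a sentence in the commit message, naming the writer would tell a later reader that the single READ_ONCE() load is deliberate and should not be folded back into the old check-then-call form.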
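
Review bot: In the sock_map_destroy() hunk, the new `if (WARN_ON_ONCE(saved_destroy == sock_map_destroy)) return;` skips the protocol's destroy callback entirely, yet unlike the sock_map_close() hunk it carries no comment saying the leak is intentional. Consider repeating the "Leak the socket instead of crashing on a stack overflow" comment here and above the matching check in sock_map_unhash(). It is also worth stating that WARN_ON_ONCE() logs only the first hit, so later sockets taking this early return are leaked without a further log line.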
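
Review bot: At the end of the sock_map_close() hunk, `saved_close(sk, timeout);` is called with no NULL check, while the other two hunks guard their calls with `if (saved_unhash)` and `if (saved_destroy)`. If close is guaranteed to be set for every proto that can reach this function, say so in the comment above the WARN_ON_ONCE(); otherwise add the same guard so the three callbacks are handled consistently.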