From: HarinadhD
To: stable@vger.kernel.org, gregkh@linuxfoundation.org
Cc: john.fastabend@gmail.com, daniel@iogearbox.net, jakub@cloudflare.com, lmb@cloudflare.com, davem@davemloft.net, kuba@kernel.org, ast@kernel.org, andrii@kernel.org, kafai@fb.com, songliubraving@fb.com, yhs@fb.com, kpsingh@kernel.org, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, ajay.kaher@broadcom.com, alexey.makhalov@broadcom.com, vamsi-krishna.brahmajosyula@broadcom.com, yin.ding@broadcom.com, tapas.kundu@broadcom.com, Eric Dumazet, Sasha Levin, Harinadh Dommaraju
Subject: [PATCH v2 v5.10.y] bpf, sockmap: Don't let sock_map_{close,destroy,unhash} call itself
Date: Fri, 9 Jan 2026 10:20:11 +0000
Message-ID: <20260109102011.3904861-1-harinadh.dommaraju@broadcom.com>

From: Jakub Sitnicki

[ Upstream commit 5b4a79ba65a1ab479903fff2e604865d229b70a9 ]

sock_map proto callbacks should never call themselves by design. Protect
against bugs like [1] and break out of the recursive loop to avoid a stack
overflow in favor of a resource leak.

[1] https://lore.kernel.org/all/00000000000073b14905ef2e7401@google.com/

Suggested-by: Eric Dumazet
Signed-off-by: Jakub Sitnicki
Acked-by: John Fastabend
Link: https://lore.kernel.org/r/20230113-sockmap-fix-v2-1-1e0ee7ac2f90@cloudflare.com
Signed-off-by: Alexei Starovoitov
Signed-off-by: Sasha Levin
[Harinadh: Modified to apply on v5.10.y ]
Signed-off-by: Harinadh Dommaraju
--- net/core/sock_map.c | 53 +++++++++++++++++++++++++-------------------- 1 file changed, 30 insertions(+), 23 deletions(-) diff --git a/net/core/sock_map.c b/net/core/sock_map.c index 3a9e0046a780..438bbef5ff75 100644 --- a/net/core/sock_map.c 
+++ b/net/core/sock_map.c @@ -1558,15 +1558,16 @@ void sock_map_unhash(struct sock *sk) psock =3D sk_psock(sk); if (unlikely(!psock)) { rcu_read_unlock(); - if (sk->sk_prot->unhash) - sk->sk_prot->unhash(sk); - return; + saved_unhash =3D READ_ONCE(sk->sk_prot)->unhash; + } else { + saved_unhash =3D psock->saved_unhash; + sock_map_remove_links(sk, psock); + rcu_read_unlock(); } - - saved_unhash =3D psock->saved_unhash; - sock_map_remove_links(sk, psock); - rcu_read_unlock(); - saved_unhash(sk); + if (WARN_ON_ONCE(saved_unhash =3D=3D sock_map_unhash)) + return; + if (saved_unhash) + saved_unhash(sk); } =20 void sock_map_destroy(struct sock *sk) @@ -1578,16 +1579,17 @@ void sock_map_destroy(struct sock *sk) psock =3D sk_psock_get(sk); if (unlikely(!psock)) { rcu_read_unlock(); - if (sk->sk_prot->destroy) - sk->sk_prot->destroy(sk); - return; + saved_destroy =3D READ_ONCE(sk->sk_prot)->destroy; + } else { + saved_destroy =3D psock->saved_destroy; + sock_map_remove_links(sk, psock); + rcu_read_unlock(); + sk_psock_put(sk, psock); } - - saved_destroy =3D psock->saved_destroy; - sock_map_remove_links(sk, psock); - rcu_read_unlock(); - sk_psock_put(sk, psock); - saved_destroy(sk); + if (WARN_ON_ONCE(saved_destroy =3D=3D sock_map_destroy)) + return; + if (saved_destroy) + saved_destroy(sk); } EXPORT_SYMBOL_GPL(sock_map_destroy); =20 
@@ -1602,13 +1604,18 @@ void sock_map_close(struct sock *sk, long timeout) if (unlikely(!psock)) { rcu_read_unlock(); release_sock(sk); - return sk->sk_prot->close(sk, timeout); + saved_close =3D READ_ONCE(sk->sk_prot)->close; + } else { + saved_close =3D psock->saved_close; + sock_map_remove_links(sk, psock); + rcu_read_unlock(); + release_sock(sk); } - - saved_close =3D psock->saved_close; - sock_map_remove_links(sk, psock); - rcu_read_unlock(); - release_sock(sk); + /* Make sure we do not recurse. This is a bug. + * Leak the socket instead of crashing on a stack overflow. + */ + if (WARN_ON_ONCE(saved_close =3D=3D sock_map_close)) + return; saved_close(sk, timeout); } =20 --=20 2.43.7
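
Review bot: In sock_map_unhash(), the psock path used to call psock->saved_unhash(sk) unconditionally and now goes through the new "if (saved_unhash)" test, so a NULL saved_unhash is skipped quietly where the old code would have dereferenced it. The commit message only talks about the recursion guard; please mention the added NULL handling there, or add a comment saying when saved_unhash can legitimately be NULL on this path.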
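
Review bot: In sock_map_destroy(), the "if (WARN_ON_ONCE(saved_destroy == sock_map_destroy)) return;" guard carries no comment, while the matching check in sock_map_close() explains that the socket is leaked on purpose. On the psock path sock_map_remove_links() and sk_psock_put() have already run by the time the guard is evaluated, so only the saved destroy callback is skipped; a short comment stating that would help whoever has to triage the warning. Because WARN_ON_ONCE reports only the first hit, later recursions on other sockets return without any log line, which is worth noting in the same comment.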
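
Review bot: In sock_map_close(), saved_close(sk, timeout) is still called without a NULL test, whereas sock_map_unhash() and sock_map_destroy() in this same patch now check the saved pointer before calling it. If a close callback is always present, a one-line comment next to the call would make the asymmetry clearly intentional; otherwise add the same "if (saved_close)" test used in the other two functions.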