From: Sechang Lim
To: Eric Dumazet, Neal Cardwell, "David S . Miller", Jakub Kicinski, Paolo Abeni
Cc: Kuniyuki Iwashima, Simon Horman, Lawrence Brakmo, Alexei Starovoitov, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Subject: [PATCH net] tcp: clear sock_ops cb flags before force-closing a child socket
Date: Fri, 5 Jun 2026 09:49:46 +0000
Message-ID: <20260605094954.1374489-1-rhkrqnwk98@gmail.com>

A child socket inherits the listener's bpf_sock_ops_cb_flags via
sk_clone_lock(). If its setup fails in tcp_v4_syn_recv_sock() /
tcp_v6_syn_recv_sock(), the child is freed through put_and_exit, where
inet_csk_prepare_forced_close() drops the socket lock and tcp_done() runs
without it.

If BPF_SOCK_OPS_STATE_CB_FLAG was inherited, tcp_done() -> tcp_set_state()
calls tcp_call_bpf(), which expects the lock and trips sock_owned_by_me():

  WARNING: include/net/sock.h:1799 at tcp_set_state+0x433/0x550
  RIP: 0010:tcp_set_state+0x433/0x550 include/net/sock.h:1799
  Call Trace:
   tcp_done+0xba/0x250 net/ipv4/tcp.c:5095
   tcp_v4_syn_recv_sock+0x850/0xa50 net/ipv4/tcp_ipv4.c:1787
   tcp_check_req+0xf30/0x1360 net/ipv4/tcp_minisocks.c:926
   tcp_v4_rcv+0x1047/0x1b50 net/ipv4/tcp_ipv4.c:2164

The child is freed before it is ever established, so it should run no
sock_ops callback. Clear its cb flags before the forced close.

Fixes: d44874910a26 ("bpf: Add BPF_SOCK_OPS_STATE_CB")
Signed-off-by: Sechang Lim --- include/net/tcp.h | 7 +++++++ net/ipv4/tcp_ipv4.c | 1 + net/ipv6/tcp_ipv6.c | 1 + 3 files changed, 9 insertions(+) diff --git a/include/net/tcp.h b/include/net/tcp.h index 98848db62894..97eac5fa341c 100644 --- a/include/net/tcp.h +++ b/include/net/tcp.h @@ -2942,6 +2942,11 @@ static inline int tcp_call_bpf_3arg(struct sock *sk,= int op, u32 arg1, u32 arg2, return tcp_call_bpf(sk, op, 3, args); } =20 +static inline void tcp_clear_sock_ops_cb_flags(struct sock *sk) +{ + tcp_sk(sk)->bpf_sock_ops_cb_flags =3D 0; +} + #else static inline int tcp_call_bpf(struct sock *sk, int op, u32 nargs, u32 *ar= gs) { @@ -2959,6 +2964,8 @@ static inline int tcp_call_bpf_3arg(struct sock *sk, = int op, u32 arg1, u32 arg2, return -EPERM; } =20 +static inline void tcp_clear_sock_ops_cb_flags(struct sock *sk) {} + #endif =20 static inline u32 tcp_timeout_init(struct sock *sk) diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index fdc81150ff6c..7748668dba82 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1783,6 +1783,7 @@ struct sock *tcp_v4_syn_recv_sock(const struct sock *= sk, struct sk_buff *skb, return NULL; put_and_exit: newinet->inet_opt =3D NULL; + tcp_clear_sock_ops_cb_flags(newsk); inet_csk_prepare_forced_close(newsk); tcp_done(newsk); goto exit; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 36d75fb50a70..493477b786db 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1531,6 +1531,7 @@ static struct sock *tcp_v6_syn_recv_sock(const struct= sock *sk, struct sk_buff * tcp_listendrop(sk); return NULL; put_and_exit: + tcp_clear_sock_ops_cb_flags(newsk); inet_csk_prepare_forced_close(newsk); tcp_done(newsk); goto exit; --=20 2.43.0
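
Review bot: the new tcp_clear_sock_ops_cb_flags() helper in the first include/net/tcp.h hunk has no comment saying when it is safe to call. It zeroes every bit of bpf_sock_ops_cb_flags, not only BPF_SOCK_OPS_STATE_CB_FLAG, which matches the commit message's "should run no sock_ops callback" but is only correct for a child that was never established. A short comment above the helper stating that it is meant for a cloned child about to be force-closed would keep it from being reused on a live socket.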
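
Review bot: the call added under put_and_exit in tcp_v4_syn_recv_sock() depends on sitting before inet_csk_prepare_forced_close(newsk), but nothing at the call site says so. The commit message explains that the forced close drops the socket lock and tcp_done() then runs without it; a one-line comment above tcp_clear_sock_ops_cb_flags(newsk), noting that the child was never established and must not run sock_ops callbacks from tcp_done(), would stop a later cleanup from reordering or dropping the line.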
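
Review bot: the put_and_exit path in tcp_v6_syn_recv_sock() now repeats the same three calls as the IPv4 one (tcp_clear_sock_ops_cb_flags(), inet_csk_prepare_forced_close(), tcp_done()), so the fix has to be kept in sync in two places. Consider folding that sequence into one shared helper so the two families cannot drift apart. The trace in the commit message comes from the IPv4 path only (tcp_v4_syn_recv_sock, tcp_v4_rcv); it would help to state whether the IPv6 path was reproduced as well or is fixed by analogy.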