Commit af58e7ee authored by Toke Høiland-Jørgensen's avatar Toke Høiland-Jørgensen Committed by Daniel Borkmann

xdp: Fix race in dev_map_hash_update_elem() when replacing element

syzbot found a crash in dev_map_hash_update_elem(), when replacing an
element with a new one. Jesper correctly identified the cause of the crash
as a race condition between the initial lookup in the map (which is done
before taking the lock), and the removal of the old element.

Rather than just add a second lookup into the hashmap after taking the
lock, fix this by reworking the function logic to take the lock before the
initial lookup.

Fixes: 6f9d451a ("xdp: Add devmap_hash map type for looking up devices by hashed index")
Reported-and-tested-by: syzbot+4e7a85b1432052e8d6f8@syzkaller.appspotmail.com
Signed-off-by: default avatarToke Høiland-Jørgensen <toke@redhat.com>
Acked-by: default avatarJesper Dangaard Brouer <brouer@redhat.com>
Signed-off-by: default avatarDaniel Borkmann <daniel@iogearbox.net>
parent a4fa6e16
...@@ -650,19 +650,22 @@ static int __dev_map_hash_update_elem(struct net *net, struct bpf_map *map, ...@@ -650,19 +650,22 @@ static int __dev_map_hash_update_elem(struct net *net, struct bpf_map *map,
u32 ifindex = *(u32 *)value; u32 ifindex = *(u32 *)value;
u32 idx = *(u32 *)key; u32 idx = *(u32 *)key;
unsigned long flags; unsigned long flags;
int err = -EEXIST;
if (unlikely(map_flags > BPF_EXIST || !ifindex)) if (unlikely(map_flags > BPF_EXIST || !ifindex))
return -EINVAL; return -EINVAL;
spin_lock_irqsave(&dtab->index_lock, flags);
old_dev = __dev_map_hash_lookup_elem(map, idx); old_dev = __dev_map_hash_lookup_elem(map, idx);
if (old_dev && (map_flags & BPF_NOEXIST)) if (old_dev && (map_flags & BPF_NOEXIST))
return -EEXIST; goto out_err;
dev = __dev_map_alloc_node(net, dtab, ifindex, idx); dev = __dev_map_alloc_node(net, dtab, ifindex, idx);
if (IS_ERR(dev)) if (IS_ERR(dev)) {
return PTR_ERR(dev); err = PTR_ERR(dev);
goto out_err;
spin_lock_irqsave(&dtab->index_lock, flags); }
if (old_dev) { if (old_dev) {
hlist_del_rcu(&old_dev->index_hlist); hlist_del_rcu(&old_dev->index_hlist);
...@@ -683,6 +686,10 @@ static int __dev_map_hash_update_elem(struct net *net, struct bpf_map *map, ...@@ -683,6 +686,10 @@ static int __dev_map_hash_update_elem(struct net *net, struct bpf_map *map,
call_rcu(&old_dev->rcu, __dev_map_entry_free); call_rcu(&old_dev->rcu, __dev_map_entry_free);
return 0; return 0;
out_err:
spin_unlock_irqrestore(&dtab->index_lock, flags);
return err;
} }
static int dev_map_hash_update_elem(struct bpf_map *map, void *key, void *value, static int dev_map_hash_update_elem(struct bpf_map *map, void *key, void *value,
......
Markdown is supported
0%
or
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment