[bpf] xsk: fix refcount underflow in error path

Commit Message

Magnus Karlsson Aug. 9, 2023, 2:28 p.m. UTC

From: Magnus Karlsson <magnus.karlsson@intel.com>

Fix a refcount underflow problem reported by syzbot that can happen
when a system is running out of memory. If xp_alloc_tx_descs() fails,
and it can only fail due to not having enough memory, then the error
path is triggered. In this error path, the refcount of the pool is
decremented as it has incremented before. However, the reference to
the pool in the socket was not nulled. This means that when the socket
is closed later, the socket teardown logic will think that there is a
pool attached to the socket and try to decrease the refcount again,
leading to a refcount underflow.

I chose this fix as it involved adding just a single line. Another
option would have been to move xp_get_pool() and the assignment of
xs->pool to after the if-statement and using xs_umem->pool instead of
xs->pool in the whole if-statement resulting in somewhat simpler code,
but this would have led to much more churn in the code base perhaps
making it harder to backport.

Fixes: ba3beec2ec1d ("xsk: Fix possible crash when multiple sockets are created")
Reported-by: syzbot+8ada0057e69293a05fd4@syzkaller.appspotmail.com
Signed-off-by: Magnus Karlsson <magnus.karlsson@intel.com>
---
 net/xdp/xsk.c | 1 +
 1 file changed, 1 insertion(+)


base-commit: 999f6631866e9ea81add935b9c6ebaab0579d259

Comments

patchwork-bot+netdevbpf@kernel.org Aug. 10, 2023, 3:30 a.m. UTC | #1

Hello:

This patch was applied to bpf/bpf.git (master)
by Martin KaFai Lau <martin.lau@kernel.org>:

On Wed,  9 Aug 2023 16:28:43 +0200 you wrote:
> From: Magnus Karlsson <magnus.karlsson@intel.com>
> 
> Fix a refcount underflow problem reported by syzbot that can happen
> when a system is running out of memory. If xp_alloc_tx_descs() fails,
> and it can only fail due to not having enough memory, then the error
> path is triggered. In this error path, the refcount of the pool is
> decremented as it has incremented before. However, the reference to
> the pool in the socket was not nulled. This means that when the socket
> is closed later, the socket teardown logic will think that there is a
> pool attached to the socket and try to decrease the refcount again,
> leading to a refcount underflow.
> 
> [...]

Here is the summary with links:
  - [bpf] xsk: fix refcount underflow in error path
    https://git.kernel.org/bpf/bpf/c/85c2c79a0730

You are awesome, thank you!

Patch

diff --git a/net/xdp/xsk.c b/net/xdp/xsk.c
index b89adb52a977..10ea85c03147 100644
--- a/net/xdp/xsk.c
+++ b/net/xdp/xsk.c
@@ -994,6 +994,7 @@  static int xsk_bind(struct socket *sock, struct sockaddr *addr, int addr_len)
 				err = xp_alloc_tx_descs(xs->pool, xs);
 				if (err) {
 					xp_put_pool(xs->pool);
+					xs->pool = NULL;
 					sockfd_put(sock);
 					goto out_unlock;
 				}