bpf: Acquire map uref in .init_seq_private for sock{map,hash} iterator

commit f0d2b2716d71778d0b0c8eaa433c073287d69d93 upstream.

sock_map_iter_attach_target() acquires a map uref, and the uref may be
released before or in the middle of iterating map elements. For example,
the uref could be released in sock_map_iter_detach_target() as part of
bpf_link_release(), or could be released in bpf_map_put_with_uref() as
part of bpf_map_release().

Fixing it by acquiring an extra map uref in .init_seq_private and
releasing it in .fini_seq_private.

Fixes: 0365351524d7 ("net: Allow iterating sockmap and sockhash")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/r/20220810080538.1845898-5-houtao@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>

diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 6351b6af7aca9cecd26586f595b914a443544c7b..795b3acfb9fd2ba529aa2e85b6b9f546bd8d9304 100644 (file)
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -789,13 +789,22 @@ static int sock_map_init_seq_private(void *priv_data,
 {
        struct sock_map_seq_info *info = priv_data;
 
+       bpf_map_inc_with_uref(aux->map);
        info->map = aux->map;
        return 0;
 }
 
+static void sock_map_fini_seq_private(void *priv_data)
+{
+       struct sock_map_seq_info *info = priv_data;
+
+       bpf_map_put_with_uref(info->map);
+}
+
 static const struct bpf_iter_seq_info sock_map_iter_seq_info = {
        .seq_ops                = &sock_map_seq_ops,
        .init_seq_private       = sock_map_init_seq_private,
+       .fini_seq_private       = sock_map_fini_seq_private,
        .seq_priv_size          = sizeof(struct sock_map_seq_info),
 };
 
@@ -1376,18 +1385,27 @@ static const struct seq_operations sock_hash_seq_ops = {
 };
 
 static int sock_hash_init_seq_private(void *priv_data,
-                                    struct bpf_iter_aux_info *aux)
+                                     struct bpf_iter_aux_info *aux)
 {
        struct sock_hash_seq_info *info = priv_data;
 
+       bpf_map_inc_with_uref(aux->map);
        info->map = aux->map;
        info->htab = container_of(aux->map, struct bpf_shtab, map);
        return 0;
 }
 
+static void sock_hash_fini_seq_private(void *priv_data)
+{
+       struct sock_hash_seq_info *info = priv_data;
+
+       bpf_map_put_with_uref(info->map);
+}
+
 static const struct bpf_iter_seq_info sock_hash_iter_seq_info = {
        .seq_ops                = &sock_hash_seq_ops,
        .init_seq_private       = sock_hash_init_seq_private,
+       .fini_seq_private       = sock_hash_fini_seq_private,
        .seq_priv_size          = sizeof(struct sock_hash_seq_info),
 };