[PATCH openEuler-22.03-LTS-SP2 9/9] bpf: fix bpf_tcp_ingress addr use after free

11 Jun 2023

From: zhangmingyi zhangmingyi5@huawei.com
euleros inclusion
category: bugfix
bugzilla: https://gitee.com/openeuler/kernel/issues/I545NW
CVE: NA
--------------------------------
fix a bug in bpf_tcp_ingress(), addr use after free
Signed-off-by: zhangmingyi zhangmingyi5@huawei.com
Reviewed-by: liuxin liuxin350@huawei.com
Reviewed-by: wuchangye wuchangye@huawei.com
Fixes: 8818e269f18d ("bpf, sockmap: Add sk_rmem_alloc check for sockmap")
Signed-off-by: Liu Jian liujian56@huawei.com
---
 net/ipv4/tcp_bpf.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c
index ad612109317f..1cff6ae3f6fd 100644
--- a/net/ipv4/tcp_bpf.c
+++ b/net/ipv4/tcp_bpf.c
@@ -138,7 +138,8 @@ static int bpf_tcp_ingress(struct sock *sk, struct sk_psock *psock,
    if (!ret) {
    	msg->sg.start = i;
    	sk_psock_queue_msg(psock, tmp);
-		atomic_add(tmp->sg.size, &sk->sk_rmem_alloc);
+		if (sk_psock_test_state(psock, SK_PSOCK_TX_ENABLED))
+			atomic_add(tmp->sg.size, &sk->sk_rmem_alloc);
    	sk_psock_data_ready(sk, psock);
    } else {
    	sk_msg_free(sk, tmp);
-- 
2.34.1


    

2025

2024

2023

2022

2021

2020

2019

[PATCH openEuler-22.03-LTS-SP2 9/9] bpf: fix bpf_tcp_ingress addr use after free