bpf: Acquire map uref in .init_seq_private for sock{map,hash} iterator

sock_map_iter_attach_target() acquires a map uref, and the uref may be
released before or in the middle of iterating map elements. For example,
the uref could be released in sock_map_iter_detach_target() as part of
bpf_link_release(), or could be released in bpf_map_put_with_uref() as
part of bpf_map_release().

Fixing it by acquiring an extra map uref in .init_seq_private and
releasing it in .fini_seq_private.

Fixes: 0365351524d7 ("net: Allow iterating sockmap and sockhash")
Signed-off-by: Hou Tao <houtao1@huawei.com>
Acked-by: Yonghong Song <yhs@fb.com>
Link: https://lore.kernel.org/r/20220810080538.1845898-5-houtao@huaweicloud.com
Signed-off-by: Alexei Starovoitov <ast@kernel.org>

diff --git a/net/core/sock_map.c b/net/core/sock_map.c
index 028813d..9a9fb94 100644 (file)
--- a/net/core/sock_map.c
+++ b/net/core/sock_map.c
@@ -783,13 +783,22 @@ static int sock_map_init_seq_private(void *priv_data,
 {
        struct sock_map_seq_info *info = priv_data;
 
+       bpf_map_inc_with_uref(aux->map);
        info->map = aux->map;
        return 0;
 }
 
+static void sock_map_fini_seq_private(void *priv_data)
+{
+       struct sock_map_seq_info *info = priv_data;
+
+       bpf_map_put_with_uref(info->map);
+}
+
 static const struct bpf_iter_seq_info sock_map_iter_seq_info = {
        .seq_ops                = &sock_map_seq_ops,
        .init_seq_private       = sock_map_init_seq_private,
+       .fini_seq_private       = sock_map_fini_seq_private,
        .seq_priv_size          = sizeof(struct sock_map_seq_info),
 };
 
@@ -1369,18 +1378,27 @@ static const struct seq_operations sock_hash_seq_ops = {
 };
 
 static int sock_hash_init_seq_private(void *priv_data,
-                                    struct bpf_iter_aux_info *aux)
+                                     struct bpf_iter_aux_info *aux)
 {
        struct sock_hash_seq_info *info = priv_data;
 
+       bpf_map_inc_with_uref(aux->map);
        info->map = aux->map;
        info->htab = container_of(aux->map, struct bpf_shtab, map);
        return 0;
 }
 
+static void sock_hash_fini_seq_private(void *priv_data)
+{
+       struct sock_hash_seq_info *info = priv_data;
+
+       bpf_map_put_with_uref(info->map);
+}
+
 static const struct bpf_iter_seq_info sock_hash_iter_seq_info = {
        .seq_ops                = &sock_hash_seq_ops,
        .init_seq_private       = sock_hash_init_seq_private,
+       .fini_seq_private       = sock_hash_fini_seq_private,
        .seq_priv_size          = sizeof(struct sock_hash_seq_info),
 };