bpf.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
@ 2020-04-25 12:54 Xiyu Yang
  2020-04-27 18:17 ` David Miller
  0 siblings, 1 reply; 3+ messages in thread
From: Xiyu Yang @ 2020-04-25 12:54 UTC (permalink / raw)
  To: Boris Pismenny, Aviad Yehezkel, John Fastabend, Daniel Borkmann,
	Jakub Kicinski, David S. Miller, Alexei Starovoitov,
	Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko,
	KP Singh, netdev, linux-kernel, bpf
  Cc: yuanxzhang, kjlu, Xiyu Yang, Xin Tan

bpf_exec_tx_verdict() invokes sk_psock_get(), which returns a reference
of the specified sk_psock object to "psock" with increased refcnt.

When bpf_exec_tx_verdict() returns, local variable "psock" becomes
invalid, so the refcount should be decreased to keep refcount balanced.

The reference counting issue happens in one exception handling path of
bpf_exec_tx_verdict(). When "policy" equals to NULL but "psock" is not
NULL, the function forgets to decrease the refcnt increased by
sk_psock_get(), causing a refcnt leak.

Fix this issue by calling sk_psock_put() on this error path before
bpf_exec_tx_verdict() returns.

Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
 net/tls/tls_sw.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 7d3bf86e6cbf..5fad144edaa3 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -800,6 +800,8 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
 			*copied -= sk_msg_free(sk, msg);
 			tls_free_open_rec(sk);
 		}
+		if (psock)
+			sk_psock_put(sk, psock);
 		return err;
 	}
 more_data:
-- 
2.7.4


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
  2020-04-25 12:54 [PATCH] net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict() Xiyu Yang
@ 2020-04-27 18:17 ` David Miller
  0 siblings, 0 replies; 3+ messages in thread
From: David Miller @ 2020-04-27 18:17 UTC (permalink / raw)
  To: xiyuyang19
  Cc: borisp, aviadye, john.fastabend, daniel, kuba, ast, kafai,
	songliubraving, yhs, andriin, kpsingh, netdev, linux-kernel, bpf,
	yuanxzhang, kjlu, tanxin.ctf

From: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Date: Sat, 25 Apr 2020 20:54:37 +0800

> bpf_exec_tx_verdict() invokes sk_psock_get(), which returns a reference
> of the specified sk_psock object to "psock" with increased refcnt.
> 
> When bpf_exec_tx_verdict() returns, local variable "psock" becomes
> invalid, so the refcount should be decreased to keep refcount balanced.
> 
> The reference counting issue happens in one exception handling path of
> bpf_exec_tx_verdict(). When "policy" equals to NULL but "psock" is not
> NULL, the function forgets to decrease the refcnt increased by
> sk_psock_get(), causing a refcnt leak.
> 
> Fix this issue by calling sk_psock_put() on this error path before
> bpf_exec_tx_verdict() returns.
> 
> Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
> Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>

Applied and queued up for -stable.

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
@ 2020-04-25 18:46 Markus Elfring
  0 siblings, 0 replies; 3+ messages in thread
From: Markus Elfring @ 2020-04-25 18:46 UTC (permalink / raw)
  To: Xiyu Yang, Xin Tan, netdev, bpf
  Cc: linux-kernel, Alexei Starovoitov, Andrii Nakryiko,
	Aviad Yehezkel, Boris Pismenny, Daniel Borkmann, David S. Miller,
	Jakub Kicinski, John Fastabend, Kangjie Lu, KP Singh,
	Martin KaFai Lau, Song Liu, Yonghong Song, Yuan Zhang

> When bpf_exec_tx_verdict() returns, local variable "psock" becomes
> invalid, so the refcount should be decreased to keep refcount balanced.

How do you think about to mention the term “reference counting” in
the commit message?

Would you like to add the tag “Fixes” to the change description?

Regards,
Markus

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2020-04-27 18:18 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-04-25 12:54 [PATCH] net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict() Xiyu Yang
2020-04-27 18:17 ` David Miller
2020-04-25 18:46 Markus Elfring

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).