From: Daniel Borkmann
Date: Mon, 27 Apr 2020 23:21:30 +0200
Subject: Re: [PATCH v2] bpf: Fix sk_psock refcnt leak when receiving message
To: Xiyu Yang, John Fastabend, Jakub Sitnicki, Lorenz Bauer, Eric Dumazet, "David S. Miller", Alexey Kuznetsov, Hideaki YOSHIFUJI, Jakub Kicinski, Alexei Starovoitov, Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko, KP Singh, Lingpeng Chen, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xin Tan
Message-ID: <3d57b38c-fe77-4b2d-27e2-1b02c01226fb@iogearbox.net>
In-Reply-To: <1587872115-42805-1-git-send-email-xiyuyang19@fudan.edu.cn>

On 4/26/20 5:35 AM, Xiyu Yang wrote:
> tcp_bpf_recvmsg() invokes sk_psock_get(), which returns a reference of
> the specified sk_psock object to "psock" with increased refcnt.
>
> When tcp_bpf_recvmsg() returns, local variable "psock" becomes invalid,
> so the refcount should be decreased to keep refcount balanced.
>
> The reference counting issue happens in several exception handling paths
> of tcp_bpf_recvmsg(). When those error scenarios occur such as "flags"
> includes MSG_ERRQUEUE, the function forgets to decrease the refcnt
> increased by sk_psock_get(), causing a refcnt leak.
>
> Fix this issue by calling sk_psock_put() or pulling up the error queue
> read handling when those error scenarios occur.
>
> Fixes: e7a5f1f1cd000 ("bpf/sockmap: Read psock ingress_msg before sk_receive_queue")
> Signed-off-by: Xiyu Yang
> Signed-off-by: Xin Tan

Applied, thanks!
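
The get/put imbalance described in the quoted commit message, as an added user-space model that is not part of this mail or of the kernel source. The struct, the helpers `psock_get`/`psock_put`, the functions `recv_leaky`/`recv_fixed`/`refcnt_drift`, and both `MODEL_*` flag bits are assumptions made for illustration; `MODEL_EARLY_EXIT` stands for any other early-return path.

```c
#include <stdio.h>
#define MODEL_MSG_ERRQUEUE 0x1 /* constructed flag bit, not the kernel value */
#define MODEL_EARLY_EXIT   0x2 /* hypothetical second early-return condition */
struct psock { int refcnt; };  /* toy stand-in for struct sk_psock */

static struct psock *psock_get(struct psock *p) { p->refcnt++; return p; }
static void psock_put(struct psock *p) { p->refcnt--; }

/* Before: the reference is taken first and the early returns skip the put. */
static int recv_leaky(struct psock *sk, int flags)
{
    struct psock *psock = psock_get(sk);
    if (flags & MODEL_MSG_ERRQUEUE)
        return -2; /* leak: reference never dropped */
    if (flags & MODEL_EARLY_EXIT)
        return -3; /* leak: reference never dropped */
    psock_put(psock);
    return 0;
}

/* After: error-queue check pulled up ahead of the get; other exit puts first. */
static int recv_fixed(struct psock *sk, int flags)
{
    struct psock *psock;
    if (flags & MODEL_MSG_ERRQUEUE)
        return -2; /* no reference held yet */
    psock = psock_get(sk);
    if (flags & MODEL_EARLY_EXIT) {
        psock_put(psock);
        return -3;
    }
    psock_put(psock);
    return 0;
}

/* Net refcount change after n calls; 0 means get and put are balanced. */
static int refcnt_drift(int (*fn)(struct psock *, int), int flags, int n)
{
    struct psock p = { 1 };
    for (int i = 0; i < n; i++)
        fn(&p, flags);
    return p.refcnt - 1;
}

int main(void)
{
    printf("ERRQUEUE drift: leaky=%d fixed=%d\n",
           refcnt_drift(recv_leaky, MODEL_MSG_ERRQUEUE, 3),
           refcnt_drift(recv_fixed, MODEL_MSG_ERRQUEUE, 3));
    return 0;
}
```

A nonzero drift means the object can never reach a refcount of zero, so it is never freed; each call on the leaking path pins one more reference.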