From: Sasha Levin
To: "stable@vger.kernel.org", "linux-kernel@vger.kernel.org"
CC: John Fastabend, Daniel Borkmann, Sasha Levin
Subject: [PATCH AUTOSEL for 4.15 154/189] bpf: sockmap, fix leaking maps with attached but not detached progs
Date: Mon, 9 Apr 2018 00:18:52 +0000
Message-ID: <20180409001637.162453-154-alexander.levin@microsoft.com>
References: <20180409001637.162453-1-alexander.levin@microsoft.com>
In-Reply-To: <20180409001637.162453-1-alexander.levin@microsoft.com>

From: John Fastabend

[ Upstream commit 3d9e952697de89b53227f06d4241f275eb99cfc4 ]

When a program is attached to a map we increment the program refcnt to ensure that the program is not removed while it is potentially being referenced from sockmap side. However, if this same program also references the map (this is a reasonably common pattern in my programs) then the verifier will also increment the map's refcnt from the verifier. This is to ensure the map doesn't get garbage collected while the program has a reference to it.

So we are left in a state where the map holds the refcnt on the program stopping it from being removed and releasing the map refcnt. And vice versa the program holds a refcnt on the map stopping it from releasing the refcnt on the prog.

All this is fine as long as users detach the program while the map fd is still around. But, if the user omits this detach command we are left with a dangling map we can no longer release.

To resolve this, when the map fd is released decrement the program references and remove any reference from the map to the program. This fixes the issue with possibly dangling map and creates a user side API constraint. That is, the map fd must be held open for programs to be attached to a map.

Fixes: 174a79ff9515 ("bpf: sockmap with sk redirect support")
Signed-off-by: John Fastabend
Signed-off-by: Daniel Borkmann
Signed-off-by: Sasha Levin --- kernel/bpf/sockmap.c | 19 ++++++++++++++----- 1 file changed, 14 insertions(+), 5 deletions(-) diff --git a/kernel/bpf/sockmap.c b/kernel/bpf/sockmap.c index 1712d319c2d8..7965398a3070 100644 --- a/kernel/bpf/sockmap.c +++ b/kernel/bpf/sockmap.c @@ -604,11 +604,6 @@ static void sock_map_free(struct bpf_map *map) } rcu_read_unlock(); =20 - if (stab->bpf_verdict) - bpf_prog_put(stab->bpf_verdict); - if (stab->bpf_parse) - bpf_prog_put(stab->bpf_parse); - sock_map_remove_complete(stab); } =20 @@ -880,6 +875,19 @@ static int sock_map_update_elem(struct bpf_map *map, return err; } =20 +static void sock_map_release(struct bpf_map *map, struct file *map_file) +{ + struct bpf_stab *stab =3D container_of(map, struct bpf_stab, map); + struct bpf_prog *orig; + + orig =3D xchg(&stab->bpf_parse, NULL); + if (orig) + bpf_prog_put(orig); + orig =3D xchg(&stab->bpf_verdict, NULL); + if (orig) + bpf_prog_put(orig); +} + const struct bpf_map_ops sock_map_ops =3D { .map_alloc =3D sock_map_alloc, .map_free =3D sock_map_free, @@ -887,6 +895,7 @@ const struct bpf_map_ops sock_map_ops =3D { .map_get_next_key =3D sock_map_get_next_key, .map_update_elem =3D sock_map_update_elem, .map_delete_elem =3D sock_map_delete_elem, + .map_release =3D sock_map_release, }; =20 BPF_CALL_4(bpf_sock_map_update, struct bpf_sock_ops_kern *, bpf_sock, --=20 2.15.1
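Review bot: in the first hunk (sock_map_free, around line 604), dropping both bpf_prog_put() calls leaves the free path with no handling of stab->bpf_verdict and stab->bpf_parse at all, so the program references are only ever dropped if sock_map_release() has run and nothing has stored a program in those fields afterwards. Nothing in the visible lines enforces or documents that ordering. Please add a comment in sock_map_free() stating that the programs are dropped in the .map_release callback, and consider a WARN_ON_ONCE on a non-NULL stab->bpf_parse or stab->bpf_verdict before sock_map_remove_complete(stab) so that a reintroduced leak is visible rather than silent.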
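Review bot: in the second hunk (new sock_map_release(), around line 880), the map_file argument is never used and the function clears both program pointers unconditionally, so the detach happens on every invocation of the callback regardless of which file is being released. If .map_release can be invoked while another file for the same map is still open, closing one of them would silently detach the parse and verdict programs for the remaining holder. The commit message describes a new user-visible constraint ("the map fd must be held open for programs to be attached to a map"), but the code carries no comment saying so; please document that constraint above sock_map_release() and state in the comment why map_file is ignored.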