Received: by 2002:a25:1985:0:0:0:0:0 with SMTP id 127csp860393ybz;
        Sat, 25 Apr 2020 05:59:15 -0700 (PDT)
X-Google-Smtp-Source: APiQypJ53OgJss455ercHBUoAwfV5vc0/a9hU22orJp/DgLswP/zIjaF/xJkFyY6Pr3UPL2MD+Jc
X-Received: by 2002:a17:906:b2c4:: with SMTP id cf4mr12067042ejb.340.1587819555053;
        Sat, 25 Apr 2020 05:59:15 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1587819555; cv=none;
        d=google.com; s=arc-20160816;
        b=GsmBXMlzZ+4mq02ROSX18eHhbM/AWsxoOwdGPm7JH4aaZvHjF2HoXtb+c6N/qkTP3O
         cnIx6CsMWaaCecNixxITq4vdqn4hLV17ns1GumVEW/6J74h6QnMBoWwiCTXXwOurgKrZ
         8HHWvx2TW9Lgds5nMAGFXdBPd8VgzymROTG6gWbyhuQ6ZYX0DbIRDV8hXPQcee8lBGto
         fUkEByACOT7J9x2dEQi8wo1Loi6qRK+IiNGouwxvcqTzItOVLuK6JWzNSnZ7g3ijzRbs
         7pG83OCzpHxDrn9vaAopsTywqYAhRiSdozO2THLpFYiYU5K2t9kBcx/HhG6aaaDMrO1p
         lYKg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:message-id:date:subject:cc:to:from
         :dkim-signature;
        bh=Hr6TaIsHS2dYA/EvQqNYGdkNxiORGpR8WxM0WdhPfSg=;
        b=I3SBD11eYSldyKmSDhnYgV5HHtDCIU2dav1cDtJ97RBMLGOLwQSuNqkTMCW2qv0BdU
         sdTy7skGSPJm99nJ+YkX/sUk6CDvkZjneNG/zh0ujCngN6uY35S9bUq4CpIhhKVqcBQO
         ob9q3VFCW0eeohxnWiivy09dQ/wzEAnK6nnor9GWJY5NjR7wmqXapLNThbXGAy149LcZ
         eXjUCAxt1340NJD/zIjl5jHVqEI924q2IgEDPnsO+1+HxEuOyFJ2CpoW4enXcDOVCq9M
         aDPczPBsVg61e8KtHKt0wPilkQDwqgKk1iP7TFnDdjkwKpbvT4zXOJ7zI2XW9grcAjwd
         2gsA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@fudan.edu.cn header.s=dkim header.b=Wq5PT9xq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fudan.edu.cn
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id o15si4800252eje.13.2020.04.25.05.58.51;
        Sat, 25 Apr 2020 05:59:15 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@fudan.edu.cn header.s=dkim header.b=Wq5PT9xq;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=fudan.edu.cn
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726197AbgDYMzU (ORCPT <rfc822;kkoh.linux@gmail.com>
        + 99 others); Sat, 25 Apr 2020 08:55:20 -0400
Received: from mail.fudan.edu.cn ([202.120.224.10]:40249 "EHLO fudan.edu.cn"
        rhost-flags-OK-OK-OK-FAIL) by vger.kernel.org with ESMTP
        id S1726060AbgDYMzT (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Sat, 25 Apr 2020 08:55:19 -0400
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=fudan.edu.cn; s=dkim; h=Received:From:To:Cc:Subject:Date:
        Message-Id; bh=Hr6TaIsHS2dYA/EvQqNYGdkNxiORGpR8WxM0WdhPfSg=; b=W
        q5PT9xq4rYJooAmf7V96kFbiHoQUbAoUboGCLHedf+5hIhmKD97kJV1DQVf7DMxB
        2vcF32AquIh2npTn5BjATQRZ8w2tZIWB17Jhcoj+3mZbGozYDcSVv7E4+Qy44hkV
        ekTkuiy8lCFITQZ68LZowE1lMEysXWnhC8CD2b0sQg=
Received: from localhost.localdomain (unknown [120.229.255.80])
        by app1 (Coremail) with SMTP id XAUFCgD3_MQjM6ReSWuNAA--.2611S3;
        Sat, 25 Apr 2020 20:55:01 +0800 (CST)
From:   Xiyu Yang <xiyuyang19@fudan.edu.cn>
To:     Boris Pismenny <borisp@mellanox.com>,
        Aviad Yehezkel <aviadye@mellanox.com>,
        John Fastabend <john.fastabend@gmail.com>,
        Daniel Borkmann <daniel@iogearbox.net>,
        Jakub Kicinski <kuba@kernel.org>,
        "David S. Miller" <davem@davemloft.net>,
        Alexei Starovoitov <ast@kernel.org>,
        Martin KaFai Lau <kafai@fb.com>,
        Song Liu <songliubraving@fb.com>, Yonghong Song <yhs@fb.com>,
        Andrii Nakryiko <andriin@fb.com>,
        KP Singh <kpsingh@chromium.org>, netdev@vger.kernel.org,
        linux-kernel@vger.kernel.org, bpf@vger.kernel.org
Cc:     yuanxzhang@fudan.edu.cn, kjlu@umn.edu,
        Xiyu Yang <xiyuyang19@fudan.edu.cn>,
        Xin Tan <tanxin.ctf@gmail.com>
Subject: [PATCH] net/tls: Fix sk_psock refcnt leak in bpf_exec_tx_verdict()
Date:   Sat, 25 Apr 2020 20:54:37 +0800
Message-Id: <1587819277-38974-1-git-send-email-xiyuyang19@fudan.edu.cn>
X-Mailer: git-send-email 2.7.4
X-CM-TRANSID: XAUFCgD3_MQjM6ReSWuNAA--.2611S3
X-Coremail-Antispam: 1UD129KBjvdXoWruFW5XFW3tF45uF4xtr13urg_yoWktwc_Kw
        s7Kr1xu3s8ZFn8ta9Fkr4YvrWSkry5Zry8uFyfJrZxAa40grW2vrZ8JF9xArZxGw4Iqa15
        Grs5Ca9Ikw1xZjkaLaAFLSUrUUUUUb8apTn2vfkv8UJUUUU8Yxn0WfASr-VFAUDa7-sFnT
        9fnUUIcSsGvfJTRUUUbTkFF20E14v26ryj6rWUM7CY07I20VC2zVCF04k26cxKx2IYs7xG
        6rWj6s0DM7CIcVAFz4kK6r1j6r18M28lY4IEw2IIxxk0rwA2F7IY1VAKz4vEj48ve4kI8w
        A2z4x0Y4vE2Ix0cI8IcVAFwI0_tr0E3s1l84ACjcxK6xIIjxv20xvEc7CjxVAFwI0_GcCE
        3s1l84ACjcxK6I8E87Iv67AKxVW0oVCq3wA2z4x0Y4vEx4A2jsIEc7CjxVAFwI0_GcCE3s
        1lnxkEFVAIw20F6cxK64vIFxWle2I262IYc4CY6c8Ij28IcVAaY2xG8wAqx4xG64xvF2IE
        w4CE5I8CrVC2j2WlYx0E2Ix0cI8IcVAFwI0_JF0_Jw1lYx0Ex4A2jsIE14v26r1j6r4UMc
        vjeVCFs4IE7xkEbVWUJVW8JwACjcxG0xvY0x0EwIxGrwACjI8F5VA0II8E6IAqYI8I648v
        4I1lFIxGxcIEc7CjxVA2Y2ka0xkIwI1lc2xSY4AK67AK6ryUMxAIw28IcxkI7VAKI48JMx
        C20s026xCaFVCjc4AY6r1j6r4UMI8I3I0E5I8CrVAFwI0_Jr0_Jr4lx2IqxVCjr7xvwVAF
        wI0_JrI_JrWlx4CE17CEb7AF67AKxVW8ZVWrXwCIc40Y0x0EwIxGrwCI42IY6xIIjxv20x
        vE14v26r1j6r1xMIIF0xvE2Ix0cI8IcVCY1x0267AKxVWxJVW8Jr1lIxAIcVCF04k26cxK
        x2IYs7xG6r4j6FyUMIIF0xvEx4A2jsIE14v26r1j6r4UMIIF0xvEx4A2jsIEc7CjxVAFwI
        0_Gr0_Gr1UYxBIdaVFxhVjvjDU0xZFpf9x0JUhyCJUUUUU=
X-CM-SenderInfo: irzsiiysuqikmy6i3vldqovvfxof0/
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

bpf_exec_tx_verdict() invokes sk_psock_get(), which returns a reference
of the specified sk_psock object to "psock" with increased refcnt.

When bpf_exec_tx_verdict() returns, local variable "psock" becomes
invalid, so the refcount should be decreased to keep refcount balanced.

The reference counting issue happens in one exception handling path of
bpf_exec_tx_verdict(). When "policy" equals to NULL but "psock" is not
NULL, the function forgets to decrease the refcnt increased by
sk_psock_get(), causing a refcnt leak.

Fix this issue by calling sk_psock_put() on this error path before
bpf_exec_tx_verdict() returns.

Signed-off-by: Xiyu Yang <xiyuyang19@fudan.edu.cn>
Signed-off-by: Xin Tan <tanxin.ctf@gmail.com>
---
 net/tls/tls_sw.c | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/net/tls/tls_sw.c b/net/tls/tls_sw.c
index 7d3bf86e6cbf..5fad144edaa3 100644
--- a/net/tls/tls_sw.c
+++ b/net/tls/tls_sw.c
@@ -800,6 +800,8 @@ static int bpf_exec_tx_verdict(struct sk_msg *msg, struct sock *sk,
 			*copied -= sk_msg_free(sk, msg);
 			tls_free_open_rec(sk);
 		}
+		if (psock)
+			sk_psock_put(sk, psock);
 		return err;
 	}
 more_data:
-- 
2.7.4