From: Xiyu Yang
To: John Fastabend, Daniel Borkmann, Jakub Sitnicki, Lorenz Bauer, Eric Dumazet, "David S. Miller", Alexey Kuznetsov, Hideaki YOSHIFUJI, Jakub Kicinski, Alexei Starovoitov, Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko, KP Singh, Lingpeng Chen, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org
Cc: yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xiyu Yang, Xin Tan
Subject: [PATCH v2] bpf: Fix sk_psock refcnt leak when receiving message
Date: Sun, 26 Apr 2020 11:35:15 +0800
Message-Id: <1587872115-42805-1-git-send-email-xiyuyang19@fudan.edu.cn>
X-Mailer: git-send-email 2.7.4
X-Mailing-List: linux-kernel@vger.kernel.org

tcp_bpf_recvmsg() invokes sk_psock_get(), which
returns a reference of the specified sk_psock object to "psock" with increased refcnt.

When tcp_bpf_recvmsg() returns, local variable "psock" becomes invalid, so the refcount should be decreased to keep refcount balanced.

The reference counting issue happens in several exception handling paths of tcp_bpf_recvmsg(). When those error scenarios occur such as "flags" includes MSG_ERRQUEUE, the function forgets to decrease the refcnt increased by sk_psock_get(), causing a refcnt leak.

Fix this issue by calling sk_psock_put() or pulling up the error queue read handling when those error scenarios occur.

Fixes: e7a5f1f1cd000 ("bpf/sockmap: Read psock ingress_msg before sk_receive_queue")
Signed-off-by: Xiyu Yang
Signed-off-by: Xin Tan
---
Changes in v2:
- Add Fixes tag
- Pull up the error queue read handling
---
 net/ipv4/tcp_bpf.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c index 5a05327f97c1..ff96466ea6da 100644 --- a/net/ipv4/tcp_bpf.c +++ b/net/ipv4/tcp_bpf.c @@ -262,14 +262,17 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, struct sk_psock *psock; int copied, ret; + if (unlikely(flags & MSG_ERRQUEUE)) + return inet_recv_error(sk, msg, len, addr_len); + psock = sk_psock_get(sk); if (unlikely(!psock)) return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); - if (unlikely(flags & MSG_ERRQUEUE)) - return inet_recv_error(sk, msg, len, addr_len); if (!skb_queue_empty(&sk->sk_receive_queue) && - sk_psock_queue_empty(psock)) + sk_psock_queue_empty(psock)) { + sk_psock_put(sk, psock); return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); + } lock_sock(sk); msg_bytes_ready: copied = __tcp_bpf_recvmsg(sk, psock, msg, len, flags); -- 2.7.4
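
Review bot: In the `sk_psock_queue_empty(psock)` branch the reference is dropped by hand with `sk_psock_put(sk, psock);` just before the early `return tcp_recvmsg(...)`, which leaves per-return cleanup that the next early return added after `psock = sk_psock_get(sk);` can miss again. The commit message speaks of several exception handling paths, while the hunk ends at `copied = __tcp_bpf_recvmsg(sk, psock, msg, len, flags);`, so the exits after `lock_sock(sk)` are not visible here; please confirm that each of them reaches a `sk_psock_put()`. Moving the `MSG_ERRQUEUE` check above `sk_psock_get(sk)` is the more robust of the two fixes, since no reference is held on that path at all. The single Fixes tag covers two distinct return paths, so it is worth checking that both leaks date from e7a5f1f1cd000 before this is picked up for stable.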