From: Jakub Sitnicki
To: Xiyu Yang
Cc: John Fastabend, Daniel Borkmann, Lorenz Bauer, Eric Dumazet, "David S. Miller", Alexey Kuznetsov, Hideaki YOSHIFUJI, Jakub Kicinski, Alexei Starovoitov, Martin KaFai Lau, Song Liu, Yonghong Song, Andrii Nakryiko, KP Singh, Lingpeng Chen, netdev@vger.kernel.org, bpf@vger.kernel.org, linux-kernel@vger.kernel.org, yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xin Tan
Subject: Re: [PATCH v2] bpf: Fix sk_psock refcnt leak when receiving message
In-reply-to: <1587872115-42805-1-git-send-email-xiyuyang19@fudan.edu.cn>
Date: Sun, 26 Apr 2020 13:01:29 +0200
Message-ID: <87k122v7cm.fsf@cloudflare.com>
MIME-Version: 1.0
Content-Type: text/plain
Sender: linux-kernel-owner@vger.kernel.org
Precedence: bulk
List-ID:
X-Mailing-List: linux-kernel@vger.kernel.org

On Sun, Apr 26, 2020 at 05:35 AM CEST, Xiyu Yang wrote:
> tcp_bpf_recvmsg() invokes sk_psock_get(), which returns a reference of
> the specified sk_psock object to "psock" with increased refcnt.
>
> When tcp_bpf_recvmsg() returns, local variable "psock" becomes invalid,
> so the refcount should be decreased to keep refcount balanced.
>
> The reference counting issue happens in several exception handling paths
> of tcp_bpf_recvmsg(). When those error scenarios occur such as "flags"
> includes MSG_ERRQUEUE, the function forgets to decrease the refcnt
> increased by sk_psock_get(), causing a refcnt leak.
>
> Fix this issue by calling sk_psock_put() or pulling up the error queue
> read handling when those error scenarios occur.
>
> Fixes: e7a5f1f1cd000 ("bpf/sockmap: Read psock ingress_msg before sk_receive_queue")
> Signed-off-by: Xiyu Yang
> Signed-off-by: Xin Tan
> ---
> Changes in v2:
> - Add Fixes tag
> - Pull up the error queue read handling
> ---
> net/ipv4/tcp_bpf.c | 9 ++++++---
> 1 file changed, 6 insertions(+), 3 deletions(-)
>
> diff --git a/net/ipv4/tcp_bpf.c b/net/ipv4/tcp_bpf.c > index 5a05327f97c1..ff96466ea6da 100644 > --- a/net/ipv4/tcp_bpf.c 
> +++ b/net/ipv4/tcp_bpf.c > @@ -262,14 +262,17 @@ static int tcp_bpf_recvmsg(struct sock *sk, struct msghdr *msg, size_t len, > struct sk_psock *psock; > int copied, ret; > > + if (unlikely(flags & MSG_ERRQUEUE)) > + return inet_recv_error(sk, msg, len, addr_len); > + > psock = sk_psock_get(sk); > if (unlikely(!psock)) > return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); > - if (unlikely(flags & MSG_ERRQUEUE)) > - return inet_recv_error(sk, msg, len, addr_len); > if (!skb_queue_empty(&sk->sk_receive_queue) && > - sk_psock_queue_empty(psock)) > + sk_psock_queue_empty(psock)) { > + sk_psock_put(sk, psock); > return tcp_recvmsg(sk, msg, len, nonblock, flags, addr_len); > + } > lock_sock(sk); > msg_bytes_ready: > copied = __tcp_bpf_recvmsg(sk, psock, msg, len, flags); Reviewed-by: Jakub Sitnicki
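
Review bot: The hoisted MSG_ERRQUEUE return at the top of tcp_bpf_recvmsg() is leak-free only because it now sits ahead of `psock = sk_psock_get(sk);`, and nothing in the code records that ordering constraint. A one-line comment above `if (unlikely(flags & MSG_ERRQUEUE))` stating that it must stay before the reference is taken would keep a later reorder from reintroducing the leak. The second fix, the added `sk_psock_put(sk, psock);` in the `sk_psock_queue_empty(psock)` branch, balances that early return, but the hunk stops at `copied = __tcp_bpf_recvmsg(sk, psock, msg, len, flags);`, so the exits after `lock_sock(sk)` are not visible here; the commit message would be easier to verify if it listed which return paths were audited and confirmed that each one past `msg_bytes_ready:` already drops the reference.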