Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp981583ybt; Wed, 17 Jun 2020 19:51:16 -0700 (PDT) X-Google-Smtp-Source: ABdhPJz+hnCznNMwzFHxUDHMsRyyqf7pHtrAoBym7o5Laluul/cpp6fGWhVJ4tRYFlJqqs6bESUz X-Received: by 2002:a17:906:6403:: with SMTP id d3mr1950635ejm.386.1592448676706; Wed, 17 Jun 2020 19:51:16 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592448676; cv=none; d=google.com; s=arc-20160816; b=XngNWOEl3XC/fhLBZhHFh3IbO528hXMNXSp55ZH5mM4kVaG4MSOghND0NqDqgsv8V0 QUyIvkHjPPRuxPAga7pKg1tVBP7j22fxnuMk2fnPmBeqVNKj4Jd3hPJchNsp/Ume9vyB 4HdMkfJJuQF2ZP3V7xSxWc8T3dqguPGjdJVkX5HQuUAgaZyb3PKzxiM5QamHXgic9Og2 hzwN0nJ3YylRRaJXCeA8X/vWpIJjWpnCKTIqTnZ3UVdcJubo3B/TfAQb5rj2P2rPzgDk KkGR2ULccVRN12li4EMpFlVFU1S3UIX006utXU9w+SG2vVIbm0C6j6Z4Ttg3ciKPogC6 2zLA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=Fn7dH+wRPHPgnciUmDoiiIi8sbUCrjEOsxAVP2+sQXI=; b=AuTUm3YILur1ScEqGIxWTCPIysIMBKgoGZYxEkp8s7Gxk6D8SMZUtUmxlB8E0w6psO UktlLTzirLy/gN8Y48jC0YwtNr304e20fUC46Cewmwy74a96PvDf86Q9owzRyqucBJhE k2SpUedygoCAJBBWam0eBq0CmtTtMzTNz/hc9ruszxPnEMCeEozQ4l+Z8u4nC5LeLfzr w37LhyrUl1ot/LxLHXUrNd1XGC0xS3VTEmAEH+V+QAKp/Q6w31CmpDh/Y+8dEy5/2sfI Rmw/4O+aLbgmZ4oa3sYDQHASrdopnCrQNyk5Wk8Pfsr6ZT7f5GPUQso83ieeEHe1FGpE +vGQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=T53g89eU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id d19si1007327ejy.459.2020.06.17.19.50.51; Wed, 17 Jun 2020 19:51:16 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=default header.b=T53g89eU; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S2387917AbgFRCrJ (ORCPT + 99 others); Wed, 17 Jun 2020 22:47:09 -0400 Received: from mail.kernel.org ([198.145.29.99]:37574 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1728493AbgFRBK0 (ORCPT ); Wed, 17 Jun 2020 21:10:26 -0400 Received: from sasha-vm.mshome.net (c-73-47-72-35.hsd1.nh.comcast.net [73.47.72.35]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by mail.kernel.org (Postfix) with ESMTPSA id E7CFC2089D; Thu, 18 Jun 2020 01:10:24 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=default; t=1592442625; bh=/GQEdGujnbIHnkLHzej4D5czD149ccqynnLQLOD0wVA=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=T53g89eUx2kZYZiGC3ivVVjTq9ekRaI1fB13lk3LVW5Gio7IA5+1AAyXXjCF5oLNG vIgffQW63lmxq+oOF7XBiNsg0Q+56rexnOIsE23pmDl13PLSDxDd3q2fqmqYXNslcr dnnMbtI19UNy/0HSe8/h8DmKbQnIgr61008bQ/NM= From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Jakub Sitnicki , Alexei Starovoitov , John Fastabend , Sasha Levin , netdev@vger.kernel.org, bpf@vger.kernel.org Subject: [PATCH AUTOSEL 5.7 104/388] bpf, sockhash: Fix memory leak when unlinking sockets in sock_hash_free Date: Wed, 17 Jun 2020 21:03:21 -0400 Message-Id: <20200618010805.600873-104-sashal@kernel.org> X-Mailer: git-send-email 2.25.1 In-Reply-To: <20200618010805.600873-1-sashal@kernel.org> References: <20200618010805.600873-1-sashal@kernel.org> MIME-Version: 1.0 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Jakub Sitnicki [ Upstream commit 33a7c831565c43a7ee2f38c7df4c4a40e1dfdfed ] When sockhash gets destroyed while sockets are still linked to it, we will walk the bucket lists and delete the links. However, we are not freeing the list elements after processing them, leaking the memory. The leak can be triggered by close()'ing a sockhash map when it still contains sockets, and observed with kmemleak: unreferenced object 0xffff888116e86f00 (size 64): comm "race_sock_unlin", pid 223, jiffies 4294731063 (age 217.404s) hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 81 de e8 41 00 00 00 00 c0 69 2f 15 81 88 ff ff ...A.....i/..... backtrace: [<00000000dd089ebb>] sock_hash_update_common+0x4ca/0x760 [<00000000b8219bd5>] sock_hash_update_elem+0x1d2/0x200 [<000000005e2c23de>] __do_sys_bpf+0x2046/0x2990 [<00000000d0084618>] do_syscall_64+0xad/0x9a0 [<000000000d96f263>] entry_SYSCALL_64_after_hwframe+0x49/0xb3 Fix it by freeing the list element when we're done with it. Fixes: 604326b41a6f ("bpf, sockmap: convert to generic sk_msg interface") Signed-off-by: Jakub Sitnicki Signed-off-by: Alexei Starovoitov Acked-by: John Fastabend Link: https://lore.kernel.org/bpf/20200607205229.2389672-2-jakub@cloudflare.com Signed-off-by: Sasha Levin --- net/core/sock_map.c | 1 + 1 file changed, 1 insertion(+) diff --git a/net/core/sock_map.c b/net/core/sock_map.c index b08dfae10f88..7edbf1e92457 100644 --- a/net/core/sock_map.c +++ b/net/core/sock_map.c @@ -1024,6 +1024,7 @@ static void sock_hash_free(struct bpf_map *map) sock_map_unref(elem->sk, elem); rcu_read_unlock(); release_sock(elem->sk); + sock_hash_free_elem(htab, elem); } } -- 2.25.1