Received: by 2002:a5d:9c59:0:0:0:0:0 with SMTP id 25csp1569675iof; Tue, 7 Jun 2022 07:57:44 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzWHJxh5BfSDP2dy9pzKrVVE/AIsYpH6GotbYvgRZcfvYs6PFttwqzwdFxNMk2RTrg7X1Ea X-Received: by 2002:a63:ea09:0:b0:3fd:3c6a:47c2 with SMTP id c9-20020a63ea09000000b003fd3c6a47c2mr17908423pgi.242.1654613864618; Tue, 07 Jun 2022 07:57:44 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1654613864; cv=none; d=google.com; s=arc-20160816; b=GuSxJxJbk2zMEe+pMEEaEQbNOk/zFfvhGYU4RM16frSvKsMUFRoVRw6KK3uFyX1GNj iOzqQmIdJbCb6Ho2dGtYWn2t6LanDDjDFnEDxm68JLdis3ACtxHpY0RdAvWSgEac3o5v amGMQNJjH9ECar63wCcBdODw/UrW+rwTIKznQCbqFVpaETMB3VFuMrBZQ/ZbFoxBN44l orkME93U2rhd9XUhxAPiTcPtuCB0c3RGdySZ0DcQFZTePg+OmfDeNq9SDIeD4KhLzZyB Wr3BN4Ufc7BydJbA5g89ByJ3XYegMuZ2O/CkDd+1X59i8/QyZvilQSeyf/kYjwh9TL6t KRdA== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:date:message-id:subject:to:from:cc:references :in-reply-to:content-transfer-encoding:mime-version:dkim-signature; bh=A2kvy81dmgdanm+fBa8gakwM2bQO6g6F9OhMyxeC6JY=; b=kGTRpS/+gS3Sb2YtYrv/nwoWM6BwkUlu8jx0GxrW+AA+36IxYRU5CSO62CPUuucFfd XbD42NYWAFXIKztIKwcFJgpw6InH6tlf33L6ICV27/TCCFghnoLVgr/yW4pxfwg1znSp 80baIOTCBPJuHIgYWF8+uvqE436gcrG2uYUZbR1pf7mqAbodHpMTtDAhb/AOE6r3Pvwv jWG0Jo5Jvmc0gEbp4ET8CfuG2sGmQWdlL4HfivHlcOFF/X9gE4hKJ2XW3oHT/5gJJobF r4Z64R7lpJmqM9zGYnyxKm/hBeZUUF80nEtjDIBQQEvM0Rbjq9oxNDRZKFHFPjbe6Hp1 kWQA== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=GVkWsBrH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20]) by mx.google.com with ESMTP id 66-20020a630045000000b003fcef4b7babsi19737771pga.417.2022.06.07.07.57.30; Tue, 07 Jun 2022 07:57:44 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=GVkWsBrH; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S238114AbiFGISl (ORCPT + 99 others); Tue, 7 Jun 2022 04:18:41 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:42790 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S238110AbiFGISj (ORCPT ); Tue, 7 Jun 2022 04:18:39 -0400 Received: from ams.source.kernel.org (ams.source.kernel.org [IPv6:2604:1380:4601:e00::1]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 7C1682DAB2 for ; Tue, 7 Jun 2022 01:18:33 -0700 (PDT) Received: from smtp.kernel.org (relay.kernel.org [52.25.139.140]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ams.source.kernel.org (Postfix) with ESMTPS id DB1D4B81DCE for ; Tue, 7 Jun 2022 08:18:31 +0000 (UTC) Received: by smtp.kernel.org (Postfix) with ESMTPSA id 395B1C3411C; Tue, 7 Jun 2022 08:18:30 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1654589910; bh=SQc9ZQvKbAS8SE0fRcfUgLsQN2D9074hUVTtRfwimCA=; h=In-Reply-To:References:Cc:From:To:Subject:Date:From; b=GVkWsBrHyquVZ0iNXb9LPjIm5HnA62QtToF7pqgKmSjHqfbcadDwoAFgUwqUZMVhR 8dwuYd6ssmb33pXa6RjpBdY9mjALO9B2BPPMgJ6RsvFIh3+BQlfPEFcJ+6K1Lhonfa 9aP/JAZm1fFNAT7ViS+BWxvu+qWUG03WX904YC+zjlz7Bj1kfddpmveKLoV7KBsw07 jS2jWIOKD2Zv1jZ9kXzBeC8BgGohV7uCa/L1cQRQfUVz5CmVG/R9ygFzXLRyyGGlo/ SDPRtp50Az3Q3fhAxrdfYpSK8rYoS+YBq6qBbQZh72iFZ10U7/hkMNjil7jcXbcPm4 yxEB5blDQEzbw== Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: quoted-printable In-Reply-To: <20220607013844.213446-1-jmaxwell37@gmail.com> References: <20220607013844.213446-1-jmaxwell37@gmail.com> Cc: davem@davemloft.net, cjebpub@gmail.com, jmaxwell37@gmail.com From: Antoine Tenart To: Jon Maxwell , linux-kernel@vger.kernel.org Subject: Re: [PATCH net-next] net: bpf: fix request_sock leak in filter.c Message-ID: <165458990767.3884.13816861537144030058@kwain> Date: Tue, 07 Jun 2022 10:18:27 +0200 X-Spam-Status: No, score=-8.3 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH, DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,DKIM_VALID_EF,RCVD_IN_DNSWL_HI, SPF_HELO_NONE,SPF_PASS,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no version=3.4.6 X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on lindbergh.monkeyblade.net Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org Hi Jon, This patch is targeted at the networking subsystem, as such (see the "NETWORKING [GENERAL]" section in MAINTAINERS), you should send it to netdev@vger.kernel.org and to the networking maintainers (David, Jakub, Paolo & Eric). This also fixes an issue and should be targeted at [net] instead of [net-next]. Because of this you'll also need a Fixes: tag. Quoting Jon Maxwell (2022-06-07 03:38:44) > A customer reported a request_socket leak in a Calico cloud environment. = We=20 > found that a BPF program was doing a socket lookup with takes a refcnt on= =20 > the socket and that it was finding the request_socket but returning the p= arent=20 > LISTEN socket via sk_to_full_sk() without decrementing the child request = socket=20 > 1st, resulting in request_sock slab object leak. This patch retains the=20 > existing behaviour of returning full socks to the caller but it also decr= ements > the child request_socket if one is present before doing so to prevent the= leak. >=20 > Thanks to Curtis Taylor for all the help in diagnosing and testing this. = And=20 > thanks to Antoine Tenart for the reproducer and patch input. >=20 > Signed-off-by: Jon Maxwell > Tested-by: Curtis Taylor > Co-developed-by: Antoine Tenart You need to put my SoB here when using the above tag. You'll also need to put your SoB at the end of all the above tags instead of the top. > @@ -6514,13 +6514,14 @@ __bpf_sk_lookup(struct sk_buff *skb, struct bpf_s= ock_tuple *tuple, u32 len, > { > struct sock *sk =3D __bpf_skc_lookup(skb, tuple, len, caller_net, > ifindex, proto, netns_id, flag= s); > + struct sock *sk1 =3D sk; > =20 > if (sk) { > sk =3D sk_to_full_sk(sk); > - if (!sk_fullsock(sk)) { > - sock_gen_put(sk); I'd suggest to add a comment here to explain why sock_gen_put is called on the original sk. > + if (!sk_fullsock(sk1))=20 > + sock_gen_put(sk1); > + if (!sk_fullsock(sk)) > return NULL; > - } > } > =20 > return sk; > @@ -6551,13 +6552,14 @@ bpf_sk_lookup(struct sk_buff *skb, struct bpf_soc= k_tuple *tuple, u32 len, > { > struct sock *sk =3D bpf_skc_lookup(skb, tuple, len, proto, netns_= id, > flags); > + struct sock *sk1 =3D sk; > =20 > if (sk) { > sk =3D sk_to_full_sk(sk); > - if (!sk_fullsock(sk)) { > - sock_gen_put(sk); Ditto. > + if (!sk_fullsock(sk1)) > + sock_gen_put(sk1); > + if (!sk_fullsock(sk)) > return NULL; > - } > } > =20 > return sk; Thanks! Antoine