From: Jon Maxwell <jmaxwell37@gmail.com>
To: linux-kernel@vger.kernel.org
Cc: davem@davemloft.net, atenart@kernel.org, cjebpub@gmail.com,
jmaxwell37@gmail.com
Subject: [PATCH net-next] net: bpf: fix request_sock leak in filter.c
Date: Tue, 7 Jun 2022 11:38:44 +1000 [thread overview]
Message-ID: <20220607013844.213446-1-jmaxwell37@gmail.com> (raw)
A customer reported a request_socket leak in a Calico cloud environment. We
found that a BPF program was doing a socket lookup with takes a refcnt on
the socket and that it was finding the request_socket but returning the parent
LISTEN socket via sk_to_full_sk() without decrementing the child request socket
1st, resulting in request_sock slab object leak. This patch retains the
existing behaviour of returning full socks to the caller but it also decrements
the child request_socket if one is present before doing so to prevent the leak.
Thanks to Curtis Taylor for all the help in diagnosing and testing this. And
thanks to Antoine Tenart for the reproducer and patch input.
Signed-off-by: Jon Maxwell <jmaxwell37@gmail.com>
Tested-by: Curtis Taylor <cjebpub@gmail.com>
Co-developed-by: Antoine Tenart <atenart@kernel.org>
---
net/core/filter.c | 14 ++++++++------
1 file changed, 8 insertions(+), 6 deletions(-)
diff --git a/net/core/filter.c b/net/core/filter.c
index 5af58eb48587..f7d74acfef5a 100644
--- a/net/core/filter.c
+++ b/net/core/filter.c
@@ -6514,13 +6514,14 @@ __bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
{
struct sock *sk = __bpf_skc_lookup(skb, tuple, len, caller_net,
ifindex, proto, netns_id, flags);
+ struct sock *sk1 = sk;
if (sk) {
sk = sk_to_full_sk(sk);
- if (!sk_fullsock(sk)) {
- sock_gen_put(sk);
+ if (!sk_fullsock(sk1))
+ sock_gen_put(sk1);
+ if (!sk_fullsock(sk))
return NULL;
- }
}
return sk;
@@ -6551,13 +6552,14 @@ bpf_sk_lookup(struct sk_buff *skb, struct bpf_sock_tuple *tuple, u32 len,
{
struct sock *sk = bpf_skc_lookup(skb, tuple, len, proto, netns_id,
flags);
+ struct sock *sk1 = sk;
if (sk) {
sk = sk_to_full_sk(sk);
- if (!sk_fullsock(sk)) {
- sock_gen_put(sk);
+ if (!sk_fullsock(sk1))
+ sock_gen_put(sk1);
+ if (!sk_fullsock(sk))
return NULL;
- }
}
return sk;
--
2.31.1
next reply other threads:[~2022-06-07 1:40 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-06-07 1:38 Jon Maxwell [this message]
2022-06-07 8:18 ` [PATCH net-next] net: bpf: fix request_sock leak in filter.c Antoine Tenart
2022-06-07 22:38 ` Jonathan Maxwell
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220607013844.213446-1-jmaxwell37@gmail.com \
--to=jmaxwell37@gmail.com \
--cc=atenart@kernel.org \
--cc=cjebpub@gmail.com \
--cc=davem@davemloft.net \
--cc=linux-kernel@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.