lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  PHC 
Open Source and information security mailing list archives
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date:   Mon, 27 Apr 2020 23:21:30 +0200
From:   Daniel Borkmann <>
To:     Xiyu Yang <>,
        John Fastabend <>,
        Jakub Sitnicki <>,
        Lorenz Bauer <>,
        Eric Dumazet <>,
        "David S. Miller" <>,
        Alexey Kuznetsov <>,
        Hideaki YOSHIFUJI <>,
        Jakub Kicinski <>,
        Alexei Starovoitov <>,
        Martin KaFai Lau <>,
        Song Liu <>, Yonghong Song <>,
        Andrii Nakryiko <>,
        KP Singh <>,
        Lingpeng Chen <>,,,
        Xin Tan <>
Subject: Re: [PATCH v2] bpf: Fix sk_psock refcnt leak when receiving message

On 4/26/20 5:35 AM, Xiyu Yang wrote:
> tcp_bpf_recvmsg() invokes sk_psock_get(), which returns a reference of
> the specified sk_psock object to "psock" with increased refcnt.
> When tcp_bpf_recvmsg() returns, local variable "psock" becomes invalid,
> so the refcount should be decreased to keep refcount balanced.
> The reference counting issue happens in several exception handling paths
> of tcp_bpf_recvmsg(). When those error scenarios occur such as "flags"
> includes MSG_ERRQUEUE, the function forgets to decrease the refcnt
> increased by sk_psock_get(), causing a refcnt leak.
> Fix this issue by calling sk_psock_put() or pulling up the error queue
> read handling when those error scenarios occur.
> Fixes: e7a5f1f1cd000 ("bpf/sockmap: Read psock ingress_msg before sk_receive_queue")
> Signed-off-by: Xiyu Yang <>
> Signed-off-by: Xin Tan <>

Applied, thanks!

Powered by blists - more mailing lists