lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening PHC | |
Open Source and information security mailing list archives
| ||
|
Date: Wed, 20 May 2020 17:56:46 -0700 From: Alexei Starovoitov <alexei.starovoitov@...il.com> To: sdf@...gle.com Cc: Jakub Sitnicki <jakub@...udflare.com>, bpf@...r.kernel.org, netdev@...r.kernel.org, kernel-team@...udflare.com, Petar Penkov <ppenkov@...gle.com> Subject: Re: [PATCH bpf] flow_dissector: Drop BPF flow dissector prog ref on netns cleanup On Wed, May 20, 2020 at 10:40:00AM -0700, sdf@...gle.com wrote: > On 05/20, Jakub Sitnicki wrote: > > When attaching a flow dissector program to a network namespace with > > bpf(BPF_PROG_ATTACH, ...) we grab a reference to bpf_prog. > > > If netns gets destroyed while a flow dissector is still attached, and > > there > > are no other references to the prog, we leak the reference and the program > > remains loaded. > > > Leak can be reproduced by running flow dissector tests from selftests/bpf: > > > # bpftool prog list > > # ./test_flow_dissector.sh > > ... > > selftests: test_flow_dissector [PASS] > > # bpftool prog list > > 4: flow_dissector name _dissect tag e314084d332a5338 gpl > > loaded_at 2020-05-20T18:50:53+0200 uid 0 > > xlated 552B jited 355B memlock 4096B map_ids 3,4 > > btf_id 4 > > # > > > Fix it by detaching the flow dissector program when netns is going away. > > > Fixes: d58e468b1112 ("flow_dissector: implements flow dissector BPF hook") > > Signed-off-by: Jakub Sitnicki <jakub@...udflare.com> > > --- > > > Discovered while working on bpf_link support for netns-attached progs. > > Looks like bpf tree material so pushing it out separately. > Oh, good catch! Good catch indeed! > > > -jkbs > > > net/core/flow_dissector.c | 29 ++++++++++++++++++++++++++++- > > 1 file changed, 28 insertions(+), 1 deletion(-) > > > diff --git a/net/core/flow_dissector.c b/net/core/flow_dissector.c > > index 3eff84824c8b..b6179cd20158 100644 > > --- a/net/core/flow_dissector.c > > +++ b/net/core/flow_dissector.c > > @@ -179,6 +179,27 @@ int skb_flow_dissector_bpf_prog_detach(const union > > bpf_attr *attr) > > return 0; > > } > > > +static void __net_exit flow_dissector_pernet_pre_exit(struct net *net) > > +{ > > + struct bpf_prog *attached; > > + > > + /* We don't lock the update-side because there are no > > + * references left to this netns when we get called. Hence > > + * there can be no attach/detach in progress. > > + */ > > + rcu_read_lock(); > > + attached = rcu_dereference(net->flow_dissector_prog); > > + if (attached) { > > + RCU_INIT_POINTER(net->flow_dissector_prog, NULL); > > + bpf_prog_put(attached); > > + } > > + rcu_read_unlock(); > > +} > I wonder, should we instead refactor existing > skb_flow_dissector_bpf_prog_detach to accept netns (instead of attr) > can call that here? Instead of reimplementing it (I don't think we > care about mutex lock/unlock efficiency here?). Thoughts? Agree. Would be good to share that bit of code.
Powered by blists - more mailing lists