On Wed, Apr 24, 2019 at 6:09 PM Stanislav Fomichev <sdf@xxxxxxxxxx> wrote: > target_fd is target namespace. If there is a flow dissector BPF program > attached to that namespace, its (single) id is returned. > > v2: > * don't sleep in rcu critical section (Jakub Kicinski) > * check input prog_cnt (exit early) > > Signed-off-by: Stanislav Fomichev <sdf@xxxxxxxxxx> [...] > +int skb_flow_dissector_prog_query(const union bpf_attr *attr, > + union bpf_attr __user *uattr) > +{ [...] > + net = get_net_ns_by_fd(attr->query.target_fd); > + if (IS_ERR(net)) > + return PTR_ERR(net); At this point, you're holding a refcounted reference to `net`. It looks like that reference is never dropped? > + > + rcu_read_lock(); > + attached = rcu_dereference(net->flow_dissector_prog); > + if (attached) { > + prog_cnt = 1; > + prog_id = attached->aux->id; > + } > + rcu_read_unlock(); > + > + if (copy_to_user(&uattr->query.attach_flags, &flags, sizeof(flags))) > + return -EFAULT; [...] > +}
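Review bot: the reference taken by get_net_ns_by_fd() has no matching put_net() in the visible lines, so the `return -EFAULT` after copy_to_user() and every later return leak one netns reference per call. That keeps the namespace from being freed, and the leak can be repeated from userspace through the query command. In the lines shown, net is only dereferenced inside the rcu_read_lock()/rcu_read_unlock() section, so a single put_net(net) placed right after rcu_read_unlock(), before the first copy_to_user(), would cover all of the subsequent return paths.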