On 04/24, Jann Horn wrote:
> On Wed, Apr 24, 2019 at 6:09 PM Stanislav Fomichev <sdf@xxxxxxxxxx> wrote:
> > target_fd is target namespace. If there is a flow dissector BPF program
> > attached to that namespace, its (single) id is returned.
> >
> > v2:
> > * don't sleep in rcu critical section (Jakub Kicinski)
> > * check input prog_cnt (exit early)
> >
> > Signed-off-by: Stanislav Fomichev <sdf@xxxxxxxxxx>
> [...]
> > +int skb_flow_dissector_prog_query(const union bpf_attr *attr,
> > + union bpf_attr __user *uattr)
> > +{
> [...]
> > + net = get_net_ns_by_fd(attr->query.target_fd);
> > + if (IS_ERR(net))
> > + return PTR_ERR(net);
>
> At this point, you're holding a refcounted reference to `net`. It
> looks like that reference is never dropped?

Ah, indeed, put_net is missing, thanks!

> > +
> > + rcu_read_lock();
> > + attached = rcu_dereference(net->flow_dissector_prog);
> > + if (attached) {
> > + prog_cnt = 1;
> > + prog_id = attached->aux->id;
> > + }
> > + rcu_read_unlock();
> > +
> > + if (copy_to_user(&uattr->query.attach_flags, &flags, sizeof(flags)))
> > + return -EFAULT;
> [...]
> > +}
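
Review bot: the reference taken by get_net_ns_by_fd() in skb_flow_dissector_prog_query() is still held at the `return -EFAULT` after copy_to_user(), so a put_net() added only at the end of the function would still leak the namespace reference on that error path. In the lines shown, `net` is not used again after rcu_read_unlock(), so calling put_net(net) immediately after rcu_read_unlock() would cover that return and any later one with a single call and no extra cleanup label. This works because prog_cnt and prog_id are copied into locals inside the RCU section, so nothing after it needs `net` or `attached`.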