On Fri, Jan 10, 2020 at 01:23:36PM +0000, Lorenz Bauer wrote:
> It's possible to leak time wait and request sockets via the following
> BPF pseudo code:
>
> sk = bpf_skc_lookup_tcp(...)
> if (sk)
>     bpf_sk_release(sk)
>
> If sk->sk_state is TCP_NEW_SYN_RECV or TCP_TIME_WAIT, the refcount taken
> by bpf_skc_lookup_tcp is not undone by bpf_sk_release. This is because
> sk_flags is re-used for other data in both kinds of sockets. The check
>
> !sock_flag(sk, SOCK_RCU_FREE)
>
> therefore returns a bogus result. Check that sk_flags is valid by calling
> sk_fullsock. Skip checking SOCK_RCU_FREE if we already know that sk is
> not a full socket.

Acked-by: Martin KaFai Lau <kafai@xxxxxx>
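Not part of this patch or of the kernel tree: an added userspace C model of the refcount accounting the commit message describes, with sk_fullsock, sock_flag, the TCP state numbers and the SOCK_RCU_FREE bit as constructed stand-ins for the kernel definitions. It shows the leak when release only tests SOCK_RCU_FREE on a time-wait or request socket, and the balanced count once sk_fullsock guards that test.

```c
#include <stdbool.h>
/* Constructed stand-ins for the kernel's TCP state numbers and flag bit. */
enum { TCP_ESTABLISHED = 1, TCP_TIME_WAIT = 6, TCP_NEW_SYN_RECV = 12, SOCK_RCU_FREE = 0 };
#define TCPF_TIME_WAIT    (1 << TCP_TIME_WAIT)
#define TCPF_NEW_SYN_RECV (1 << TCP_NEW_SYN_RECV)
struct sock {
    int sk_state;
    int sk_refcnt;
    union {                        /* one word, different meaning per socket kind */
        unsigned long sk_flags;    /* valid only on full sockets */
        unsigned long reused_data; /* what TW/request sockets keep here */
    } u;
};
static bool sk_fullsock(const struct sock *sk)
{
    return ((1 << sk->sk_state) & (TCPF_TIME_WAIT | TCPF_NEW_SYN_RECV)) == 0;
}
static bool sock_flag(const struct sock *sk, int flag)
{
    return (sk->u.sk_flags >> flag) & 1;
}

/* Lookup model: a reference is taken unless the socket is a full socket freed
 * via RCU (SOCK_RCU_FREE set); TW/request sockets are always refcounted. */
static struct sock *skc_lookup(struct sock *sk)
{
    if (!sk_fullsock(sk) || !sock_flag(sk, SOCK_RCU_FREE))
        sk->sk_refcnt++;
    return sk;
}

/* Before the fix only the SOCK_RCU_FREE test ran, so sock_flag() read reused_data
 * on TW/request sockets; the fix asks sk_fullsock() first, as the patch describes. */
static void sk_release(struct sock *sk, bool fixed)
{
    bool refcounted = fixed ? (!sk_fullsock(sk) || !sock_flag(sk, SOCK_RCU_FREE))
                            : !sock_flag(sk, SOCK_RCU_FREE);
    if (refcounted)
        sk->sk_refcnt--;
}

/* Refcount left after one lookup/release pair: 0 is balanced, 1 is a leak. */
int leaked_refs(int state, unsigned long word, bool fixed)
{
    struct sock s = { .sk_state = state, .sk_refcnt = 0, .u = { .sk_flags = word } };
    struct sock *sk = skc_lookup(&s);
    if (sk)
        sk_release(sk, fixed);
    return s.sk_refcnt;
}
```

The `word` argument is whatever the reused storage happens to hold; any value with the SOCK_RCU_FREE bit set makes the unguarded check skip the put on a non-full socket.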