On Fri, Jan 10, 2020 at 8:43 AM Martin Lau <kafai@xxxxxx> wrote:
>
> On Fri, Jan 10, 2020 at 01:23:36PM +0000, Lorenz Bauer wrote:
> > It's possible to leak time wait and request sockets via the following
> > BPF pseudo code:
> >
> >     sk = bpf_skc_lookup_tcp(...)
> >     if (sk)
> >         bpf_sk_release(sk)
> >
> > If sk->sk_state is TCP_NEW_SYN_RECV or TCP_TIME_WAIT the refcount taken
> > by bpf_skc_lookup_tcp is not undone by bpf_sk_release. This is because
> > sk_flags is re-used for other data in both kinds of sockets. The check
> >
> >     !sock_flag(sk, SOCK_RCU_FREE)
> >
> > therefore returns a bogus result. Check that sk_flags is valid by calling
> > sk_fullsock. Skip checking SOCK_RCU_FREE if we already know that sk is
> > not a full socket.
>
> Acked-by: Martin KaFai Lau <kafai@xxxxxx>

Applied. Thanks
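The mechanism Lorenz describes, as an added C model that is not kernel code and not part of this thread: a miniature struct sock whose flags word is overlaid with unrelated data in time-wait and request sockets, a lookup that takes a reference the way bpf_skc_lookup_tcp does, and the release check before and after the fix. The struct, the flag bit, lookup_model and leaked_refs are stand-ins invented for the example; only the names quoted in the message are real.

```c
/* Added model of the bpf_sk_release() refcount leak, not kernel code:
 * struct, flag bit and helpers are simplified stand-ins. */
#include <stdbool.h>
enum { TCP_ESTABLISHED = 1, TCP_TIME_WAIT = 6, TCP_NEW_SYN_RECV = 12 };
#define SOCK_RCU_FREE_BIT (1UL << 4)   /* stand-in for SOCK_RCU_FREE */
struct sock {
    int state;
    int refcnt;
    unsigned long flags_word;  /* sk_flags in a full socket; unrelated data in TW/request sockets */
};

/* Same rule as the kernel's sk_fullsock(): TW and request sockets are not full. */
static bool sk_fullsock(const struct sock *sk)
{
    return sk->state != TCP_TIME_WAIT && sk->state != TCP_NEW_SYN_RECV;
}

static bool sock_flag_rcu_free(const struct sock *sk) { return (sk->flags_word & SOCK_RCU_FREE_BIT) != 0; }

/* Model of bpf_skc_lookup_tcp(): RCU-freed full sockets come back without a reference. */
static void lookup_model(struct sock *sk)
{
    if (!(sk_fullsock(sk) && sock_flag_rcu_free(sk)))
        sk->refcnt++;
}
static void sock_gen_put(struct sock *sk) { sk->refcnt--; }

/* Before the fix: reads the flags word even when it is not sk_flags. */
void bpf_sk_release_buggy(struct sock *sk)
{
    if (!sock_flag_rcu_free(sk))
        sock_gen_put(sk);
}

/* After the fix: only consult SOCK_RCU_FREE on a full socket. */
void bpf_sk_release_fixed(struct sock *sk)
{
    if (!sk_fullsock(sk) || !sock_flag_rcu_free(sk))
        sock_gen_put(sk);
}

/* Lookup then release; returns references left over (0 means no leak). */
int leaked_refs(int state, unsigned long flags_word, void (*release)(struct sock *))
{
    struct sock sk = { .state = state, .refcnt = 0, .flags_word = flags_word };
    lookup_model(&sk);
    release(&sk);
    return sk.refcnt;
}
```

Whether the buggy version leaks depends on whatever happens to sit in the overlaid word, which is why the refcount only sometimes goes missing.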