leandrof/linux
1
0
Fork 0
forked from Minki/linux
Code Issues Pull Requests Packages Projects Releases Wiki Activity
2207d182c1
linux/net/ipv4
History
Sabrina Dubroca ebfa00c574 tcp: fix refcnt leak with ebpf congestion control 
There are a few bugs around refcnt handling in the new BPF congestion
control setsockopt:

 - The new ca is assigned to icsk->icsk_ca_ops even in the case where we
   cannot get a reference on it. This would lead to a use after free,
   since that ca is going away soon.

 - Changing the congestion control case doesn't release the refcnt on
   the previous ca.

 - In the reinit case, we first leak a reference on the old ca, then we
   call tcp_reinit_congestion_control on the ca that we have just
   assigned, leading to deinitializing the wrong ca (->release of the
   new ca on the old ca's data) and releasing the refcount on the ca
   that we actually want to use.

This is visible by building (for example) BIC as a module and setting
net.ipv4.tcp_congestion_control=bic, and using tcp_cong_kern.c from
samples/bpf.

This patch fixes the refcount issues, and moves reinit back into tcp
core to avoid passing a ca pointer back to BPF.

Fixes: 91b5b21c7c ("bpf: Add support for changing congestion control")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Lawrence Brakmo <brakmo@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
2017-08-25 17:16:27 -07:00
..
netfilter netfilter: x_tables: Fix use-after-free in ipt_do_table. 2017-07-31 20:24:09 +02:00
af_inet.c igmp: Fix regression caused by igmp sysctl namespace code. 2017-08-09 22:46:44 -07:00
ah4.c Merge branch 'master' of git://git.kernel.org/pub/scm/linux/kernel/git/klassert/ipsec-next 2017-06-23 14:17:31 -04:00
arp.c networking: make skb_put & friends return void pointers 2017-06-16 11:48:39 -04:00
cipso_ipv4.c Cipso: cipso_v4_optptr enter infinite loop 2017-08-01 15:31:23 -07:00
datagram.c
devinet.c net: convert in_device.refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
esp4_offload.c esp: Fix error handling on layer 2 xmit. 2017-08-07 08:31:07 +02:00
esp4.c esp: Fix memleaks on error paths. 2017-07-13 09:26:24 +02:00
fib_frontend.c ipv4: initialize fib_trie prior to register_netdev_notifier call. 2017-07-20 15:24:45 -07:00
fib_lookup.h net: add extack arg to lwtunnel build state 2017-05-30 11:55:32 -04:00
fib_notifier.c
fib_rules.c
fib_semantics.c ipv4: fix NULL dereference in free_fib_info_rcu() 2017-08-15 17:07:52 -07:00
fib_trie.c net, ipv4: convert fib_info.fib_clntref from atomic_t to refcount_t 2017-07-04 01:29:04 -07:00
fou.c gue: fix remcsum when GRO on and CHECKSUM_PARTIAL boundary is outer UDP 2017-08-01 16:09:14 -07:00
gre_demux.c
gre_offload.c
icmp.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/davem/net 2017-06-15 11:59:32 -04:00
igmp.c net: igmp: Use ingress interface rather than vrf device 2017-08-16 11:08:55 -07:00
inet_connection_sock.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
inet_diag.c
inet_fragment.c net: convert inet_frag_queue.refcnt from atomic_t to refcount_t 2017-07-01 07:39:09 -07:00
inet_hashtables.c net: make sk_ehashfn() static 2017-07-03 03:29:14 -07:00
inet_timewait_sock.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
inetpeer.c net: convert inet_peer.refcnt from atomic_t to refcount_t 2017-07-01 07:39:07 -07:00
ip_forward.c
ip_fragment.c net: convert inet_frag_queue.refcnt from atomic_t to refcount_t 2017-07-01 07:39:09 -07:00
ip_gre.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ip_input.c
ip_options.c
ip_output.c udp: consistently apply ufo or fragmentation 2017-08-10 09:52:12 -07:00
ip_sockglue.c do_ip_setsockopt(): don't open-code memdup_user() 2017-06-30 02:04:09 -04:00
ip_tunnel_core.c net: store port/representator id in metadata_dst 2017-06-25 11:42:01 -04:00
ip_tunnel.c ip_tunnel: fix potential issue in ip_tunnel_rcv 2017-06-16 12:01:29 -04:00
ip_vti.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ipcomp.c
ipconfig.c networking: convert many more places to skb_put_zero() 2017-06-16 11:48:35 -04:00
ipip.c net: add netlink_ext_ack argument to rtnl_link_ops.validate 2017-06-26 23:13:22 -04:00
ipmr.c net: ipmr: ipmr_get_table() returns NULL 2017-07-12 08:18:46 -07:00
Kconfig
Makefile tcp: ULP infrastructure 2017-06-15 12:12:40 -04:00
netfilter.c
ping.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
proc.c tcp: add TCPMemoryPressuresChrono counter 2017-06-08 11:26:19 -04:00
protocol.c
raw_diag.c
raw.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
route.c net: check and errout if res->fi is NULL when RTM_F_FIB_MATCH is set 2017-08-18 16:05:46 -07:00
syncookies.c ipv4: ipv6: initialize treq->txhash in cookie_v[46]_check() 2017-07-18 11:22:51 -07:00
sysctl_net_ipv4.c tcp: ULP infrastructure 2017-06-15 12:12:40 -04:00
tcp_bbr.c tcp_bbr: init pacing rate on first RTT sample 2017-07-15 14:43:29 -07:00
tcp_bic.c tcp: bic, cubic: use tcp_jiffies32 instead of tcp_time_stamp 2017-05-17 16:06:01 -04:00
tcp_cdg.c
tcp_cong.c tcp: fix refcnt leak with ebpf congestion control 2017-08-25 17:16:27 -07:00
tcp_cubic.c tcp: bic, cubic: use tcp_jiffies32 instead of tcp_time_stamp 2017-05-17 16:06:01 -04:00
tcp_dctcp.c
tcp_diag.c
tcp_fastopen.c bpf: Add TCP connection BPF callbacks 2017-07-01 16:15:14 -07:00
tcp_highspeed.c
tcp_htcp.c tcp: replace misc tcp_time_stamp to tcp_jiffies32 2017-05-17 16:06:01 -04:00
tcp_hybla.c
tcp_illinois.c
tcp_input.c tcp: when rearming RTO, if RTO time is in past then fire RTO ASAP 2017-08-18 16:07:43 -07:00
tcp_ipv4.c tcp: fix possible deadlock in TCP stack vs BPF filter 2017-08-14 22:31:27 -07:00
tcp_lp.c tcp: switch TCP TS option (RFC 7323) to 1ms clock 2017-05-17 16:06:01 -04:00
tcp_metrics.c tcp: use tcp_jiffies32 to feed tp->snd_cwnd_stamp 2017-05-17 16:06:01 -04:00
tcp_minisocks.c bpf: Support for setting initial receive window 2017-07-01 16:15:13 -07:00
tcp_nv.c tcpnv: do not export local function 2017-05-21 13:42:36 -04:00
tcp_offload.c net: convert sock.sk_wmem_alloc from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
tcp_output.c tcp: fastopen: tcp_connect() must refresh the route 2017-08-08 20:39:52 -07:00
tcp_probe.c
tcp_rate.c tcp: export do_tcp_sendpages and tcp_rate_check_app_limited functions 2017-06-15 12:12:40 -04:00
tcp_recovery.c tcp: switch TCP TS option (RFC 7323) to 1ms clock 2017-05-17 16:06:01 -04:00
tcp_scalable.c
tcp_timer.c net: fix keepalive code vs TCP_FASTOPEN_CONNECT 2017-08-03 09:34:51 -07:00
tcp_ulp.c tcp: ulp: avoid module refcnt leak in tcp_set_ulp 2017-08-14 22:17:05 -07:00
tcp_vegas.c
tcp_vegas.h
tcp_veno.c
tcp_westwood.c tcp_westwood: use tcp_jiffies32 instead of tcp_time_stamp 2017-05-17 16:06:01 -04:00
tcp_yeah.c
tcp.c tcp: fix refcnt leak with ebpf congestion control 2017-08-25 17:16:27 -07:00
tunnel4.c
udp_diag.c net: convert sock.sk_refcnt from atomic_t to refcount_t 2017-07-01 07:39:08 -07:00
udp_impl.h udp: make *udp*_queue_rcv_skb() functions static 2017-05-18 10:23:33 -04:00
udp_offload.c net: avoid skb_warn_bad_offload false positives on UFO 2017-08-08 21:39:01 -07:00
udp_tunnel.c
udp.c datagram: When peeking datagrams with offset < 0 don't skip empty skbs 2017-08-18 15:12:54 -07:00
udplite.c
xfrm4_input.c
xfrm4_mode_beet.c networking: make skb_pull & friends return void pointers 2017-06-16 11:48:39 -04:00
xfrm4_mode_transport.c xfrm: Add encapsulation header offsets while SKB is not encrypted 2017-04-14 10:07:39 +02:00
xfrm4_mode_tunnel.c xfrm: Add encapsulation header offsets while SKB is not encrypted 2017-04-14 10:07:39 +02:00
xfrm4_output.c
xfrm4_policy.c
xfrm4_protocol.c
xfrm4_state.c
xfrm4_tunnel.c