From patchwork Fri Sep 8 19:44:47 2017
X-Patchwork-Submitter: Eric Dumazet
X-Patchwork-Id: 811814
X-Patchwork-Delegate: davem@davemloft.net
Message-ID: <1504899887.15310.95.camel@edumazet-glaptop3.roam.corp.google.com>
Subject: [PATCH net] tcp: fix a request socket leak
From: Eric Dumazet
To: David Miller
Cc: netdev
Date: Fri, 08 Sep 2017 12:44:47 -0700
X-Mailing-List: netdev@vger.kernel.org

From: Eric Dumazet

While the cited commit fixed a possible deadlock, it added a leak
of the request socket, since reqsk_put() must be called if the BPF
filter decided the ACK packet must be dropped.

Fixes: d624d276d1dd ("tcp: fix possible deadlock in TCP stack vs BPF filter")
Signed-off-by: Eric Dumazet
Acked-by: Alexei Starovoitov
---
David, this is a stable candidate (linux-4.13 has this bug)

 net/ipv4/tcp_ipv4.c | 6 +++---
 net/ipv6/tcp_ipv6.c | 6 +++---
 2 files changed, 6 insertions(+), 6 deletions(-)
diff --git a/net/ipv4/tcp_ipv4.c b/net/ipv4/tcp_ipv4.c index a63486afa7a7e7b4dce88b65bc27cfa872a3ba2f..d9416b5162bc1bdd1acd34fcb4da21cb6b62d0ae 100644 --- a/net/ipv4/tcp_ipv4.c +++ b/net/ipv4/tcp_ipv4.c @@ -1669,9 +1669,9 @@ int tcp_v4_rcv(struct sk_buff *skb) */ sock_hold(sk); refcounted = true; - if (tcp_filter(sk, skb)) - goto discard_and_relse; - nsk = tcp_check_req(sk, skb, req, false); + nsk = NULL; + if (!tcp_filter(sk, skb)) + nsk = tcp_check_req(sk, skb, req, false); if (!nsk) { reqsk_put(req); goto discard_and_relse; diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c index 38f76d8b231e3e5923ad72d05b8d320b6aeb850f..64d94afa427f81fd7a505b1cfd1c0be66c273810 100644 --- a/net/ipv6/tcp_ipv6.c +++ b/net/ipv6/tcp_ipv6.c @@ -1460,9 +1460,9 @@ static int tcp_v6_rcv(struct sk_buff *skb) } sock_hold(sk); refcounted = true; - if (tcp_filter(sk, skb)) - goto discard_and_relse; - nsk = tcp_check_req(sk, skb, req, false); + nsk = NULL; + if (!tcp_filter(sk, skb)) + nsk = tcp_check_req(sk, skb, req, false); if (!nsk) { reqsk_put(req); goto discard_and_relse;
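
Review bot: In the tcp_v4_rcv() hunk, the new `nsk = NULL;` ahead of `if (!tcp_filter(sk, skb))` depends on the unchanged `if (!nsk)` block below it to run reqsk_put(req) for the filter-drop case, and nothing in the code states that dependency. A one-line comment above the assignment, saying that a packet dropped by the filter must still release req, would keep a later cleanup from restoring the early `goto discard_and_relse` and bringing the leak back.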
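
Review bot: The three added lines in the tcp_v6_rcv() hunk are a verbatim copy of the ones added to tcp_v4_rcv(), so the pairing of tcp_filter(), tcp_check_req() and reqsk_put(req) now has to be kept in sync by hand in two files. Consider a small shared helper that returns NULL when tcp_filter() drops the skb and otherwise returns the tcp_check_req() result, so both receive paths reach the single `if (!nsk)` release through the same code.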