git.baikalelectronics.ru Git - kernel.git/commit

author	Sabrina Dubroca <sd@queasysnail.net>
	Fri, 25 Aug 2017 11:10:12 +0000 (13:10 +0200)
committer	David S. Miller <davem@davemloft.net>
	Sat, 26 Aug 2017 00:16:27 +0000 (17:16 -0700)
commit	f55742c92838264ced808e81313385b1f47d9eda
tree	70f899bdadb25a073dc98f97bac41e60a149077a	tree \| snapshot
parent	c8d56e7261287b4a8d7cd7acb61719c40cd33425	commit \| diff

tcp: fix refcnt leak with ebpf congestion control

There are a few bugs around refcnt handling in the new BPF congestion
control setsockopt:

- The new ca is assigned to icsk->icsk_ca_ops even in the case where we
   cannot get a reference on it. This would lead to a use after free,
   since that ca is going away soon.

- Changing the congestion control case doesn't release the refcnt on
   the previous ca.

- In the reinit case, we first leak a reference on the old ca, then we
   call tcp_reinit_congestion_control on the ca that we have just
   assigned, leading to deinitializing the wrong ca (->release of the
   new ca on the old ca's data) and releasing the refcount on the ca
   that we actually want to use.

This is visible by building (for example) BIC as a module and setting
net.ipv4.tcp_congestion_control=bic, and using tcp_cong_kern.c from
samples/bpf.

This patch fixes the refcount issues, and moves reinit back into tcp
core to avoid passing a ca pointer back to BPF.

Fixes: a4161d089e0a ("bpf: Add support for changing congestion control")
Signed-off-by: Sabrina Dubroca <sd@queasysnail.net>
Acked-by: Lawrence Brakmo <brakmo@fb.com>
Signed-off-by: David S. Miller <davem@davemloft.net>

include/net/tcp.h		diff \| blob \| history
net/core/filter.c		diff \| blob \| history
net/ipv4/tcp.c		diff \| blob \| history
net/ipv4/tcp_cong.c		diff \| blob \| history