On Fri, Jun 26, 2026 at 1:37 PM Michal Luczaj <[email protected]> wrote:
>
> UDP sockets get SOCK_RCU_FREE set when (auto-)bound. This means
> sk_is_refcounted(unbound) = true, while sk_is_refcounted(bound) = false.
>
> Because sockmap accepts unbound UDP sockets, a BPF program can increment a
> socket's refcount via lookup. If the socket is subsequently bound, the
> transition from unbound to bound causes bpf_sk_release() to skip the
> decrement of the refcount, causing a memory leak.
>
> unreferenced object 0xffff88810bc2eb40 (size 1984):
>   comm "test_progs", pid 2451, jiffies 4295320596
>   hex dump (first 32 bytes):
>     7f 00 00 01 7f 00 00 01 d2 04 1b b7 04 d2 00 00  ................
>     02 00 01 40 00 00 00 00 00 00 00 00 00 00 00 00  ...@............
>   backtrace (crc bdee079d):
>     kmem_cache_alloc_noprof+0x557/0x660
>     sk_prot_alloc+0x69/0x240
>     sk_alloc+0x30/0x460
>     inet_create+0x2ce/0xf80
>     __sock_create+0x25b/0x5c0
>     __sys_socket+0x119/0x1d0
>     __x64_sys_socket+0x72/0xd0
>     do_syscall_64+0xa1/0x5f0
>     entry_SYSCALL_64_after_hwframe+0x76/0x7e
>
> Instead of special-casing for refcounted sockets, reject unhashed UDP
> sockets during sockmap updates, as there is no benefit to supporting those.
> This effectively reverts the commit under Fixes, with two exceptions:
>
> 1. sock_map_sk_state_allowed() maintains a fall-through `return true`.
> 2. In the spirit of commit b8b8315e39ff ("bpf, sockmap: Remove unhash
>    handler for BPF sockmap usage"), the proto::unhash BPF handler is not
>    reintroduced.
>
> Historical note: this issue is related to commit 67312adc96b5 ("bpf: reject
> unhashed sockets in bpf_sk_assign").
>
> Fixes: 0c48eefae712 ("sock_map: Lift socket state restriction for datagram
> sockets")
> Suggested-by: Kuniyuki Iwashima <[email protected]>
> Signed-off-by: Michal Luczaj <[email protected]>

Looks good, thanks!

Reviewed-by: Kuniyuki Iwashima <[email protected]>
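
Added example, not part of the thread or of the kernel patch: a userspace C model of the refcount asymmetry the quoted commit message describes, run once with unhashed sockets accepted by the map and once with them rejected. The `model_*` types and helpers and `leaked_refs()` are hypothetical names that only mirror the roles of the kernel symbols named in the message.

```c
#include <stdbool.h>
#include <stdio.h>

/* Userspace model only: these types and helpers are hypothetical and merely
 * mirror the roles of the kernel names used in the commit message. */
struct model_sock {
    int  refcnt;    /* stands in for the socket refcount */
    bool rcu_free;  /* stands in for SOCK_RCU_FREE */
    bool hashed;    /* true once the UDP socket is (auto-)bound */
};

static bool model_is_refcounted(const struct model_sock *sk) { return !sk->rcu_free; }

/* Binding a UDP socket hashes it and sets SOCK_RCU_FREE. */
static void model_bind(struct model_sock *sk) { sk->hashed = true; sk->rcu_free = true; }

/* Sockmap update: with reject_unhashed set, unbound sockets are refused. */
static bool model_map_update(const struct model_sock *sk, bool reject_unhashed)
{
    return !(reject_unhashed && !sk->hashed);
}

/* Lookup takes a reference only if the socket is refcounted at that moment. */
static void model_lookup(struct model_sock *sk) { if (model_is_refcounted(sk)) sk->refcnt++; }

/* Release drops a reference only if the socket is refcounted at that moment. */
static void model_release(struct model_sock *sk) { if (model_is_refcounted(sk)) sk->refcnt--; }

/* Returns references left over after: update, lookup, bind, release. */
static int leaked_refs(bool reject_unhashed)
{
    struct model_sock sk = { .refcnt = 1, .rcu_free = false, .hashed = false };
    int before = sk.refcnt;

    if (!model_map_update(&sk, reject_unhashed))
        return 0;            /* never entered the map, so no lookup can happen */
    model_lookup(&sk);       /* unbound: refcounted, refcnt 1 -> 2 */
    model_bind(&sk);         /* state flips between lookup and release */
    model_release(&sk);      /* bound: not refcounted, decrement skipped */
    return sk.refcnt - before;
}

int main(void)
{
    printf("unhashed accepted: %d leaked\n", leaked_refs(false));
    printf("unhashed rejected: %d leaked\n", leaked_refs(true));
    return 0;
}
```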

