From: Pavel Skripkin <paskripkin@gmail.com>
To: Cong Wang <xiyou.wangcong@gmail.com>, David Miller <davem@davemloft.net>
Cc: Jakub Kicinski <kuba@kernel.org>,
Tom Herbert <tom@herbertland.com>,
Linux Kernel Network Developers <netdev@vger.kernel.org>,
LKML <linux-kernel@vger.kernel.org>,
syzbot+b039f5699bd82e1fb011@syzkaller.appspotmail.com,
stable <stable@vger.kernel.org>
Subject: Re: [PATCH] net: kcm: fix memory leak in kcm_sendmsg
Date: Fri, 4 Jun 2021 14:38:50 +0300
Message-ID: <20210604143850.61c1845c@gmail.com>
In-Reply-To: <CAM_iQpU+1UUZhP9wHok4bajmRFeocr8d2mLZ8TtxqwyWuLgMAw@mail.gmail.com>
On Thu, 3 Jun 2021 15:32:03 -0700
Cong Wang <xiyou.wangcong@gmail.com> wrote:
> On Wed, Jun 2, 2021 at 12:29 PM Pavel Skripkin <paskripkin@gmail.com>
> wrote:
> >
> > Syzbot reported memory leak in kcm_sendmsg()[1].
> > The problem was in non-freed frag_list in case of error.
> >
> > In the while loop:
> >
> >     if (head == skb)
> >         skb_shinfo(head)->frag_list = tskb;
> >     else
> >         skb->next = tskb;
> >
> > frag_list filled with skbs, but nothing was freeing them.
>
> What do you mean by "nothing was freeing them"?
>
> I am sure kfree_skb() will free those in frag_list:
>
> 654 static void skb_release_data(struct sk_buff *skb)
> 655 {
> 656 struct skb_shared_info *shinfo = skb_shinfo(skb);
> 657 int i;
> ...
> 669 if (shinfo->frag_list)
> 670 kfree_skb_list(shinfo->frag_list);
>
>
Indeed. I didn't know about that. I'm sorry.
> >
> > backtrace:
> >   [<0000000094c02615>] __alloc_skb+0x5e/0x250 net/core/skbuff.c:198
> >   [<00000000e5386cbd>] alloc_skb include/linux/skbuff.h:1083 [inline]
> >   [<00000000e5386cbd>] kcm_sendmsg+0x3b6/0xa50 net/kcm/kcmsock.c:967 [1]
> >   [<00000000f1613a8a>] sock_sendmsg_nosec net/socket.c:652 [inline]
> >   [<00000000f1613a8a>] sock_sendmsg+0x4c/0x60 net/socket.c:672
> >
> > Reported-and-tested-by: syzbot+b039f5699bd82e1fb011@syzkaller.appspotmail.com
> > Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
> > Cc: stable@vger.kernel.org
> > Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> > ---
> > net/kcm/kcmsock.c | 5 +++++
> > 1 file changed, 5 insertions(+)
> >
> > diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
> > index 6201965bd822..1c572c8daced 100644
> > --- a/net/kcm/kcmsock.c
> > +++ b/net/kcm/kcmsock.c
> > @@ -1066,6 +1066,11 @@ static int kcm_sendmsg(struct socket *sock,
> > struct msghdr *msg, size_t len) goto partial_message;
> > }
> >
> > + if (skb_has_frag_list(head)) {
> > + kfree_skb_list(skb_shinfo(head)->frag_list);
> > + skb_shinfo(head)->frag_list = NULL;
> > + }
> > +
> > if (head != kcm->seq_skb)
> > kfree_skb(head);
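Review bot: The added block frees and clears `skb_shinfo(head)->frag_list` unconditionally, but the context line right below it, `if (head != kcm->seq_skb) kfree_skb(head);`, shows that `head` is deliberately kept alive when it is `kcm->seq_skb`; in that case the new code strips the fragments off an skb that remains referenced, which changes behaviour rather than fixing a leak. For the other path, `kfree_skb(head)` already releases `frag_list` (skb_release_data() calls `kfree_skb_list(shinfo->frag_list)`, as quoted in the reply above), so the added `kfree_skb_list()` is redundant there. Suggest dropping the block and instead finding out why `head` is not reaching this `kfree_skb()` in the syzbot reproducer, since that is where the leak would have to come from.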
>
> This exact kfree_skb() should free those in frag_list. If the above
> if condition does not meet for some reason, then fix that condition?
>
> Thanks.
I will debug this later today. I think this commit should be reverted,
because it's broken. Or I can send the next patch on top of this. What do
you think of that, David?
With regards,
Pavel Skripkin
Thread overview:
2021-06-02 19:26 [PATCH] net: kcm: fix memory leak in kcm_sendmsg Pavel Skripkin
2021-06-03 21:20 ` patchwork-bot+netdevbpf
2021-06-03 22:32 ` Cong Wang
2021-06-04 11:38 ` Pavel Skripkin [this message]