[PATCH net] net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6

[PATCH net] net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6

[Christoph Paasch via B4 Relay]

From: Christoph Paasch <cpaasch@openai.com>

When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just
exits the function. This ends up causing a memory-leak:

unreferenced object 0xffff0000281a8200 (size 2496):
  comm "softirq", pid 0, jiffies 4295174684
  hex dump (first 32 bytes):
    7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13  ................
    0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00  ...a............
  backtrace (crc 5ebdbe15):
    kmemleak_alloc+0x44/0xe0
    kmem_cache_alloc_noprof+0x248/0x470
    sk_prot_alloc+0x48/0x120
    sk_clone_lock+0x38/0x3b0
    inet_csk_clone_lock+0x34/0x150
    tcp_create_openreq_child+0x3c/0x4a8
    tcp_v6_syn_recv_sock+0x1c0/0x620
    tcp_check_req+0x588/0x790
    tcp_v6_rcv+0x5d0/0xc18
    ip6_protocol_deliver_rcu+0x2d8/0x4c0
    ip6_input_finish+0x74/0x148
    ip6_input+0x50/0x118
    ip6_sublist_rcv+0x2fc/0x3b0
    ipv6_list_rcv+0x114/0x170
    __netif_receive_skb_list_core+0x16c/0x200
    netif_receive_skb_list_internal+0x1f0/0x2d0

This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when
exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need
to be called. They make sure the newsk will end up being correctly
free'd.

tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit
label that takes care of things. So, this patch here makes sure
tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar
error-handling and thus fixes the leak for TCP-AO.

Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets")
Signed-off-by: Christoph Paasch <cpaasch@openai.com>
---
 net/ipv6/tcp_ipv6.c | 32 +++++++++++++++-----------------
 1 file changed, 15 insertions(+), 17 deletions(-)

diff --git a/net/ipv6/tcp_ipv6.c b/net/ipv6/tcp_ipv6.c
index 7577e7eb2c97b821826f633a11dd5567dde7b7cb..e885629312a4a7a98df00222b420b646a351868f 100644
--- a/net/ipv6/tcp_ipv6.c
+++ b/net/ipv6/tcp_ipv6.c
@@ -1431,17 +1431,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
 	ireq = inet_rsk(req);
 
 	if (sk_acceptq_is_full(sk))
-		goto out_overflow;
+		goto exit_overflow;
 
 	if (!dst) {
 		dst = inet6_csk_route_req(sk, &fl6, req, IPPROTO_TCP);
 		if (!dst)
-			goto out;
+			goto exit;
 	}
 
 	newsk = tcp_create_openreq_child(sk, req, skb);
 	if (!newsk)
-		goto out_nonewsk;
+		goto exit_nonewsk;
 
 	/*
 	 * No need to charge this sock to the relevant IPv6 refcnt debug socks
@@ -1525,25 +1525,19 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
 			const union tcp_md5_addr *addr;
 
 			addr = (union tcp_md5_addr *)&newsk->sk_v6_daddr;
-			if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key)) {
-				inet_csk_prepare_forced_close(newsk);
-				tcp_done(newsk);
-				goto out;
-			}
+			if (tcp_md5_key_copy(newsk, addr, AF_INET6, 128, l3index, key))
+				goto put_and_exit;
 		}
 	}
 #endif
 #ifdef CONFIG_TCP_AO
 	/* Copy over tcp_ao_info if any */
 	if (tcp_ao_copy_all_matching(sk, newsk, req, skb, AF_INET6))
-		goto out; /* OOM */
+		goto put_and_exit; /* OOM */
 #endif
 
-	if (__inet_inherit_port(sk, newsk) < 0) {
-		inet_csk_prepare_forced_close(newsk);
-		tcp_done(newsk);
-		goto out;
-	}
+	if (__inet_inherit_port(sk, newsk) < 0)
+		goto put_and_exit;
 	*own_req = inet_ehash_nolisten(newsk, req_to_sk(req_unhash),
 				       &found_dup_sk);
 	if (*own_req) {
@@ -1570,13 +1564,17 @@ static struct sock *tcp_v6_syn_recv_sock(const struct sock *sk, struct sk_buff *
 
 	return newsk;
 
-out_overflow:
+exit_overflow:
 	__NET_INC_STATS(sock_net(sk), LINUX_MIB_LISTENOVERFLOWS);
-out_nonewsk:
+exit_nonewsk:
 	dst_release(dst);
-out:
+exit:
 	tcp_listendrop(sk);
 	return NULL;
+put_and_exit:
+	inet_csk_prepare_forced_close(newsk);
+	tcp_done(newsk);
+	goto exit;
 }
 
 INDIRECT_CALLABLE_DECLARE(struct dst_entry *ipv4_dst_check(struct dst_entry *,

---
base-commit: 788bc43d8330511af433bf282021a8fecb6b9009
change-id: 20250830-tcpao_leak-f31ece59abe4

Best regards,
-- 
Christoph Paasch <cpaasch@openai.com>

Re: [PATCH net] net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6

[Dmitry Safonov]

On Sat, 30 Aug 2025 at 23:55, Christoph Paasch via B4 Relay
<devnull+cpaasch.openai.com@kernel.org> wrote:
>
> From: Christoph Paasch <cpaasch@openai.com>
>
> When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just
> exits the function. This ends up causing a memory-leak:
>
> unreferenced object 0xffff0000281a8200 (size 2496):
>   comm "softirq", pid 0, jiffies 4295174684
>   hex dump (first 32 bytes):
>     7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13  ................
>     0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00  ...a............
>   backtrace (crc 5ebdbe15):
>     kmemleak_alloc+0x44/0xe0
>     kmem_cache_alloc_noprof+0x248/0x470
>     sk_prot_alloc+0x48/0x120
>     sk_clone_lock+0x38/0x3b0
>     inet_csk_clone_lock+0x34/0x150
>     tcp_create_openreq_child+0x3c/0x4a8
>     tcp_v6_syn_recv_sock+0x1c0/0x620
>     tcp_check_req+0x588/0x790
>     tcp_v6_rcv+0x5d0/0xc18
>     ip6_protocol_deliver_rcu+0x2d8/0x4c0
>     ip6_input_finish+0x74/0x148
>     ip6_input+0x50/0x118
>     ip6_sublist_rcv+0x2fc/0x3b0
>     ipv6_list_rcv+0x114/0x170
>     __netif_receive_skb_list_core+0x16c/0x200
>     netif_receive_skb_list_internal+0x1f0/0x2d0
>
> This is because in tcp_v6_syn_recv_sock (and the IPv4 counterpart), when
> exiting upon error, inet_csk_prepare_forced_close() and tcp_done() need
> to be called. They make sure the newsk will end up being correctly
> free'd.
>
> tcp_v4_syn_recv_sock() makes this very clear by having the put_and_exit
> label that takes care of things. So, this patch here makes sure
> tcp_v4_syn_recv_sock and tcp_v6_syn_recv_sock have similar
> error-handling and thus fixes the leak for TCP-AO.
>
> Fixes: 06b22ef29591 ("net/tcp: Wire TCP-AO to request sockets")
> Signed-off-by: Christoph Paasch <cpaasch@openai.com>

Thanks, Christoph!

Reviewed-by: Dmitry Safonov <0x7f454c46@gmail.com>

Quite a blunder to miss error path like that, ugh.

Thanks,
             Dmitry

Re: [PATCH net] net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6

[patchwork-bot+netdevbpf]

Hello:

This patch was applied to netdev/net.git (main)
by Jakub Kicinski <kuba@kernel.org>:

On Sat, 30 Aug 2025 15:55:38 -0700 you wrote:
> From: Christoph Paasch <cpaasch@openai.com>
> 
> When tcp_ao_copy_all_matching() fails in tcp_v6_syn_recv_sock() it just
> exits the function. This ends up causing a memory-leak:
> 
> unreferenced object 0xffff0000281a8200 (size 2496):
>   comm "softirq", pid 0, jiffies 4295174684
>   hex dump (first 32 bytes):
>     7f 00 00 06 7f 00 00 06 00 00 00 00 cb a8 88 13  ................
>     0a 00 03 61 00 00 00 00 00 00 00 00 00 00 00 00  ...a............
>   backtrace (crc 5ebdbe15):
>     kmemleak_alloc+0x44/0xe0
>     kmem_cache_alloc_noprof+0x248/0x470
>     sk_prot_alloc+0x48/0x120
>     sk_clone_lock+0x38/0x3b0
>     inet_csk_clone_lock+0x34/0x150
>     tcp_create_openreq_child+0x3c/0x4a8
>     tcp_v6_syn_recv_sock+0x1c0/0x620
>     tcp_check_req+0x588/0x790
>     tcp_v6_rcv+0x5d0/0xc18
>     ip6_protocol_deliver_rcu+0x2d8/0x4c0
>     ip6_input_finish+0x74/0x148
>     ip6_input+0x50/0x118
>     ip6_sublist_rcv+0x2fc/0x3b0
>     ipv6_list_rcv+0x114/0x170
>     __netif_receive_skb_list_core+0x16c/0x200
>     netif_receive_skb_list_internal+0x1f0/0x2d0
> 
> [...]

Here is the summary with links:
  - [net] net/tcp: Fix socket memory leak in TCP-AO failure handling for IPv6
    https://git.kernel.org/netdev/net/c/fa390321aba0

You are awesome, thank you!
-- 
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html