From: David Miller
Subject: Re: [PATCH net] kcm: fix races on sk_receive_queue
Date: Fri, 08 Jun 2018 10:53:11 -0400 (EDT)
Message-ID: <20180608.105311.1644703021787191738.davem@davemloft.net>
In-Reply-To: <628e0398546aefabd68669450621909d269e1ba8.1528289745.git.pabeni@redhat.com>
References: <628e0398546aefabd68669450621909d269e1ba8.1528289745.git.pabeni@redhat.com>
To: pabeni@redhat.com
Cc: netdev@vger.kernel.org, tom@quantonium.net, ktkhai@virtuozzo.com

From: Paolo Abeni
Date: Wed, 6 Jun 2018 15:16:29 +0200

> @@ -1126,7 +1132,7 @@ static int kcm_recvmsg(struct socket *sock, struct msghdr *msg,
>
> lock_sock(sk);
>
> - skb = kcm_wait_data(sk, flags, timeo, &err);
> + skb = kcm_wait_data(sk, flags, peek, timeo, &err);
> if (!skb)
> goto out;
>

Because kcm_wait_data() potentially unlinks now, you will have to kfree
the SKB in the error paths, for example if skb_copy_datagram_msg() fails.
Otherwise we have an SKB leak.

Yeah, it's kind of ugly that kcm_recvmsg() is going to become a pile of
conditional operations based upon the peek boolean. :-/
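Review bot: in the kcm_recvmsg() hunk, the only failure handled after the new kcm_wait_data(sk, flags, peek, timeo, &err) call is the NULL-skb `goto out`; once kcm_wait_data() dequeues the skb in the non-peek case, every later error exit in kcm_recvmsg() (skb_copy_datagram_msg() failing, for instance) must kfree_skb() that skb or it is leaked. Suggest routing those failures through a label that does `if (!peek) kfree_skb(skb);` before `goto out`, and a one-line comment on kcm_wait_data() stating that the caller owns the returned skb unless peek is set, so the ownership rule is visible at the call site rather than implied by the extra argument.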
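As an added illustration of the ownership rule raised in the reply (this is a user-space model written for this page, not kernel code and not Paolo's patch), the block below keeps a tiny singly linked skb queue with a live-allocation counter, a `wait_data()` that mirrors the patched kcm_wait_data() by unlinking the head only when peek is clear, and a `copy_to_msg()` standing in for skb_copy_datagram_msg() that fails on a too-small buffer. `recvmsg_leaky()` returns on copy failure without freeing, `recvmsg_fixed()` applies the rule David states; all names, the `-EFAULT` failure model and the "hello" payload are assumptions made for the example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* User-space model of an skb queue; the names are assumed, not the kernel's. */
struct skb { struct skb *next; size_t len; char data[16]; };
struct sock { struct skb *head; };
static int live_skbs;	/* allocations not yet freed; >0 after a drain means a leak */

static struct skb *alloc_skb(const char *payload)
{
	struct skb *skb = calloc(1, sizeof(*skb));
	if (!skb) abort();
	skb->len = strlen(payload);
	memcpy(skb->data, payload, skb->len);
	live_skbs++;
	return skb;
}

static void kfree_skb(struct skb *skb) { if (skb) { free(skb); live_skbs--; } }

/* Model of the patched kcm_wait_data(): with peek the head stays queued,
 * otherwise it is unlinked and the caller owns it from here on. */
static struct skb *wait_data(struct sock *sk, int peek, int *err)
{
	struct skb *skb = sk->head;
	if (!skb) { *err = -EAGAIN; return NULL; }
	if (!peek) { sk->head = skb->next; skb->next = NULL; }
	return skb;
}

/* Stand-in for skb_copy_datagram_msg(): -EFAULT when the buffer is too small. */
static int copy_to_msg(const struct skb *skb, char *buf, size_t buflen)
{
	if (buflen < skb->len) return -EFAULT;
	memcpy(buf, skb->data, skb->len);
	return 0;
}

/* The pattern the reply warns about: a non-peek wait_data() took the skb off
 * the queue, so returning on copy failure without freeing it leaks it. */
static int recvmsg_leaky(struct sock *sk, int peek, char *buf, size_t buflen)
{
	int err = 0, copied;
	struct skb *skb = wait_data(sk, peek, &err);
	if (!skb) return err;
	err = copy_to_msg(skb, buf, buflen);
	if (err) return err;		/* BUG: dequeued skb is never freed */
	copied = (int)skb->len;
	if (!peek) kfree_skb(skb);
	return copied;
}

/* Same flow with the ownership rule applied: every exit after a successful
 * non-peek wait_data() either consumes the skb or frees it. */
static int recvmsg_fixed(struct sock *sk, int peek, char *buf, size_t buflen)
{
	int err = 0, copied;
	struct skb *skb = wait_data(sk, peek, &err);
	if (!skb) return err;
	err = copy_to_msg(skb, buf, buflen);
	if (err) { if (!peek) kfree_skb(skb); return err; }	/* fix: release it */
	copied = (int)skb->len;
	if (!peek) kfree_skb(skb);
	return copied;
}

/* Queue one constructed skb, force the copy to fail with a 1-byte buffer,
 * drain what is still queued and return how many skbs remain allocated. */
static int leaked_after_failed_copy(int use_fixed)
{
	struct sock sk = { 0 };
	char buf[1];
	int rc;
	live_skbs = 0;
	sk.head = alloc_skb("hello");
	rc = use_fixed ? recvmsg_fixed(&sk, 0, buf, sizeof buf)
		       : recvmsg_leaky(&sk, 0, buf, sizeof buf);
	if (rc != -EFAULT) return -1;
	while (sk.head) { struct skb *s = sk.head; sk.head = s->next; kfree_skb(s); }
	return live_skbs;
}

/* MSG_PEEK must leave the skb queued; the following plain read consumes it. */
static int peek_then_read_ok(void)
{
	struct sock sk = { 0 };
	char buf[16];
	live_skbs = 0;
	sk.head = alloc_skb("hello");
	if (recvmsg_fixed(&sk, 1, buf, sizeof buf) != 5 || !sk.head) return 0;
	return recvmsg_fixed(&sk, 0, buf, sizeof buf) == 5 && !sk.head && live_skbs == 0;
}

int main(void)
{
	printf("leaky: %d leaked, fixed: %d leaked, peek then read: %s\n",
	       leaked_after_failed_copy(0), leaked_after_failed_copy(1),
	       peek_then_read_ok() ? "ok" : "broken");
	return 0;
}
```

Built with any C compiler, the leaky variant reports one skb still allocated after the failed copy (the queue is empty, the caller dropped its only reference), the fixed variant reports none, and the peek path leaves the skb queued for the next plain read. The conditional free is the same `peek`-dependent branching the reply calls ugly; a single cleanup label that frees when `!peek` keeps it in one place.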