| Message ID | 20230522153020.32422-1-ptyadav@amazon.de |
|---|---|
| State | New |
| Headers |
Return-Path: <linux-kernel-owner@vger.kernel.org>
Delivered-To: ouuuleilei@gmail.com
Received: by 2002:a59:b0ea:0:b0:3b6:4342:cba0 with SMTP id b10csp1538831vqo;
Mon, 22 May 2023 08:37:44 -0700 (PDT)
X-Google-Smtp-Source:
ACHHUZ48x3LEv/lQ5UPodIx8TbShkdsrl/oopt5eZzI8WLvBOpirB2VZeyZkUhxurWxYpTwVyCJS
X-Received: by 2002:a17:902:778c:b0:1a6:81fc:b585 with SMTP id
o12-20020a170902778c00b001a681fcb585mr9481680pll.41.1684769864321;
Mon, 22 May 2023 08:37:44 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684769864; cv=none;
d=google.com; s=arc-20160816;
b=lQ3py3MUU8ck3JrwLWwugwL/DBIN0KgtZAO5Rm6ZpMAXuHN5hXtGGqK/iuY8NsWl58
Buq0NaFbvY9W7myXtI+WtTnZF1pMVDo+alAWXBnIEAn5m0rm8QWrW4/i2vgzp+ht86mF
hzZ2V16gHLvAy02W3KhCjosBYUJqQkB3IHCWqBMBymqqQzeVs9XFVg21f/swNrIZGSab
ZSZDrKBi2Dts8UB3WfA9u8rIXNBwlkHBZkUcRr7KQV5ZqSV4VxFjCKVntFeabIu8d8SZ
Lsm24Jodi8PUeXjp+oR5NhTUapeAg6hddbOPTH6kDadJwwNoOZkwuPKO1etzB+Hq7LVU
tKWQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com;
s=arc-20160816;
h=list-id:precedence:content-transfer-encoding:mime-version
:message-id:date:subject:cc:to:from:dkim-signature;
bh=/wZOTRTHC/iA8R8dp/VVaoHLOP9DeLCMvFB/lSHlqSI=;
b=f71dmG0C8VUxz5tlBnsYh8FguKIoJxwuRsWmxPZXlhOt96SOsP9hEAAWP3VgtbXVYO
zC2dE03R56kEVv5PjNbpOYDcU6RMmBABxGAy5Vdx/aLUsDX5Jj+nzHyO4lkVQqjNy9Mn
m6gYzwHKNNO7cq9H1GUaWShAIqntvYf5rEpUBm4G0yaQBT7scFPPDwBSqoeeqg4LvhEN
relC/Z0n3c0B+yyKZsEfQkpPFq+ooV4q1s+we4AS9v90S6WOE9wzZfher066i9OcCqyi
Y6oYHAAAEi9j2QQdqRuAHwI4qIZEvcrFY5D7Ggzl6JVzkHwxsfTbRDGDcPmp73aJsCgN
cgog==
ARC-Authentication-Results: i=1; mx.google.com;
dkim=pass header.i=@amazon.de header.s=amazon201209 header.b=sefgdGAB;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.de
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
by mx.google.com with ESMTP id
d6-20020a170903230600b001a6f0e81ec7si240120plh.237.2023.05.22.08.37.29;
Mon, 22 May 2023 08:37:44 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
dkim=pass header.i=@amazon.de header.s=amazon201209 header.b=sefgdGAB;
spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org
designates 2620:137:e000::1:20 as permitted sender)
smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
id S233795AbjEVPad (ORCPT <rfc822;wlfightup@gmail.com> + 99 others);
Mon, 22 May 2023 11:30:33 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33588 "EHLO
lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
with ESMTP id S231923AbjEVPab (ORCPT
<rfc822;linux-kernel@vger.kernel.org>);
Mon, 22 May 2023 11:30:31 -0400
Received: from smtp-fw-2101.amazon.com (smtp-fw-2101.amazon.com
[72.21.196.25])
by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B333EA1;
Mon, 22 May 2023 08:30:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209;
t=1684769429; x=1716305429;
h=from:to:cc:subject:date:message-id:mime-version:
content-transfer-encoding;
bh=/wZOTRTHC/iA8R8dp/VVaoHLOP9DeLCMvFB/lSHlqSI=;
b=sefgdGABmtvxH3kUibFmgEqgEZq7jP8ylULZoVP41Kuta7pxGm2fMuDF
jATAqzhO7OlZDxyANtmkZaYr+uWUTKYV1ejARvX9bhRXrgS08X7udQHtW
OksB1jGcJBbYkXNCQbWFo0ZpI27W0DodnAxgIu0X8Oo0dGM0unD7DcAuF
g=;
X-IronPort-AV: E=Sophos;i="6.00,184,1681171200";
d="scan'208";a="327640414"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO
email-inbound-relay-iad-1e-m6i4x-529f0975.us-east-1.amazon.com) ([10.43.8.6])
by smtp-border-fw-2101.iad2.amazon.com with
ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 May 2023 15:30:26 +0000
Received: from EX19D016EUA002.ant.amazon.com
(iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38])
by email-inbound-relay-iad-1e-m6i4x-529f0975.us-east-1.amazon.com
(Postfix) with ESMTPS id 88893443C9;
Mon, 22 May 2023 15:30:24 +0000 (UTC)
Received: from EX19D028EUB002.ant.amazon.com (10.252.61.43) by
EX19D016EUA002.ant.amazon.com (10.252.50.57) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.2.1118.26; Mon, 22 May 2023 15:30:23 +0000
Received: from EX19MTAUEC001.ant.amazon.com (10.252.135.222) by
EX19D028EUB002.ant.amazon.com (10.252.61.43) with Microsoft SMTP Server
(version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
15.2.1118.26; Mon, 22 May 2023 15:30:23 +0000
Received: from dev-dsk-ptyadav-1c-37607b33.eu-west-1.amazon.com (10.15.11.255)
by mail-relay.amazon.com (10.252.135.200) with Microsoft SMTP Server id
15.2.1118.26 via Frontend Transport; Mon, 22 May 2023 15:30:22 +0000
Received: by dev-dsk-ptyadav-1c-37607b33.eu-west-1.amazon.com (Postfix,
from userid 23027615)
id 7F9E320E16; Mon, 22 May 2023 17:30:22 +0200 (CEST)
From: Pratyush Yadav <ptyadav@amazon.de>
To: "David S. Miller" <davem@davemloft.net>,
Eric Dumazet <edumazet@google.com>,
Jakub Kicinski <kuba@kernel.org>,
Paolo Abeni <pabeni@redhat.com>
CC: Pratyush Yadav <ptyadav@amazon.de>,
Kuniyuki Iwashima <kuniyu@amazon.com>,
Willem de Bruijn <willemb@google.com>,
Norbert Manthey <nmanthey@amazon.de>, <netdev@vger.kernel.org>,
<linux-kernel@vger.kernel.org>
Subject: [PATCH net] net: fix skb leak in __skb_tstamp_tx()
Date: Mon, 22 May 2023 17:30:20 +0200
Message-ID: <20230522153020.32422-1-ptyadav@amazon.de>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org
X-getmail-retrieved-from-mailbox: =?utf-8?q?INBOX?=
X-GMAIL-THRID: =?utf-8?q?1766609245527185003?=
X-GMAIL-MSGID: =?utf-8?q?1766609245527185003?=
|
| Series |
[net] net: fix skb leak in __skb_tstamp_tx()
|
|
Commit Message
Pratyush Yadav
May 22, 2023, 3:30 p.m. UTC
Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with
TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with
zerocopy skbs. But it ended up adding a leak of its own. When
skb_orphan_frags_rx() fails, the function just returns, leaking the skb
it just cloned. Free it before returning.
This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.
Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.")
Signed-off-by: Pratyush Yadav <ptyadav@amazon.de>
---
I do not know this code very well, this was caught by our static
analysis tool. I did not try specifically reproducing the leak but I did
do a boot test by adding this patch on 6.4-rc3 and the kernel boots
fine.
net/core/skbuff.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
--
2.39.2
Comments
From: Pratyush Yadav <ptyadav@amazon.de> Date: Mon, 22 May 2023 17:30:20 +0200 > Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with > TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with > zerocopy skbs. But it ended up adding a leak of its own. When > skb_orphan_frags_rx() fails, the function just returns, leaking the skb > it just cloned. Free it before returning. > > This bug was discovered and resolved using Coverity Static Analysis > Security Testing (SAST) by Synopsys, Inc. > > Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.") > Signed-off-by: Pratyush Yadav <ptyadav@amazon.de> Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Good catch, thanks! > --- > > I do not know this code very well, this was caught by our static > analysis tool. I did not try specifically reproducing the leak but I did > do a boot test by adding this patch on 6.4-rc3 and the kernel boots > fine. > > net/core/skbuff.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > index 515ec5cdc79c..cea28d30abb5 100644 > --- a/net/core/skbuff.c > +++ b/net/core/skbuff.c > @@ -5224,8 +5224,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, > } else { > skb = skb_clone(orig_skb, GFP_ATOMIC); > > - if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) > + if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) { > + kfree_skb(skb); > return; > + } > } > if (!skb) > return; > -- > 2.39.2
On Mon, May 22, 2023 at 11:46 AM Kuniyuki Iwashima <kuniyu@amazon.com> wrote: > > From: Pratyush Yadav <ptyadav@amazon.de> > Date: Mon, 22 May 2023 17:30:20 +0200 > > Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with > > TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with > > zerocopy skbs. But it ended up adding a leak of its own. When > > skb_orphan_frags_rx() fails, the function just returns, leaking the skb > > it just cloned. Free it before returning. > > > > This bug was discovered and resolved using Coverity Static Analysis > > Security Testing (SAST) by Synopsys, Inc. > > > > Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.") > > Signed-off-by: Pratyush Yadav <ptyadav@amazon.de> > > Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com> Reviewed-by: Willem de Bruijn <willemb@google.com>
Hi Pratyush, On Mon, 22 May 2023 17:30:20 +0200 Pratyush Yadav <ptyadav@amazon.de> wrote: > Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with > TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with > zerocopy skbs. But it ended up adding a leak of its own. When > skb_orphan_frags_rx() fails, the function just returns, leaking the skb > it just cloned. Free it before returning. > > This bug was discovered and resolved using Coverity Static Analysis > Security Testing (SAST) by Synopsys, Inc. > > Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.") Seems the commit has merged in several stable kernels. Is the bug also affecting those? If so, would it be better to Cc stable@vger.kernel.org? Thanks, SJ > Signed-off-by: Pratyush Yadav <ptyadav@amazon.de> > --- > > I do not know this code very well, this was caught by our static > analysis tool. I did not try specifically reproducing the leak but I did > do a boot test by adding this patch on 6.4-rc3 and the kernel boots > fine. > > net/core/skbuff.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/core/skbuff.c b/net/core/skbuff.c > index 515ec5cdc79c..cea28d30abb5 100644 > --- a/net/core/skbuff.c > +++ b/net/core/skbuff.c > @@ -5224,8 +5224,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, > } else { > skb = skb_clone(orig_skb, GFP_ATOMIC); > > - if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) > + if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) { > + kfree_skb(skb); > return; > + } > } > if (!skb) > return; > -- > 2.39.2 >
On Mon, May 22 2023, SeongJae Park wrote: > Hi Pratyush, > > On Mon, 22 May 2023 17:30:20 +0200 Pratyush Yadav <ptyadav@amazon.de> wrote: > >> Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with >> TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with >> zerocopy skbs. But it ended up adding a leak of its own. When >> skb_orphan_frags_rx() fails, the function just returns, leaking the skb >> it just cloned. Free it before returning. >> >> This bug was discovered and resolved using Coverity Static Analysis >> Security Testing (SAST) by Synopsys, Inc. >> >> Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.") > > Seems the commit has merged in several stable kernels. Is the bug also > affecting those? If so, would it be better to Cc stable@vger.kernel.org? > It affects v5.4.243 at least, since that is where I first saw this. But I would expect it to affect other stable kernels it has been backported to as well. I thought using the Fixes tag pointing to the bad upstream commit would be enough for the stable maintainers' tooling/bots to pick this patch up. In either case, +Cc stable. Link to the patch this thread is talking about [0]. [0] https://lore.kernel.org/netdev/20230522153020.32422-1-ptyadav@amazon.de/T/#u > > > Thanks, > SJ > >> Signed-off-by: Pratyush Yadav <ptyadav@amazon.de> >> --- >> >> I do not know this code very well, this was caught by our static >> analysis tool. I did not try specifically reproducing the leak but I did >> do a boot test by adding this patch on 6.4-rc3 and the kernel boots >> fine. >> >> net/core/skbuff.c | 4 +++- >> 1 file changed, 3 insertions(+), 1 deletion(-) >> >> diff --git a/net/core/skbuff.c b/net/core/skbuff.c >> index 515ec5cdc79c..cea28d30abb5 100644 >> --- a/net/core/skbuff.c >> +++ b/net/core/skbuff.c >> @@ -5224,8 +5224,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, >> } else { >> skb = skb_clone(orig_skb, GFP_ATOMIC); >> >> - if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) >> + if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) { >> + kfree_skb(skb); >> return; >> + } >> } >> if (!skb) >> return; >> -- >> 2.39.2 >>
Hello: This patch was applied to netdev/net.git (main) by Jakub Kicinski <kuba@kernel.org>: On Mon, 22 May 2023 17:30:20 +0200 you wrote: > Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with > TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with > zerocopy skbs. But it ended up adding a leak of its own. When > skb_orphan_frags_rx() fails, the function just returns, leaking the skb > it just cloned. Free it before returning. > > This bug was discovered and resolved using Coverity Static Analysis > Security Testing (SAST) by Synopsys, Inc. > > [...] Here is the summary with links: - [net] net: fix skb leak in __skb_tstamp_tx() https://git.kernel.org/netdev/net/c/8a02fb71d719 You are awesome, thank you!
diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 515ec5cdc79c..cea28d30abb5 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c @@ -5224,8 +5224,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, } else { skb = skb_clone(orig_skb, GFP_ATOMIC); - if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) + if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) { + kfree_skb(skb); return; + } } if (!skb) return;