From patchwork Mon May 22 15:30:20 2023
X-Patchwork-Submitter: Pratyush Yadav
X-Patchwork-Id: 97513
From: Pratyush Yadav
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
CC: Pratyush Yadav, Kuniyuki Iwashima, Willem de Bruijn, Norbert Manthey
Subject: [PATCH net] net: fix skb leak in __skb_tstamp_tx()
Date: Mon, 22 May 2023 17:30:20 +0200
Message-ID: <20230522153020.32422-1-ptyadav@amazon.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX
timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with zerocopy
skbs. But it ended up adding a leak of its own. When skb_orphan_frags_rx()
fails, the function just returns, leaking the skb it just cloned. Free it
before returning.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.")
Signed-off-by: Pratyush Yadav
Reviewed-by: Kuniyuki Iwashima
Reviewed-by: Willem de Bruijn
---
I do not know this code very well, this was caught by our static analysis
tool. I did not try specifically reproducing the leak but I did do a boot
test by adding this patch on 6.4-rc3 and the kernel boots fine.

 net/core/skbuff.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

--
2.39.2

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 515ec5cdc79c..cea28d30abb5 100644 --- a/net/core/skbuff.c 
+++ b/net/core/skbuff.c @@ -5224,8 +5224,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, } else { skb = skb_clone(orig_skb, GFP_ATOMIC); - if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) + if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) { + kfree_skb(skb); return; + } } if (!skb) return;
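
Review bot: In the else branch, the result of skb_clone(orig_skb, GFP_ATOMIC) is passed to skb_orphan_frags_rx() and now also to kfree_skb() before the `if (!skb)` check that follows the branch, so a failed clone reaches both calls as NULL. kfree_skb() accepts NULL, but the ordering only holds as long as skb_orphan_frags_rx() tolerates a NULL skb as well; consider testing the clone result directly after skb_clone() inside the branch (`if (!skb) return;`), or add a comment stating that the NULL case is deliberately left to the later check. Since the note below the `---` says the leak was not reproduced and only a boot test was done, it would also help to say how the new error path was exercised, for example a TX timestamping run with zerocopy skbs under kmemleak.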