Received: by 2002:a05:6902:102b:0:0:0:0 with SMTP id x11csp456860ybt; Sat, 13 Jun 2020 09:46:07 -0700 (PDT) X-Google-Smtp-Source: ABdhPJzC28ZzDzrAqi4/N+BO+fbhL70k8NL3pKfA7hPzXMeRy5qK3sZKgS5nCHu7LGwyP5YWlOOn X-Received: by 2002:aa7:cb4a:: with SMTP id w10mr16319356edt.46.1592066766966; Sat, 13 Jun 2020 09:46:06 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1592066766; cv=none; d=google.com; s=arc-20160816; b=Tz5Iqm1ZQ8bbIukHlQFURkYo0fVujHjXy5oLCnFKOLAzi8IX+dw+93a4iUc61q760W boI30lVQMBvB/VY6ujAUaoMzHuNxZDA/lFqbL+6Uw7EaREJ6svH4eYHTZqr2cAucIseb lzBTsgYSlD6ZsUzb17Kes9q3ZyrYYhUTivFkc8rSwmJ3kWQmPs3dTWNkbwLraKlIoytn Kv5Mi61zgMClN++69fFaMJw/rqbA0Hhz40pSTP1GhVOXoKasfye4I8sIEny+lV3SmkS0 2uFUql8pKREL6iB+1Z8K5YPb+TlEIj6GDrfvwRp7G1LF8J61cahQXmLquofXA+ERzbwS S/Bw== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:in-reply-to:content-disposition :mime-version:references:message-id:subject:cc:to:from:date; bh=Ffdcp+4X6lQj1koL52huCa4qUB/B5XvGcY/GulZchHg=; b=DuvdF2PkKCb+jy4iOhRJ7q5FkJG/gTM14nC9tvA2rtd9z4SwqosEij+vwVUTckLtxP uGHiAXtihSzq7XeZO4Rr3AdntyXh2pbhasVMWRS3EHdT376rhkodBD0GvReAWXv1PRsb JeI65JaBYHFBNuFB07prfgYjt2OwG5L2N0NLR+pqgzz7FcKoilbwYVahAt3JQj4N9wWu meODcSoTxGN65mrtMe03nK8GBzwB4eP4nxRyYVyeJhuY0n52u5IhRBMuiPP0DngRHVRL qJDffGU5CBCBwCxx/Dr0cARkZDCez8FKKFmyJECkpr7/NeCQlKf7KUglEQCq9ubC5m5y eqww== ARC-Authentication-Results: i=1; mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id od24si6287527ejb.103.2020.06.13.09.45.43; Sat, 13 Jun 2020 09:46:06 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726445AbgFMQlx (ORCPT + 99 others); Sat, 13 Jun 2020 12:41:53 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:41718 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726092AbgFMQlx (ORCPT ); Sat, 13 Jun 2020 12:41:53 -0400 X-Greylist: delayed 2610 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Sat, 13 Jun 2020 09:41:52 PDT Received: from smtp.tuxdriver.com (tunnel92311-pt.tunnel.tserv13.ash1.ipv6.he.net [IPv6:2001:470:7:9c9::2]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id A0966C03E96F for ; Sat, 13 Jun 2020 09:41:52 -0700 (PDT) Received: from 2606-a000-111b-4634-0000-0000-0000-1bf2.inf6.spectrum.com ([2606:a000:111b:4634::1bf2] helo=localhost) by smtp.tuxdriver.com with esmtpsa (TLSv1:AES256-SHA:256) (Exim 4.63) (envelope-from ) id 1jk8XY-0002Cu-MZ; Sat, 13 Jun 2020 11:57:55 -0400 Date: Sat, 13 Jun 2020 11:57:51 -0400 From: Neil Horman To: Xiyu Yang Cc: Vlad Yasevich , Marcelo Ricardo Leitner , "David S. Miller" , Jakub Kicinski , linux-sctp@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org, yuanxzhang@fudan.edu.cn, kjlu@umn.edu, Xin Tan Subject: Re: [PATCH] sctp: Fix sk_buff leak when receiving a datagram Message-ID: <20200613155751.GA161691@hmswarspite.think-freely.org> References: <1592051965-94731-1-git-send-email-xiyuyang19@fudan.edu.cn> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline In-Reply-To: <1592051965-94731-1-git-send-email-xiyuyang19@fudan.edu.cn> X-Spam-Score: -2.9 (--) X-Spam-Status: No Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org On Sat, Jun 13, 2020 at 08:39:25PM +0800, Xiyu Yang wrote: > In sctp_skb_recv_datagram(), the function fetch a sk_buff object from > the receiving queue to "skb" by calling skb_peek() or __skb_dequeue() > and return its reference to the caller. > > However, when calling __skb_dequeue() successfully, the function forgets > to hold a reference count of the "skb" object and directly return it, > causing a potential memory leak in the caller function. > > Fix this issue by calling refcount_inc after __skb_dequeue() > successfully executed. > > Signed-off-by: Xiyu Yang > Signed-off-by: Xin Tan > --- > net/sctp/socket.c | 2 ++ > 1 file changed, 2 insertions(+) > > diff --git a/net/sctp/socket.c b/net/sctp/socket.c > index d57e1a002ffc..4c8f0b83efd0 100644 > --- a/net/sctp/socket.c > +++ b/net/sctp/socket.c > @@ -8990,6 +8990,8 @@ struct sk_buff *sctp_skb_recv_datagram(struct sock *sk, int flags, > refcount_inc(&skb->users); > } else { > skb = __skb_dequeue(&sk->sk_receive_queue); > + if (skb) > + refcount_inc(&skb->users); For completeness, you should probably use skb_get here, rather than refcount_inc directly. Also, I'm not entirely sure I see how a memory leak can happen here. we take an extra reference in the skb_peek clause of this code area because if we return an skb that continues to exist on the sk_receive_queue list, we legitimately have two users for the skb (the user who called sctp_skb_recv_datagram(...,MSG_PEEK), and the potential next caller who will actually dequeue the skb. In the else clause however, that condition doesn't exist. the user count for the skb should alreday be 1, if the caller is the only user of the skb), or more than 1, if 1 or more callers have gotten a reference to the message using MSG_PEEK. I don't think this code is needed, and in fact will actually cause memory leaks, because theres no subsequent skb_unref call to drop refcount that you are adding here. Neil > } > > if (skb) > -- > 2.7.4 > >