From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Stefano Garzarella, "David S. Miller", Sasha Levin, syzbot+24452624fc4c571eedd9@syzkaller.appspotmail.com
Subject: [PATCH 5.10 474/530] vsock/virtio: free queued packets when closing socket
Date: Wed, 12 May 2021 16:49:44 +0200
Message-Id: <20210512144835.334768477@linuxfoundation.org>

From: Stefano Garzarella

[ Upstream commit 8432b8114957235f42e070a16118a7f750de9d39 ]

As reported by syzbot [1], there is a memory leak while closing the
socket. We partially solved this issue with commit ac03046ece2b
("vsock/virtio: free packets during the socket release"), but we
forgot to drain the RX queue when the socket is definitely closed by
the scheduled work.

To avoid future issues, let's use the new virtio_transport_remove_sock()
to drain the RX queue before removing the socket from the af_vsock lists
calling vsock_remove_sock().

[1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9

Fixes: ac03046ece2b ("vsock/virtio: free packets during the socket release")
Reported-and-tested-by: syzbot+24452624fc4c571eedd9@syzkaller.appspotmail.com
Signed-off-by: Stefano Garzarella
Signed-off-by: David S. Miller
Signed-off-by: Sasha Levin
--- net/vmw_vsock/virtio_transport_common.c | 28 +++++++++++++++++-------- 1 file changed, 19 insertions(+), 9 deletions(-) diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c index e4370b1b7494..902cb6dd710b 100644 --- a/net/vmw_vsock/virtio_transport_common.c +++ b/net/vmw_vsock/virtio_transport_common.c
@@ -733,6 +733,23 @@ static int virtio_transport_reset_no_sock(const struct virtio_transport *t, return t->send_pkt(reply); } +/* This function should be called with sk_lock held and SOCK_DONE set */ +static void virtio_transport_remove_sock(struct vsock_sock *vsk) +{ + struct virtio_vsock_sock *vvs = vsk->trans; + struct virtio_vsock_pkt *pkt, *tmp; + + /* We don't need to take rx_lock, as the socket is closing and we are + * removing it. + */ + list_for_each_entry_safe(pkt, tmp, &vvs->rx_queue, list) { + list_del(&pkt->list); + virtio_transport_free_pkt(pkt); + } + + vsock_remove_sock(vsk); +} + static void virtio_transport_wait_close(struct sock *sk, long timeout) { if (timeout) { @@ -765,7 +782,7 @@ static void virtio_transport_do_close(struct vsock_sock *vsk, (!cancel_timeout || cancel_delayed_work(&vsk->close_work))) { vsk->close_work_scheduled = false; - vsock_remove_sock(vsk); + virtio_transport_remove_sock(vsk); /* Release refcnt obtained when we scheduled the timeout */ sock_put(sk); @@ -828,22 +845,15 @@ static bool virtio_transport_close(struct vsock_sock *vsk) void virtio_transport_release(struct vsock_sock *vsk) { - struct virtio_vsock_sock *vvs = vsk->trans; - struct virtio_vsock_pkt *pkt, *tmp; struct sock *sk = &vsk->sk; bool remove_sock = true; if (sk->sk_type == SOCK_STREAM) remove_sock = virtio_transport_close(vsk); - list_for_each_entry_safe(pkt, tmp, &vvs->rx_queue, list) { - list_del(&pkt->list); - virtio_transport_free_pkt(pkt); - } - if (remove_sock) { sock_set_flag(sk, SOCK_DONE); - vsock_remove_sock(vsk); + virtio_transport_remove_sock(vsk); } } EXPORT_SYMBOL_GPL(virtio_transport_release); -- 2.30.2
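
Review bot: In the first hunk (@@ -733,6 +733,23 @@), the contract that virtio_transport_remove_sock() runs with sk_lock held and SOCK_DONE set exists only as a comment, and the decision to walk vvs->rx_queue without rx_lock depends entirely on it. Consider making the contract checkable at the top of the function, for example WARN_ON_ONCE(!sock_flag(&vsk->sk, SOCK_DONE)) plus a lockdep assertion on the socket lock, so that a future caller that breaks it is flagged instead of racing list_for_each_entry_safe() against a concurrent enqueue.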
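
Review bot: In the virtio_transport_do_close() hunk (@@ -765,7 +782,7 @@), the replaced call now goes to a helper whose comment requires "sk_lock held and SOCK_DONE set", but neither precondition is visible in this hunk's context lines. Please confirm that every path into this branch, including the delayed close_work mentioned in the commit message, takes the socket lock and sets SOCK_DONE before reaching virtio_transport_remove_sock(vsk), and note that in a short comment next to the call.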
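
Review bot: In the virtio_transport_release() hunk (@@ -828,22 +845,15 @@), the rx_queue drain used to run unconditionally and now runs only inside if (remove_sock). When virtio_transport_close() returns false, queued packets therefore stay allocated after release returns, until a later path calls virtio_transport_remove_sock(). A comment here stating that the deferral is intentional, and which path then frees the packets, would make the packet lifetime explicit for the next reader.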