Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4688620pxj;
        Wed, 12 May 2021 10:56:11 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxDGUmYkvIN80ErfruhWnC+Nelwg7V0o896rXNL7xG+YAMJr+8imG11t8LyiwocvdKJ4nni
X-Received: by 2002:a9d:5c11:: with SMTP id o17mr31377441otk.178.1620842171021;
        Wed, 12 May 2021 10:56:11 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620842171; cv=none;
        d=google.com; s=arc-20160816;
        b=EGbUSctOOqNGKSvm44gtgmHz6cXVRYr1y0SU9k7v40goOaPkRDIr9za94Y9xS26rix
         dROfOoDD/mThlM6HNEyPEcIfOVSkKtfGBKqK6jSQo0nZtslvmCxe6Ax2Ef1yiHa3mfH2
         CBQVkqSOQBBYdXhO04yQ6lDcJRhCIux1C4+vgjvUUozWcWE087962qpRKmAopljz2v8m
         S/r6XGu0BUV8wMsAHqPYosBCmQ+u8xCBKZ0j7bT/ohdzAiEqTM3f7FbZeL+XJZrwdzi2
         lxETCKBlsHMpluzdfAJoe438Nq41aX9/0Ta1fSUxIjk6WNPBtfEFDVEvKHQBVjNShb+4
         ZFXw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=h0Ex5fveW/56Vc+jYBAmGlQOoEcPQc7dseE7tlggujo=;
        b=FMyK0PoSienRnD7Tsfqka+bGLgnlGeyi+EHeuvSKaH+d9jzjwk7+oGqGDm8EatAxiK
         gCvCcekObxDpw80+sVp1aCnXcZtz3ck6KgsGYM4VrtsZG3Wuw4gjLNaFxirLw7fqEHG3
         rZLaJSA0zRtwZ0s2NOS9+dN/T7Y5NHivIKz77E5nFAGA4xjJxndTMODr/H5eUdd5F282
         3AIxg4AWst8lrUfeeRjYdNtH/Tu0fgFZJ78VVghStdFUxHL+z1QdV8W5RoYaiMNr+EkN
         ZF2U9sTp/y7YTVuZuEmeLj1kulD1LQMMmWPNs/JIEPAiumCZEIyfI0a5p5Op9mqy062u
         k2XQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=eWQHS4LE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id v1si531611oic.198.2021.05.12.10.55.56;
        Wed, 12 May 2021 10:56:11 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b=eWQHS4LE;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1350922AbhELRwr (ORCPT <rfc822;lkmlinbox@gmail.com> + 99 others);
        Wed, 12 May 2021 13:52:47 -0400
Received: from mail.kernel.org ([198.145.29.99]:59068 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S236729AbhELQWz (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 May 2021 12:22:55 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id DA848613CB;
        Wed, 12 May 2021 15:47:06 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1620834427;
        bh=KZsc5yZIuWsrYya7OjS5DggjPvs/sLXeDrdmYlchDik=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=eWQHS4LEPJtL98CxwLodyZqF6IkjaLWT6Kgq6Wk1YmvRc35sS4SjnxKFOgIo0zDB2
         qp+1SxuCxhqpoPggd5zG8XbEef81hmEO2QLi2Le+ut/CDXRbaCtCcEt2tRLwLV/iLN
         FeTKkSluQ8bgNYg3OhwTZSn9OPyzjAH4FTIPsecc=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Stefano Garzarella <sgarzare@redhat.com>,
        "David S. Miller" <davem@davemloft.net>,
        Sasha Levin <sashal@kernel.org>,
        syzbot+24452624fc4c571eedd9@syzkaller.appspotmail.com
Subject: [PATCH 5.11 539/601] vsock/virtio: free queued packets when closing socket
Date:   Wed, 12 May 2021 16:50:16 +0200
Message-Id: <20210512144845.610203200@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210512144827.811958675@linuxfoundation.org>
References: <20210512144827.811958675@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Stefano Garzarella <sgarzare@redhat.com>

[ Upstream commit 8432b8114957235f42e070a16118a7f750de9d39 ]

As reported by syzbot [1], there is a memory leak while closing the
socket. We partially solved this issue with commit ac03046ece2b
("vsock/virtio: free packets during the socket release"), but we
forgot to drain the RX queue when the socket is definitely closed by
the scheduled work.

To avoid future issues, let's use the new virtio_transport_remove_sock()
to drain the RX queue before removing the socket from the af_vsock lists
calling vsock_remove_sock().

[1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9

Fixes: ac03046ece2b ("vsock/virtio: free packets during the socket release")
Reported-and-tested-by: syzbot+24452624fc4c571eedd9@syzkaller.appspotmail.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/vmw_vsock/virtio_transport_common.c | 28 +++++++++++++++++--------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index e4370b1b7494..902cb6dd710b 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -733,6 +733,23 @@ static int virtio_transport_reset_no_sock(const struct virtio_transport *t,
 	return t->send_pkt(reply);
 }
 
+/* This function should be called with sk_lock held and SOCK_DONE set */
+static void virtio_transport_remove_sock(struct vsock_sock *vsk)
+{
+	struct virtio_vsock_sock *vvs = vsk->trans;
+	struct virtio_vsock_pkt *pkt, *tmp;
+
+	/* We don't need to take rx_lock, as the socket is closing and we are
+	 * removing it.
+	 */
+	list_for_each_entry_safe(pkt, tmp, &vvs->rx_queue, list) {
+		list_del(&pkt->list);
+		virtio_transport_free_pkt(pkt);
+	}
+
+	vsock_remove_sock(vsk);
+}
+
 static void virtio_transport_wait_close(struct sock *sk, long timeout)
 {
 	if (timeout) {
@@ -765,7 +782,7 @@ static void virtio_transport_do_close(struct vsock_sock *vsk,
 	    (!cancel_timeout || cancel_delayed_work(&vsk->close_work))) {
 		vsk->close_work_scheduled = false;
 
-		vsock_remove_sock(vsk);
+		virtio_transport_remove_sock(vsk);
 
 		/* Release refcnt obtained when we scheduled the timeout */
 		sock_put(sk);
@@ -828,22 +845,15 @@ static bool virtio_transport_close(struct vsock_sock *vsk)
 
 void virtio_transport_release(struct vsock_sock *vsk)
 {
-	struct virtio_vsock_sock *vvs = vsk->trans;
-	struct virtio_vsock_pkt *pkt, *tmp;
 	struct sock *sk = &vsk->sk;
 	bool remove_sock = true;
 
 	if (sk->sk_type == SOCK_STREAM)
 		remove_sock = virtio_transport_close(vsk);
 
-	list_for_each_entry_safe(pkt, tmp, &vvs->rx_queue, list) {
-		list_del(&pkt->list);
-		virtio_transport_free_pkt(pkt);
-	}
-
 	if (remove_sock) {
 		sock_set_flag(sk, SOCK_DONE);
-		vsock_remove_sock(vsk);
+		virtio_transport_remove_sock(vsk);
 	}
 }
 EXPORT_SYMBOL_GPL(virtio_transport_release);
-- 
2.30.2