Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp4754372pxj;
        Wed, 12 May 2021 12:28:32 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxKIMz9LjviCEKIsP8LeP70c3zG/BOReaqtR5zMr7MmhvT1p+yQvT/y1UhRuofafS5aX1MZ
X-Received: by 2002:a17:907:990f:: with SMTP id ka15mr32030300ejc.132.1620847711827;
        Wed, 12 May 2021 12:28:31 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1620847711; cv=none;
        d=google.com; s=arc-20160816;
        b=voGLyxtbdScO+jqLEnSRTNxwAmDW8tAmVTGDvlPtawpqSKz5byoGmcf49RlkrbSxOO
         22f029Meyaj+/XjX9ed8fUAvX4dZIGq5T8ynWvLpO4dLXQq8ye2qxCn66FwRO84qR4Ce
         Y2mftiQ2laX6v/cT7YyThyFmrJsBnJ5HP7YUEdBilT9GSa3QzHAFBajnx2h1PVLuQFu0
         tTrsMb4vR2Tm87rvwPiim4fskaOI4J8bfYgXArh6u86HDoPz3p15+9+Ww1/2Su3bDvPi
         YU1QbMFjSvIEOJKaf//wFxTKRHyKzH8HUxnvNn06twmu72HoWjVIGZ3+HnxNudtXbXiz
         uXEQ==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :user-agent:references:in-reply-to:message-id:date:subject:cc:to
         :from:dkim-signature;
        bh=h0Ex5fveW/56Vc+jYBAmGlQOoEcPQc7dseE7tlggujo=;
        b=J7oYWSWtHVcA59McO+Oalgy20tNpzLxtY7dfZcsjcWiKkug0onhfL+xhgJz7+bmYlI
         6cPpE7MDVcy4IsvCc9/pW0IvCdB9uGbwjmR8X/+8Q4KAJWyMYGJh+tRfT/V+UWsXUX7S
         AnvJlJxhX16xSXsLl2IBpwxqLqpY2GoN0/mkPsoANibnUqd0clIzuUMLZnae8JstZL2r
         0ALGYU8cl/q4vuPdSkTPcio/p0EIRJeRMt0olJO/IZOGHuFgGsmsmy4+sSlHXe84DzqZ
         4Ux+gmMvDwzufbPU7KpCNEA2gGHeik4fe/Ht0uMuFWWgBr5TojmD3rGJ25N0kn+DAEYY
         s7Yw==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="U/pK216w";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id cx22si489926edb.175.2021.05.12.12.28.07;
        Wed, 12 May 2021 12:28:31 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@linuxfoundation.org header.s=korg header.b="U/pK216w";
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=linuxfoundation.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1379241AbhELTTA (ORCPT <rfc822;lkmlinbox@gmail.com> + 99 others);
        Wed, 12 May 2021 15:19:00 -0400
Received: from mail.kernel.org ([198.145.29.99]:46180 "EHLO mail.kernel.org"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S238973AbhELQuH (ORCPT <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 12 May 2021 12:50:07 -0400
Received: by mail.kernel.org (Postfix) with ESMTPSA id DD34761D5A;
        Wed, 12 May 2021 16:16:16 +0000 (UTC)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=linuxfoundation.org;
        s=korg; t=1620836177;
        bh=KZsc5yZIuWsrYya7OjS5DggjPvs/sLXeDrdmYlchDik=;
        h=From:To:Cc:Subject:Date:In-Reply-To:References:From;
        b=U/pK216wN9ufuwf3KwFdTCsQl7ezQIx4oJPj0xYSFPymxC20MnvLYq1F5Wb7KapeH
         CsvzeOTcMTsKIUxOP+Xxd89H+nDn9+/ClqqMZsNxbcrHD6u1ruNdYyyyzZsAhxt3MW
         2vWtlk7oRRGY+7nsOFrWTLSJfRlatUs3p4zc/Ozg=
From:   Greg Kroah-Hartman <gregkh@linuxfoundation.org>
To:     linux-kernel@vger.kernel.org
Cc:     Greg Kroah-Hartman <gregkh@linuxfoundation.org>,
        stable@vger.kernel.org, Stefano Garzarella <sgarzare@redhat.com>,
        "David S. Miller" <davem@davemloft.net>,
        Sasha Levin <sashal@kernel.org>,
        syzbot+24452624fc4c571eedd9@syzkaller.appspotmail.com
Subject: [PATCH 5.12 607/677] vsock/virtio: free queued packets when closing socket
Date:   Wed, 12 May 2021 16:50:53 +0200
Message-Id: <20210512144857.535068746@linuxfoundation.org>
X-Mailer: git-send-email 2.31.1
In-Reply-To: <20210512144837.204217980@linuxfoundation.org>
References: <20210512144837.204217980@linuxfoundation.org>
User-Agent: quilt/0.66
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

From: Stefano Garzarella <sgarzare@redhat.com>

[ Upstream commit 8432b8114957235f42e070a16118a7f750de9d39 ]

As reported by syzbot [1], there is a memory leak while closing the
socket. We partially solved this issue with commit ac03046ece2b
("vsock/virtio: free packets during the socket release"), but we
forgot to drain the RX queue when the socket is definitely closed by
the scheduled work.

To avoid future issues, let's use the new virtio_transport_remove_sock()
to drain the RX queue before removing the socket from the af_vsock lists
calling vsock_remove_sock().

[1] https://syzkaller.appspot.com/bug?extid=24452624fc4c571eedd9

Fixes: ac03046ece2b ("vsock/virtio: free packets during the socket release")
Reported-and-tested-by: syzbot+24452624fc4c571eedd9@syzkaller.appspotmail.com
Signed-off-by: Stefano Garzarella <sgarzare@redhat.com>
Signed-off-by: David S. Miller <davem@davemloft.net>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/vmw_vsock/virtio_transport_common.c | 28 +++++++++++++++++--------
 1 file changed, 19 insertions(+), 9 deletions(-)

diff --git a/net/vmw_vsock/virtio_transport_common.c b/net/vmw_vsock/virtio_transport_common.c
index e4370b1b7494..902cb6dd710b 100644
--- a/net/vmw_vsock/virtio_transport_common.c
+++ b/net/vmw_vsock/virtio_transport_common.c
@@ -733,6 +733,23 @@ static int virtio_transport_reset_no_sock(const struct virtio_transport *t,
 	return t->send_pkt(reply);
 }
 
+/* This function should be called with sk_lock held and SOCK_DONE set */
+static void virtio_transport_remove_sock(struct vsock_sock *vsk)
+{
+	struct virtio_vsock_sock *vvs = vsk->trans;
+	struct virtio_vsock_pkt *pkt, *tmp;
+
+	/* We don't need to take rx_lock, as the socket is closing and we are
+	 * removing it.
+	 */
+	list_for_each_entry_safe(pkt, tmp, &vvs->rx_queue, list) {
+		list_del(&pkt->list);
+		virtio_transport_free_pkt(pkt);
+	}
+
+	vsock_remove_sock(vsk);
+}
+
 static void virtio_transport_wait_close(struct sock *sk, long timeout)
 {
 	if (timeout) {
@@ -765,7 +782,7 @@ static void virtio_transport_do_close(struct vsock_sock *vsk,
 	    (!cancel_timeout || cancel_delayed_work(&vsk->close_work))) {
 		vsk->close_work_scheduled = false;
 
-		vsock_remove_sock(vsk);
+		virtio_transport_remove_sock(vsk);
 
 		/* Release refcnt obtained when we scheduled the timeout */
 		sock_put(sk);
@@ -828,22 +845,15 @@ static bool virtio_transport_close(struct vsock_sock *vsk)
 
 void virtio_transport_release(struct vsock_sock *vsk)
 {
-	struct virtio_vsock_sock *vvs = vsk->trans;
-	struct virtio_vsock_pkt *pkt, *tmp;
 	struct sock *sk = &vsk->sk;
 	bool remove_sock = true;
 
 	if (sk->sk_type == SOCK_STREAM)
 		remove_sock = virtio_transport_close(vsk);
 
-	list_for_each_entry_safe(pkt, tmp, &vvs->rx_queue, list) {
-		list_del(&pkt->list);
-		virtio_transport_free_pkt(pkt);
-	}
-
 	if (remove_sock) {
 		sock_set_flag(sk, SOCK_DONE);
-		vsock_remove_sock(vsk);
+		virtio_transport_remove_sock(vsk);
 	}
 }
 EXPORT_SYMBOL_GPL(virtio_transport_release);
-- 
2.30.2