Received: by 2002:a05:6a10:206:0:0:0:0 with SMTP id 6csp828004pxj;
        Wed, 2 Jun 2021 12:29:15 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJxbhIPzL9C65RHa56Zn1WcA2ZqNSBaRVonF9eZUsSvnsjfsGZwej5xSU21pLQaIQkDeLCkM
X-Received: by 2002:aa7:c445:: with SMTP id n5mr20897667edr.64.1622662154966;
        Wed, 02 Jun 2021 12:29:14 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1622662154; cv=none;
        d=google.com; s=arc-20160816;
        b=rdEPOZb/W5F/lP1ufaUYM6d1UUpBWgW65sx8Y6Xq9a+fGuVaa52PnI0UCtM+b6ssAR
         9Daaic98Vh7mNBdrAdHDTl7uZA1qbuyTYuaFJOZw9mT6mtwNjgsUp42aV8vXBoLLuBlB
         +wan/GWquT1dcJbPAuCwan9G6ZIh/KmC0A0RxtqILYDXe16ekg1E55D/o0khlqulc3C4
         8ZnZ4viV0EWPduBgZzE1/clSeq/0q8uzQr2z13dWEe7aNiLWfAFO2ryUnHptXLH8tDln
         rcLYfbHJ4vUIaA/6K3MO7vQTKr/FUACF217NSXlfU0DCHFDnwDg8k/7eRtyGIbXPPU+j
         lCPg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=3eTcKsWffVVKPjZgROWnlvuBXI7UvAVKKPxxp+2QZlg=;
        b=BWs+xg2V8V3dvgM2nwUcJabRZVsc73CIHLIh2x4YspWPmhZ9TMike12b+UhHwidnXp
         Tg6d8kTC26edOjnDIdGUKyCmgJxdGHxQA3bO1iPSyaCGS0edUzzTI05A++oE2Vk6weRU
         g+TL3BouFuwH+/ODMxMhaD0iFb8BgghqqK/kHU8LwYrzgR6p0c6dQgwl0ZHYbpz8BLLD
         nX/ZadRURgfmF/iJUqxwYinUD52mHvkkAKRDJnBg7dovDUg+HvR87bHVIuApnfg6aPcv
         2v+9ODfI9dZJbOL36Q7UTNoFHxJXHawqBI9JkpzmQzhQyNBl0WiYULxVYeli3QDazGTw
         He/w==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=VmSDYsE6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id cz6si543744edb.555.2021.06.02.12.28.51;
        Wed, 02 Jun 2021 12:29:14 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@gmail.com header.s=20161025 header.b=VmSDYsE6;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=QUARANTINE dis=NONE) header.from=gmail.com
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S229675AbhFBT2n (ORCPT <rfc822;lukasz.wituch.linux@gmail.com>
        + 99 others); Wed, 2 Jun 2021 15:28:43 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:49374 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S229552AbhFBT2m (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Wed, 2 Jun 2021 15:28:42 -0400
Received: from mail-lf1-x136.google.com (mail-lf1-x136.google.com [IPv6:2a00:1450:4864:20::136])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 3A121C061756;
        Wed,  2 Jun 2021 12:26:51 -0700 (PDT)
Received: by mail-lf1-x136.google.com with SMTP id r198so1733278lff.11;
        Wed, 02 Jun 2021 12:26:51 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=3eTcKsWffVVKPjZgROWnlvuBXI7UvAVKKPxxp+2QZlg=;
        b=VmSDYsE6qXuKdsNbzP+1a5Fb8IMfzB8xg1zz8XrQUtTPsSJ0dtdnWLdzLGjyA0TyE0
         j6Xut2notzCNhkZh2rfcRhfS8LN26+woBgoMQ30tkSBhROLRxFR4InBS4hjHfyOxKILg
         r9SaIhBCh482gLYqcu2pDrPnU/694khEiv6VwzIw+arNZERh1KQ+lHOU6IVlf2EZRE7g
         Z/XzZeaaG6NdLGXyh97u7Bd+AMljVPkcRa8UF1PCvZsB66/uRPHFLhyVUOso0GEhnbEC
         pmR72bsDROB1ke0GZf7tWT2y7N15abAI3VFKVbiMt3nQXvRSUPsXILJ2yTS/emKYkyjA
         ueZg==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:date:message-id:mime-version
         :content-transfer-encoding;
        bh=3eTcKsWffVVKPjZgROWnlvuBXI7UvAVKKPxxp+2QZlg=;
        b=hlmc/Rp5kWR0wxSjYxb5k0/2631IqzIt82nID7V2N0AIpvxPHVA9nwRYwfpULA4vHy
         RQjKJm68H9ZgE7ke6NpbdI5Lkt24c7Y7UTKmPYhsfWTVrO2/+8tsi9tJDLukv7b46KpD
         p1KqJQU3xYxG5i0nraRE+7eRv+0zhjls3cVy5yLMgb98iSi7fLm0Jd5U8EJpwZ9OCyh+
         EEnvqS4e1IBGy8e5spVu7VdysaK0jBFF/69EGvdzwG0/1zK3d97sXJ3jEL/7Gv4/8mFS
         ekqF/3PPPA1WtQo1Xk9UuRtGxOBN7ZEmM8fSaEBK0gnKt02JUPqa84J+4W8kMaB/lr4V
         uuGQ==
X-Gm-Message-State: AOAM530H0ex3/nA1hQvr1WKSndD7NI/WGg0jIu0GmsnqT1qqrgn2TbKR
        4HrJtMSAPQdq7ezEpwvkvfw=
X-Received: by 2002:ac2:5d6c:: with SMTP id h12mr24423879lft.354.1622662009569;
        Wed, 02 Jun 2021 12:26:49 -0700 (PDT)
Received: from localhost.localdomain ([94.103.224.40])
        by smtp.gmail.com with ESMTPSA id w21sm76683lfu.174.2021.06.02.12.26.48
        (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256);
        Wed, 02 Jun 2021 12:26:49 -0700 (PDT)
From:   Pavel Skripkin <paskripkin@gmail.com>
To:     davem@davemloft.net, kuba@kernel.org, tom@herbertland.com
Cc:     netdev@vger.kernel.org, linux-kernel@vger.kernel.org,
        Pavel Skripkin <paskripkin@gmail.com>,
        syzbot+b039f5699bd82e1fb011@syzkaller.appspotmail.com,
        stable@vger.kernel.org
Subject: [PATCH] net: kcm: fix memory leak in kcm_sendmsg
Date:   Wed,  2 Jun 2021 22:26:40 +0300
Message-Id: <20210602192640.13597-1-paskripkin@gmail.com>
X-Mailer: git-send-email 2.31.1
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Syzbot reported memory leak in kcm_sendmsg()[1].
The problem was in non-freed frag_list in case of error.

In the while loop:

	if (head == skb)
		skb_shinfo(head)->frag_list = tskb;
	else
		skb->next = tskb;

frag_list filled with skbs, but nothing was freeing them.

backtrace:
  [<0000000094c02615>] __alloc_skb+0x5e/0x250 net/core/skbuff.c:198
  [<00000000e5386cbd>] alloc_skb include/linux/skbuff.h:1083 [inline]
  [<00000000e5386cbd>] kcm_sendmsg+0x3b6/0xa50 net/kcm/kcmsock.c:967 [1]
  [<00000000f1613a8a>] sock_sendmsg_nosec net/socket.c:652 [inline]
  [<00000000f1613a8a>] sock_sendmsg+0x4c/0x60 net/socket.c:672

Reported-and-tested-by: syzbot+b039f5699bd82e1fb011@syzkaller.appspotmail.com
Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Cc: stable@vger.kernel.org
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---
 net/kcm/kcmsock.c | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/net/kcm/kcmsock.c b/net/kcm/kcmsock.c
index 6201965bd822..1c572c8daced 100644
--- a/net/kcm/kcmsock.c
+++ b/net/kcm/kcmsock.c
@@ -1066,6 +1066,11 @@ static int kcm_sendmsg(struct socket *sock, struct msghdr *msg, size_t len)
 		goto partial_message;
 	}
 
+	if (skb_has_frag_list(head)) {
+		kfree_skb_list(skb_shinfo(head)->frag_list);
+		skb_shinfo(head)->frag_list = NULL;
+	}
+
 	if (head != kcm->seq_skb)
 		kfree_skb(head);
 
-- 
2.31.1