Received: by 2002:a05:6358:3188:b0:123:57c1:9b43 with SMTP id q8csp3117420rwd;
        Mon, 22 May 2023 08:54:21 -0700 (PDT)
X-Google-Smtp-Source: ACHHUZ4EUiz2KTuSBWlLxwAKuD4cPx9KbaeOQvkCQPzPfQCONKJHZfmtzDPZhP0U9Bkg2zosXWQP
X-Received: by 2002:a17:902:ecd0:b0:1ae:8741:d1ca with SMTP id a16-20020a170902ecd000b001ae8741d1camr11268667plh.45.1684770860973;
        Mon, 22 May 2023 08:54:20 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1684770860; cv=none;
        d=google.com; s=arc-20160816;
        b=WFJnEtb1os8iCbe2rL9KmgJT+bucARWpvq3quMhSnTDI61BDwlJ3ONWagE8Uwxyzhb
         l6GkKhdkSzJZuKJnbtJmXpX0CR1pFxkQksmM4Ww7/UvazlTyA2D/a8QWLReTXM0gC9O2
         z5TlIj6uBHQzV+kt77jVmRFCVMVs0C0UGNTqhi3SoUw+K+zzXaXq1V+cIJdhb0CM8ExF
         HfeLRpgvzXNLfKPi9IqKNVg35+58FFbolaD3RFa4QBWPmDRYrm1eWlST03AbhQpGVq/D
         eL8DFv7oQA/Q+6np5UqN42y4SK9/cGDzHEszNh2nsr+clL1Ig8HVpTA+z2jDMXKMin/d
         /Ctw==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-transfer-encoding:mime-version
         :message-id:date:subject:cc:to:from:dkim-signature;
        bh=/wZOTRTHC/iA8R8dp/VVaoHLOP9DeLCMvFB/lSHlqSI=;
        b=f71dmG0C8VUxz5tlBnsYh8FguKIoJxwuRsWmxPZXlhOt96SOsP9hEAAWP3VgtbXVYO
         zC2dE03R56kEVv5PjNbpOYDcU6RMmBABxGAy5Vdx/aLUsDX5Jj+nzHyO4lkVQqjNy9Mn
         m6gYzwHKNNO7cq9H1GUaWShAIqntvYf5rEpUBm4G0yaQBT7scFPPDwBSqoeeqg4LvhEN
         relC/Z0n3c0B+yyKZsEfQkpPFq+ooV4q1s+we4AS9v90S6WOE9wzZfher066i9OcCqyi
         Y6oYHAAAEi9j2QQdqRuAHwI4qIZEvcrFY5D7Ggzl6JVzkHwxsfTbRDGDcPmp73aJsCgN
         cgog==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@amazon.de header.s=amazon201209 header.b=sefgdGAB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.de
Return-Path: <linux-kernel-owner@vger.kernel.org>
Received: from out1.vger.email (out1.vger.email. [2620:137:e000::1:20])
        by mx.google.com with ESMTP id 9-20020a170902c14900b001a6a636eb6dsi1134399plj.215.2023.05.22.08.54.08;
        Mon, 22 May 2023 08:54:20 -0700 (PDT)
Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) client-ip=2620:137:e000::1:20;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@amazon.de header.s=amazon201209 header.b=sefgdGAB;
       spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 2620:137:e000::1:20 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org;
       dmarc=pass (p=QUARANTINE sp=QUARANTINE dis=NONE) header.from=amazon.de
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S233644AbjEVPad (ORCPT <rfc822;5losepatience@gmail.com>
        + 99 others); Mon, 22 May 2023 11:30:33 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:33588 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S231923AbjEVPab (ORCPT
        <rfc822;linux-kernel@vger.kernel.org>);
        Mon, 22 May 2023 11:30:31 -0400
Received: from smtp-fw-2101.amazon.com (smtp-fw-2101.amazon.com [72.21.196.25])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id B333EA1;
        Mon, 22 May 2023 08:30:28 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
  d=amazon.de; i=@amazon.de; q=dns/txt; s=amazon201209;
  t=1684769429; x=1716305429;
  h=from:to:cc:subject:date:message-id:mime-version:
   content-transfer-encoding;
  bh=/wZOTRTHC/iA8R8dp/VVaoHLOP9DeLCMvFB/lSHlqSI=;
  b=sefgdGABmtvxH3kUibFmgEqgEZq7jP8ylULZoVP41Kuta7pxGm2fMuDF
   jATAqzhO7OlZDxyANtmkZaYr+uWUTKYV1ejARvX9bhRXrgS08X7udQHtW
   OksB1jGcJBbYkXNCQbWFo0ZpI27W0DodnAxgIu0X8Oo0dGM0unD7DcAuF
   g=;
X-IronPort-AV: E=Sophos;i="6.00,184,1681171200"; 
   d="scan'208";a="327640414"
Received: from iad12-co-svc-p1-lb1-vlan3.amazon.com (HELO email-inbound-relay-iad-1e-m6i4x-529f0975.us-east-1.amazon.com) ([10.43.8.6])
  by smtp-border-fw-2101.iad2.amazon.com with ESMTP/TLS/ECDHE-RSA-AES256-GCM-SHA384; 22 May 2023 15:30:26 +0000
Received: from EX19D016EUA002.ant.amazon.com (iad12-ws-svc-p26-lb9-vlan3.iad.amazon.com [10.40.163.38])
        by email-inbound-relay-iad-1e-m6i4x-529f0975.us-east-1.amazon.com (Postfix) with ESMTPS id 88893443C9;
        Mon, 22 May 2023 15:30:24 +0000 (UTC)
Received: from EX19D028EUB002.ant.amazon.com (10.252.61.43) by
 EX19D016EUA002.ant.amazon.com (10.252.50.57) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1118.26; Mon, 22 May 2023 15:30:23 +0000
Received: from EX19MTAUEC001.ant.amazon.com (10.252.135.222) by
 EX19D028EUB002.ant.amazon.com (10.252.61.43) with Microsoft SMTP Server
 (version=TLS1_2, cipher=TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384) id
 15.2.1118.26; Mon, 22 May 2023 15:30:23 +0000
Received: from dev-dsk-ptyadav-1c-37607b33.eu-west-1.amazon.com (10.15.11.255)
 by mail-relay.amazon.com (10.252.135.200) with Microsoft SMTP Server id
 15.2.1118.26 via Frontend Transport; Mon, 22 May 2023 15:30:22 +0000
Received: by dev-dsk-ptyadav-1c-37607b33.eu-west-1.amazon.com (Postfix, from userid 23027615)
        id 7F9E320E16; Mon, 22 May 2023 17:30:22 +0200 (CEST)
From:   Pratyush Yadav <ptyadav@amazon.de>
To:     "David S. Miller" <davem@davemloft.net>,
        Eric Dumazet <edumazet@google.com>,
        Jakub Kicinski <kuba@kernel.org>,
        Paolo Abeni <pabeni@redhat.com>
CC:     Pratyush Yadav <ptyadav@amazon.de>,
        Kuniyuki Iwashima <kuniyu@amazon.com>,
        Willem de Bruijn <willemb@google.com>,
        Norbert Manthey <nmanthey@amazon.de>, <netdev@vger.kernel.org>,
        <linux-kernel@vger.kernel.org>
Subject: [PATCH net] net: fix skb leak in __skb_tstamp_tx()
Date:   Mon, 22 May 2023 17:30:20 +0200
Message-ID: <20230522153020.32422-1-ptyadav@amazon.de>
X-Mailer: git-send-email 2.39.2
MIME-Version: 1.0
Content-Transfer-Encoding: 8bit
Content-Type: text/plain
X-Spam-Status: No, score=-4.1 required=5.0 tests=BAYES_00,DKIMWL_WL_HIGH,
        DKIM_SIGNED,DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,
        RCVD_IN_DNSWL_MED,RCVD_IN_MSPIKE_H3,RCVD_IN_MSPIKE_WL,SPF_HELO_NONE,
        SPF_NONE,T_SCC_BODY_TEXT_LINE autolearn=ham autolearn_force=no
        version=3.4.6
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on
        lindbergh.monkeyblade.net
Precedence: bulk
List-ID: <linux-kernel.vger.kernel.org>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with
TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with
zerocopy skbs. But it ended up adding a leak of its own. When
skb_orphan_frags_rx() fails, the function just returns, leaking the skb
it just cloned. Free it before returning.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.")
Signed-off-by: Pratyush Yadav <ptyadav@amazon.de>
---

I do not know this code very well, this was caught by our static
analysis tool. I did not try specifically reproducing the leak but I did
do a boot test by adding this patch on 6.4-rc3 and the kernel boots
fine.

 net/core/skbuff.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index 515ec5cdc79c..cea28d30abb5 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -5224,8 +5224,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
 	} else {
 		skb = skb_clone(orig_skb, GFP_ATOMIC);

-		if (skb_orphan_frags_rx(skb, GFP_ATOMIC))
+		if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) {
+			kfree_skb(skb);
 			return;
+		}
 	}
 	if (!skb)
 		return;
--
2.39.2