From: Pratyush Yadav
To: "David S. Miller", Eric Dumazet, Jakub Kicinski, Paolo Abeni
CC: Pratyush Yadav, Kuniyuki Iwashima, Willem de Bruijn, Norbert Manthey
Subject: [PATCH net] net: fix skb leak in __skb_tstamp_tx()
Date: Mon, 22 May 2023 17:30:20 +0200
Message-ID: <20230522153020.32422-1-ptyadav@amazon.de>
X-Mailing-List: linux-kernel@vger.kernel.org

Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with
TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with
zerocopy skbs. But it ended up adding a leak of its own. When
skb_orphan_frags_rx() fails, the function just returns, leaking the skb
it just cloned. Free it before returning.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.")
Signed-off-by: Pratyush Yadav
---

I do not know this code very well, this was caught by our static
analysis tool. I did not try specifically reproducing the leak but I did
do a boot test by adding this patch on 6.4-rc3 and the kernel boots
fine.

 net/core/skbuff.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/core/skbuff.c b/net/core/skbuff.c index 515ec5cdc79c..cea28d30abb5 100644 --- a/net/core/skbuff.c +++ b/net/core/skbuff.c
@@ -5224,8 +5224,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb, } else { skb = skb_clone(orig_skb, GFP_ATOMIC); - if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) + if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) { + kfree_skb(skb); return; + } } if (!skb) return; -- 2.39.2
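
Review bot: In the else branch the result of skb_clone() is handed to skb_orphan_frags_rx(), and with this change to kfree_skb(), before the `if (!skb) return;` check that follows the block, so a failed clone reaches both calls as NULL. kfree_skb() accepts NULL, but the error path also relies on skb_orphan_frags_rx() tolerating it; either state that in the commit message or test the clone directly after skb_clone() so the new branch does not depend on it. The note under `---` says the failure path itself was not reproduced, so a run that forces skb_orphan_frags_rx() to fail would confirm the clone is freed exactly once.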