On Thu, Jul 1, 2021 at 5:12 PM John Fastabend <john.fastabend@xxxxxxxxx> wrote: > > If skb_linearize is needed and fails we could leak a msg on the error > handling. To fix ensure we kfree the msg block before returning error. > Found during code review. > > Fixes: 4363023d2668e ("bpf, sockmap: Avoid failures from skb_to_sgvec when skb has frag_list") > Signed-off-by: John Fastabend <john.fastabend@xxxxxxxxx> > --- > net/core/skmsg.c | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/net/core/skmsg.c b/net/core/skmsg.c > index 9b6160a191f8..22603289c2b2 100644 > --- a/net/core/skmsg.c > +++ b/net/core/skmsg.c > @@ -505,8 +505,10 @@ static int sk_psock_skb_ingress_enqueue(struct sk_buff *skb, > * drop the skb. We need to linearize the skb so that the mapping > * in skb_to_sgvec can not error. > */ > - if (skb_linearize(skb)) > + if (skb_linearize(skb)) { > + kfree(msg); > return -EAGAIN; > + } > num_sge = skb_to_sgvec(skb, msg->sg.data, 0, skb->len); > if (unlikely(num_sge < 0)) { > kfree(msg); I think it is better to let whoever allocates msg free it, IOW, let sk_psock_skb_ingress_enqueue()'s callers handle its failure. Thanks.
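
Review bot: in the `skb_linearize()` failure branch, the added `kfree(msg)` repeats the cleanup that the `num_sge < 0` branch just below already performs, so the function now has two hand-written free-and-return exits; a shared error label that frees `msg` and returns the error code would keep the cleanup in one place and make it harder for a later early return to reintroduce the leak. If ownership of `msg` is instead moved to the callers of `sk_psock_skb_ingress_enqueue()`, as the reply proposes, the existing `kfree(msg)` in the `skb_to_sgvec()` error path has to be removed in the same change, otherwise that path would free `msg` twice.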