From: Pratyush Yadav <ptyadav@amazon.de>
Date: Mon, 22 May 2023 15:30:20 +0000 (+0200)
Subject: net: fix skb leak in __skb_tstamp_tx()
X-Git-Tag: baikal/aarch64/sdk6.2~57
X-Git-Url: https://git.baikalelectronics.ru/sdk/?a=commitdiff_plain;h=af183bf726490a512150044f42bf1a1755ca7fb2;p=kernel.git

net: fix skb leak in __skb_tstamp_tx()

commit 8a02fb71d7192ff1a9a47c9d937624966c6e09af upstream.

Commit 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with
TX timestamp.") added a call to skb_orphan_frags_rx() to fix leaks with
zerocopy skbs. But it ended up adding a leak of its own. When
skb_orphan_frags_rx() fails, the function just returns, leaking the skb
it just cloned. Free it before returning.

This bug was discovered and resolved using Coverity Static Analysis
Security Testing (SAST) by Synopsys, Inc.

Fixes: 50749f2dd685 ("tcp/udp: Fix memleaks of sk and zerocopy skbs with TX timestamp.")
Signed-off-by: Pratyush Yadav <ptyadav@amazon.de>
Reviewed-by: Kuniyuki Iwashima <kuniyu@amazon.com>
Reviewed-by: Willem de Bruijn <willemb@google.com>
Link: https://lore.kernel.org/r/20230522153020.32422-1-ptyadav@amazon.de
Signed-off-by: Jakub Kicinski <kuba@kernel.org>
Signed-off-by: Greg Kroah-Hartman <gregkh@linuxfoundation.org>
---

diff --git a/net/core/skbuff.c b/net/core/skbuff.c
index e37830ef2a4b9..ef9772b12624c 100644
--- a/net/core/skbuff.c
+++ b/net/core/skbuff.c
@@ -4983,8 +4983,10 @@ void __skb_tstamp_tx(struct sk_buff *orig_skb,
 	} else {
 		skb = skb_clone(orig_skb, GFP_ATOMIC);
 
-		if (skb_orphan_frags_rx(skb, GFP_ATOMIC))
+		if (skb_orphan_frags_rx(skb, GFP_ATOMIC)) {
+			kfree_skb(skb);
 			return;
+		}
 	}
 	if (!skb)
 		return;