kcm: fix zero-frag skb in frag_list on partial sendmsg error

Syzkaller reported a warning in kcm_write_msgs() when processing a
message with a zero-fragment skb in the frag_list.

When kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb,
it allocates a new skb (tskb) and links it into the frag_list before
copying data. If the copy subsequently fails (e.g. -EFAULT from
user memory), tskb remains in the frag_list with zero fragments:

head skb (msg being assembled, NOT yet in sk_write_queue)
+-----------+
| frags[17] | (MAX_SKB_FRAGS, all filled with data)
| frag_list-+--> tskb
+-----------+ +----------+
| frags[0] | (empty! copy failed before filling)
+----------+

For SOCK_SEQPACKET with partial data already copied, the error path
saves this message via partial_message for later completion. For
SOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR, so a
subsequent zero-length write(fd, NULL, 0) completes the message and
queues it to sk_write_queue. kcm_write_msgs() then walks the
frag_list and hits:

WARN_ON(!skb_shinfo(skb)->nr_frags)

TCP has a similar pattern where skbs are enqueued before data copy
and cleaned up on failure via tcp_remove_empty_skb(). KCM was
missing the equivalent cleanup.

Fix this by tracking the predecessor skb (frag_prev) when allocating
a new frag_list entry. On error, if the tail skb has zero frags,
use frag_prev to unlink and free it in O(1) without walking the
singly-linked frag_list. frag_prev is safe to dereference because
the entire message chain is only held locally (or in kcm->seq_skb)
and is not added to sk_write_queue until MSG_EOR, so the send path
cannot free it underneath us.

Also change the WARN_ON to WARN_ON_ONCE to avoid flooding the log
if the condition is somehow hit repeatedly.

There are currently no KCM selftests in the kernel tree; a simple
reproducer is available at [1].

[1] https://gist.github.com/mrpre/a94d431c757e8d6f168f4dd1a3749daa

Reported-by: syzbot+52624bdfbf2746d37d70@syzkaller.appspotmail.com
Closes: https://lore.kernel.org/all/000000000000269a1405a12fdc77@google.com/T/
Fixes: ab7ac4eb9832 ("kcm: Kernel Connection Multiplexor module")
Signed-off-by: Jiayuan Chen <jiayuan.chen@shopee.com>
Link: https://patch.msgid.link/20260219014256.370092-1-jiayuan.chen@linux.dev
Signed-off-by: Jakub Kicinski <kuba@kernel.org>

authored by

Jiayuan Chen and committed by

Jakub Kicinski 4 months ago ca220141 fb868db5

+19 -2

1 changed file

expand all

net

kcm

kcmsock.c

+19 -2

net/kcm/kcmsock.c

··· 628 628 skb = txm->frag_skb; 629 629 } 630 630 631 - if (WARN_ON(!skb_shinfo(skb)->nr_frags) || 631 + if (WARN_ON_ONCE(!skb_shinfo(skb)->nr_frags) || 632 632 WARN_ON_ONCE(!skb_frag_page(&skb_shinfo(skb)->frags[0]))) { 633 633 ret = -EINVAL; 634 634 goto out; ··· 749 749 { 750 750 struct sock *sk = sock->sk; 751 751 struct kcm_sock *kcm = kcm_sk(sk); 752 - struct sk_buff *skb = NULL, *head = NULL; 752 + struct sk_buff *skb = NULL, *head = NULL, *frag_prev = NULL; 753 753 size_t copy, copied = 0; 754 754 long timeo = sock_sndtimeo(sk, msg->msg_flags & MSG_DONTWAIT); 755 755 int eor = (sock->type == SOCK_DGRAM) ? ··· 824 824 else 825 825 skb->next = tskb; 826 826 827 + frag_prev = skb; 827 828 skb = tskb; 828 829 skb->ip_summed = CHECKSUM_UNNECESSARY; 829 830 continue; ··· 933 932 934 933 out_error: 935 934 kcm_push(kcm); 935 + 936 + /* When MAX_SKB_FRAGS was reached, a new skb was allocated and 937 + * linked into the frag_list before data copy. If the copy 938 + * subsequently failed, this skb has zero frags. Remove it from 939 + * the frag_list to prevent kcm_write_msgs from later hitting 940 + * WARN_ON(!skb_shinfo(skb)->nr_frags). 941 + */ 942 + if (frag_prev && !skb_shinfo(skb)->nr_frags) { 943 + if (head == frag_prev) 944 + skb_shinfo(head)->frag_list = NULL; 945 + else 946 + frag_prev->next = NULL; 947 + kfree_skb(skb); 948 + /* Update skb as it may be saved in partial_message via goto */ 949 + skb = frag_prev; 950 + } 936 951 937 952 if (sock->type == SOCK_SEQPACKET) { 938 953 /* Wrote some bytes before encountering an

Configure Feed

Configure Feed