Re: [PATCH net v1] kcm: fix zero-frag skb in frag_list on partial sendmsg error

Next message: Konrad Dybcio: "Re: [PATCH v5 11/13] i2c: qcom-geni: Use resources helper APIs in runtime PM functions"
Previous message: Sean Rhodes: "[PATCH] ALSA: hda/realtek: Fix speaker pop on Star Labs StarFighter"
Next in thread: Jiayuan Chen: "Re: [PATCH net v1] kcm: fix zero-frag skb in frag_list on partial sendmsg error"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Paolo Abeni

Date: Tue Feb 17 2026 - 06:53:48 EST

On 2/13/26 7:12 AM, Jiayuan Chen wrote:
> From: Jiayuan Chen <jiayuan.chen@xxxxxxxxxx>
>
> Syzkaller reported a warning in kcm_write_msgs() when processing a
> message with a zero-fragment skb in the frag_list.
>
> When kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb,
> it allocates a new skb (tskb) and links it into the frag_list before
> copying data. If the copy subsequently fails (e.g. -EFAULT from
> user memory), tskb remains in the frag_list with zero fragments:
>
> head skb (msg being assembled, NOT yet in sk_write_queue)
> +-----------+
> | frags[17] | (MAX_SKB_FRAGS, all filled with data)
> | frag_list-+--> tskb
> +-----------+ +----------+
> | frags[0] | (empty! copy failed before filling)
> +----------+
>
> For SOCK_SEQPACKET with partial data already copied, the error path
> saves this message via partial_message for later completion. A
> subsequent zero-length write(fd, NULL, 0) implies MSG_EOR, which
> queues the message to sk_write_queue.

AI review noted that the above statement is dubious. Specifically,
looking it looks like that write(fd, NULL, 0) implies EOR for SOCK_DGRAM
packets:

int eor = (sock->type == SOCK_DGRAM) ?
!(msg->msg_flags & MSG_MORE) : !!(msg->msg_flags & MSG_EOR);

I guess the changelog needs some clarification.

Thanks,

Paolo