Re: [PATCH net v1] kcm: fix zero-frag skb in frag_list on partial sendmsg error

From: Jiayuan Chen

Date: Wed Feb 18 2026 - 20:40:41 EST


2026/2/17 19:52, "Paolo Abeni" <pabeni@xxxxxxxxxx> wrote:


>
> On 2/13/26 7:12 AM, Jiayuan Chen wrote:
>
> >
> > From: Jiayuan Chen <jiayuan.chen@xxxxxxxxxx>
> >
> > Syzkaller reported a warning in kcm_write_msgs() when processing a
> > message with a zero-fragment skb in the frag_list.
> >
> > When kcm_sendmsg() fills MAX_SKB_FRAGS fragments in the current skb,
> > it allocates a new skb (tskb) and links it into the frag_list before
> > copying data. If the copy subsequently fails (e.g. -EFAULT from
> > user memory), tskb remains in the frag_list with zero fragments:
> >
> > head skb (msg being assembled, NOT yet in sk_write_queue)
> > +-----------+
> > | frags[17] |  (MAX_SKB_FRAGS, all filled with data)
> > | frag_list-+--> tskb
> > +-----------+    +----------+
> >                  | frags[0] |  (empty! copy failed before filling)
> >                  +----------+
> >
> > For SOCK_SEQPACKET with partial data already copied, the error path
> > saves this message via partial_message for later completion. A
> > subsequent zero-length write(fd, NULL, 0) implies MSG_EOR, which
> > queues the message to sk_write_queue.
> >
> AI review noted that the above statement is dubious. Specifically,
> it looks like write(fd, NULL, 0) implies EOR for SOCK_DGRAM
> packets:
>
> int eor = (sock->type == SOCK_DGRAM) ?
>           !(msg->msg_flags & MSG_MORE) : !!(msg->msg_flags & MSG_EOR);
>
> I guess the changelog needs some clarification.
>
> Thanks,
>
> Paolo
>

Thanks for pointing this out. I'll update the changelog to clarify that
for SOCK_SEQPACKET, sock_write_iter() automatically sets MSG_EOR
(net/socket.c:1189), which is what makes the subsequent write()
complete the message.