diff mbox series

[v2] net: rds: fix memory leak in rds_recvmsg

Message ID 20210608080641.16543-1-paskripkin@gmail.com (mailing list archive)
State Accepted
Commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f
Delegated to: Netdev Maintainers
Headers show
Series [v2] net: rds: fix memory leak in rds_recvmsg | expand

Checks

Context Check Description
netdev/cover_letter success Link
netdev/fixes_present success Link
netdev/patch_count success Link
netdev/tree_selection success Guessed tree name to be net-next
netdev/subject_prefix warning Target tree name not specified in the subject
netdev/cc_maintainers fail 1 blamed authors not CCed: andy.grover@oracle.com; 1 maintainers not CCed: andy.grover@oracle.com
netdev/source_inline success Was 0 now: 0
netdev/verify_signedoff success Link
netdev/module_param success Was 0 now: 0
netdev/build_32bit success Errors and warnings before: 7 this patch: 7
netdev/kdoc success Errors and warnings before: 0 this patch: 0
netdev/verify_fixes success Link
netdev/checkpatch success total: 0 errors, 0 warnings, 0 checks, 8 lines checked
netdev/build_allmodconfig_warn success Errors and warnings before: 7 this patch: 7
netdev/header_inline success Link

Commit Message

Pavel Skripkin June 8, 2021, 8:06 a.m. UTC 
Syzbot reported memory leak in rds. The problem
was in unputted refcount in case of error.

int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
		int msg_flags)
{
...

	if (!rds_next_incoming(rs, &inc)) {
		...
	}

After this "if" inc refcount incremented and

	if (rds_cmsg_recv(inc, msg, rs)) {
		ret = -EFAULT;
		goto out;
	}
...
out:
	return ret;
}

in case of rds_cmsg_recv() fail the refcount won't be
decremented. And it's easy to see from ftrace log, that
rds_inc_addref() don't have rds_inc_put() pair in
rds_recvmsg() after rds_cmsg_recv()

 1)               |  rds_recvmsg() {
 1)   3.721 us    |    rds_inc_addref();
 1)   3.853 us    |    rds_message_inc_copy_to_user();
 1) + 10.395 us   |    rds_cmsg_recv();
 1) + 34.260 us   |  }

Fixes: bdbe6fbc6a2f ("RDS: recv.c")
Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com
Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
---

Changes in v2:
	Changed goto to break.

---
 net/rds/recv.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comments

Haakon Bugge June 8, 2021, 12:29 p.m. UTC | #1 
> On 8 Jun 2021, at 10:06, Pavel Skripkin <paskripkin@gmail.com> wrote:
> 
> Syzbot reported memory leak in rds. The problem
> was in unputted refcount in case of error.
> 
> int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
> 		int msg_flags)
> {
> ...
> 
> 	if (!rds_next_incoming(rs, &inc)) {
> 		...
> 	}
> 
> After this "if" inc refcount incremented and
> 
> 	if (rds_cmsg_recv(inc, msg, rs)) {
> 		ret = -EFAULT;
> 		goto out;
> 	}
> ...
> out:
> 	return ret;
> }
> 
> in case of rds_cmsg_recv() fail the refcount won't be
> decremented. And it's easy to see from ftrace log, that
> rds_inc_addref() don't have rds_inc_put() pair in
> rds_recvmsg() after rds_cmsg_recv()
> 
> 1)               |  rds_recvmsg() {
> 1)   3.721 us    |    rds_inc_addref();
> 1)   3.853 us    |    rds_message_inc_copy_to_user();
> 1) + 10.395 us   |    rds_cmsg_recv();
> 1) + 34.260 us   |  }
> 
> Fixes: bdbe6fbc6a2f ("RDS: recv.c")
> Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>

Reviewed-by: Håkon Bugge <haakon.bugge@oracle.com>


Thanks for fixing this, Håkon

> ---
> 
> Changes in v2:
> 	Changed goto to break.
> 
> ---
> net/rds/recv.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/net/rds/recv.c b/net/rds/recv.c
> index 4db109fb6ec2..5b426dc3634d 100644
> --- a/net/rds/recv.c
> +++ b/net/rds/recv.c
> @@ -714,7 +714,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
> 
> 		if (rds_cmsg_recv(inc, msg, rs)) {
> 			ret = -EFAULT;
> -			goto out;
> +			break;
> 		}
> 		rds_recvmsg_zcookie(rs, msg);
> 
> -- 
> 2.31.1
>
Santosh Shilimkar June 8, 2021, 2:41 p.m. UTC | #2 
On Jun 8, 2021, at 1:06 AM, Pavel Skripkin <paskripkin@gmail.com> wrote:
> 
> Syzbot reported memory leak in rds. The problem
> was in unputted refcount in case of error.
> 
> int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
> 		int msg_flags)
> {
> ...
> 
> 	if (!rds_next_incoming(rs, &inc)) {
> 		...
> 	}
> 
> After this "if" inc refcount incremented and
> 
> 	if (rds_cmsg_recv(inc, msg, rs)) {
> 		ret = -EFAULT;
> 		goto out;
> 	}
> ...
> out:
> 	return ret;
> }
> 
> in case of rds_cmsg_recv() fail the refcount won't be
> decremented. And it's easy to see from ftrace log, that
> rds_inc_addref() don't have rds_inc_put() pair in
> rds_recvmsg() after rds_cmsg_recv()
> 
> 1)               |  rds_recvmsg() {
> 1)   3.721 us    |    rds_inc_addref();
> 1)   3.853 us    |    rds_message_inc_copy_to_user();
> 1) + 10.395 us   |    rds_cmsg_recv();
> 1) + 34.260 us   |  }
> 
> Fixes: bdbe6fbc6a2f ("RDS: recv.c")
> Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com
> Signed-off-by: Pavel Skripkin <paskripkin@gmail.com>
> ---
> 
> Changes in v2:
> 	Changed goto to break.
> 
Looks fine by me. Thanks for the fix.

Acked-by: Santosh Shilimkar <santosh.shilimkar@oracle.com>
patchwork-bot+netdevbpf@kernel.org June 8, 2021, 11:40 p.m. UTC | #3 
Hello:

This patch was applied to netdev/net.git (refs/heads/master):

On Tue,  8 Jun 2021 11:06:41 +0300 you wrote:
> Syzbot reported memory leak in rds. The problem
> was in unputted refcount in case of error.
> 
> int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
> 		int msg_flags)
> {
> ...
> 
> [...]

Here is the summary with links:
  - [v2] net: rds: fix memory leak in rds_recvmsg
    https://git.kernel.org/netdev/net/c/49bfcbfd989a

You are awesome, thank you!
--
Deet-doot-dot, I am a bot.
https://korg.docs.kernel.org/patchwork/pwbot.html
diff mbox series

Patch

diff --git a/net/rds/recv.c b/net/rds/recv.c
index 4db109fb6ec2..5b426dc3634d 100644
--- a/net/rds/recv.c
+++ b/net/rds/recv.c
@@ -714,7 +714,7 @@  int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
 
 		if (rds_cmsg_recv(inc, msg, rs)) {
 			ret = -EFAULT;
-			goto out;
+			break;
 		}
 		rds_recvmsg_zcookie(rs, msg);