On Jun 8, 2021, at 1:06 AM, Pavel Skripkin <paskripkin@xxxxxxxxx> wrote:
>
> Syzbot reported a memory leak in rds. The problem
> was an unputted refcount in the error case.
>
> int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size,
>                 int msg_flags)
> {
> ...
>
>         if (!rds_next_incoming(rs, &inc)) {
>                 ...
>         }
>
> After this "if", inc's refcount is incremented, and
>
>         if (rds_cmsg_recv(inc, msg, rs)) {
>                 ret = -EFAULT;
>                 goto out;
>         }
> ...
> out:
>         return ret;
> }
>
> in case rds_cmsg_recv() fails, the refcount won't be
> decremented. And it's easy to see from the ftrace log that
> rds_inc_addref() doesn't have an rds_inc_put() pair in
> rds_recvmsg() after rds_cmsg_recv():
>
>  1)               |  rds_recvmsg() {
>  1)   3.721 us    |    rds_inc_addref();
>  1)   3.853 us    |    rds_message_inc_copy_to_user();
>  1) + 10.395 us   |    rds_cmsg_recv();
>  1) + 34.260 us   |  }
>
> Fixes: bdbe6fbc6a2f ("RDS: recv.c")
> Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@xxxxxxxxxxxxxxxxxxxxxxxxx
> Signed-off-by: Pavel Skripkin <paskripkin@xxxxxxxxx>
> ---
>
> Changes in v2:
>   Changed goto to break.
>
Looks fine to me. Thanks for the fix.

Acked-by: Santosh Shilimkar <santosh.shilimkar@xxxxxxxxxx>
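As an added illustration, not part of the patch above or of the kernel's RDS code: the C program below models the receive loop the commit message describes, with the reference dropped after the loop and an error path that either jumps past that put (the leak) or breaks out of the loop (the v2 fix). The struct, function names and the single-iteration loop are stand-ins chosen for the illustration, and the counter is a plain int rather than the kernel's refcount_t so the imbalance can be read back after the call.

```c
#include <errno.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Hypothetical stand-in for struct rds_incoming; only its reference count
 * matters here (this is not the kernel's structure). */
struct inc_model {
    int refcount;
};

/* Stand-ins for rds_inc_addref()/rds_inc_put(). */
static void inc_addref(struct inc_model *inc) { inc->refcount++; }
static void inc_put(struct inc_model *inc)    { inc->refcount--; }

/* Stand-in for rds_cmsg_recv(): nonzero means "copying the control message
 * to user space failed", the error path the report is about. */
static int cmsg_recv_stub(bool fail) { return fail ? -1 : 0; }

/* Shape of the receive path before the fix (simplified model): the reference
 * taken when the message is dequeued is dropped after the loop, but the
 * error path jumps past that put with goto out. */
static int recvmsg_before(struct inc_model *msg, bool cmsg_fails)
{
    struct inc_model *inc = NULL;
    int ret = 0;

    while (1) {
        inc = msg;                 /* rds_next_incoming() succeeded ...  */
        inc_addref(inc);           /* ... and took a reference            */

        if (cmsg_recv_stub(cmsg_fails)) {
            ret = -EFAULT;
            goto out;              /* BUG: skips the inc_put() below      */
        }
        break;
    }

    if (inc)
        inc_put(inc);              /* balances the addref on normal exits */
out:
    return ret;
}

/* Same shape after the v2 change ("Changed goto to break"): leaving the loop
 * with break falls through to the put, so the error path no longer leaks. */
static int recvmsg_after(struct inc_model *msg, bool cmsg_fails)
{
    struct inc_model *inc = NULL;
    int ret = 0;

    while (1) {
        inc = msg;
        inc_addref(inc);

        if (cmsg_recv_stub(cmsg_fails)) {
            ret = -EFAULT;
            break;                 /* FIX: still reaches the put below */
        }
        break;
    }

    if (inc)
        inc_put(inc);
    return ret;
}

/* Run one variant on a fresh message and report how many references it left
 * behind; anything other than 0 is the addref-without-put the ftrace log shows. */
static int leaked_refs(int (*recvmsg)(struct inc_model *, bool), bool cmsg_fails)
{
    struct inc_model msg = { .refcount = 0 };

    recvmsg(&msg, cmsg_fails);
    return msg.refcount;
}

/* Return value of one variant, to confirm the fix keeps reporting -EFAULT. */
static int ret_of(int (*recvmsg)(struct inc_model *, bool), bool cmsg_fails)
{
    struct inc_model msg = { .refcount = 0 };

    return recvmsg(&msg, cmsg_fails);
}

int main(void)
{
    printf("before fix, cmsg ok:    leaked refs = %d\n", leaked_refs(recvmsg_before, false));
    printf("before fix, cmsg fails: leaked refs = %d\n", leaked_refs(recvmsg_before, true));
    printf("after fix,  cmsg ok:    leaked refs = %d\n", leaked_refs(recvmsg_after, false));
    printf("after fix,  cmsg fails: leaked refs = %d (ret %d)\n",
           leaked_refs(recvmsg_after, true), ret_of(recvmsg_after, true));
    return 0;
}
```

The model deliberately keeps the put outside the loop body, because that is what makes goto and break differ: a goto that targets a label below the put is the whole bug, and break is the smallest change that routes the error path back through it.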