Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp549826ybb; Fri, 10 Apr 2020 05:30:59 -0700 (PDT) X-Google-Smtp-Source: APiQypK/BsFZdQY9RiDEVLiQLLRQl1WnrjTAQjTvjwv6BrtiBqsl18zrBx3f7sRHkn1A+DrlW/VY X-Received: by 2002:a37:9d48:: with SMTP id g69mr3736467qke.135.1586521859066; Fri, 10 Apr 2020 05:30:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1586521859; cv=none; d=google.com; s=arc-20160816; b=JMYeNIrDkzRCjbRo3RwroNZ0HrcgyQ6p51CPi8SHlYuha3c4xlvScm0TXsy2lhNLlL RmPdULc/U6Lko3GdBuBORBhhnKblFxB7gnAuRbK2YE0Xa3qmKvoCoEOd4kH3rdNvLUNS rut1qtJnjAgJ1tzQ4edGO8DNGNjmS56Ps+DX4KA0ZuPdHGWLHjBj26GVItFyZhMtjCfw Jau35eCAL/DiMuoE9pap/n1hZPIgzANiCZLZvZYUsmM28efP+yiWBKTQnf6bSlPd+sfH edrnJ9Cs7HIV/yPR5zuKkIGxrIO3k9GNA9+WhAwDRkUwC/nEDf/Vu30fKMgEhLu6N8Tk MU4g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:sender:message-id:date:subject:cc:to:from :dkim-signature; bh=dyzXmKu6IT/Un75AvtMcFm0MmYMRWfAsrqCi/hItOfE=; b=pvaVa8IULyCt5GuC8J794+b1B1IYWxqBmcX6z/HFFPgskOjPh1Spjeo00fIlRPPMNS PFDC8tCOriuaEemoi1linl2R9z+E2Jhock6Plrw3HUeuDHywMwUbA7qYEpZRIT8Mks/w 99BRjxjdc22WXn1E6qm62i3PLKvim2If3wQtuaL4hykvjtQyBiHMvYLqJMdJxHOAaV7+ dRrRxx6HH+jd6kkbZFhagWIHw0OUYgk4anlH21s5wihHp0sWp475UwdvrJxrJjTTFLkv apVI2NyjFABYuycDFoYNytf0NLVyRSeyOmLdUTNkXzLgvkdrW/IQNPINxn0ermJNrDQV pLvQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=dFATq622; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67]) by mx.google.com with ESMTP id w44si1057595qtj.63.2020.04.10.05.30.43; Fri, 10 Apr 2020 05:30:59 -0700 (PDT) Received-SPF: pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67; Authentication-Results: mx.google.com; dkim=fail header.i=@gmail.com header.s=20161025 header.b=dFATq622; spf=pass (google.com: best guess record for domain of linux-kernel-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726173AbgDJM3X (ORCPT + 99 others); Fri, 10 Apr 2020 08:29:23 -0400 Received: from mail-lf1-f65.google.com ([209.85.167.65]:45999 "EHLO mail-lf1-f65.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725926AbgDJM3X (ORCPT ); Fri, 10 Apr 2020 08:29:23 -0400 Received: by mail-lf1-f65.google.com with SMTP id f8so1226398lfe.12; Fri, 10 Apr 2020 05:29:21 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=sender:from:to:cc:subject:date:message-id; bh=dyzXmKu6IT/Un75AvtMcFm0MmYMRWfAsrqCi/hItOfE=; b=dFATq6225UkB+ndW1q0MUtbxWax/bpYH/lVDUCCZoR/bytXFFKlAvqU0ogKu1vZkRm Z6XEBY73WGQruhzmC+P0je0W9srJO1Z6H90Agqn9j/HblTKoTAedwlex9pfEoXdektBt 3WzuqQc6zlXYYXGFaYsi7xtfRtvltqXZKDzp8FcIldCIcbB1814nLAAkO43RlBgacEEh YLisjYAFkDbbqJ6j4J/cYb9EYVLwKzJZxbllMRaYEVwKD6xJvGwHhpm5Juy8lRMlCeeS 3J6P5l+ycqOcAU+tLO6wBVUi5d+Au10o//CznthQiwSjQOmqC5w0eAyaypyjtstLY78I Zv0w== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:sender:from:to:cc:subject:date:message-id; bh=dyzXmKu6IT/Un75AvtMcFm0MmYMRWfAsrqCi/hItOfE=; b=LlnmE1MnWnoQQYcDlwk7IcqHbEnTSCvylPyhLiQBoqWfnO970g3hDuDyQvB9XP0lPe WH8z6AplEnKV3qsW2eGhaLItF08tQ8Y/7+nHn+yhTnr5pLgs2djESpqX/imvLQbaqypt iiswSRl6xEgFBjKtxs7ULZ1nptFwLHy8ReC/eH2XR47dnJ/bnEnWiWKiN8Slz/Ciq75w wr5LM2k1zildEGt6E676AmhawjfvGd7ZsUunNEFJTvlVimcbXsdLhcY1AMo4UpSbeL59 6fhBkCqY33USI6vNDggrtrPJbR32QurPGDbZLXLceSZywIN/GIA3qUyem74H9FvisI1H ctSg== X-Gm-Message-State: AGi0Puagx6oFSmgy34G5EpGoWcvbUSM99Bb1uN9Euglz0MTpMCz8ey72 H67C7Tc2TPOGsRusNOPwRSc= X-Received: by 2002:ac2:4a9d:: with SMTP id l29mr2420626lfp.4.1586521760984; Fri, 10 Apr 2020 05:29:20 -0700 (PDT) Received: from work.bb.dnainternet.fi (dffyyyyyyyyyyyysyd4py-3.rev.dnainternet.fi. [2001:14ba:2100::1e0:1e18]) by smtp.gmail.com with ESMTPSA id x17sm1012977ljc.33.2020.04.10.05.29.19 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Fri, 10 Apr 2020 05:29:20 -0700 (PDT) From: Tuomas Tynkkynen To: axboe@kernel.dk, josef@toxicpanda.com Cc: linux-block@vger.kernel.org, nbd@other.debian.org, linux-kernel@vger.kernel.org, syzbot+934037347002901b8d2a@syzkaller.appspotmail.com, Tuomas Tynkkynen , stable@kernel.org Subject: [PATCH] nbd: Fix memory leak from krealloc() if another allocation fails Date: Fri, 10 Apr 2020 15:29:13 +0300 Message-Id: <20200410122913.14339-1-tuomas.tynkkynen@iki.fi> X-Mailer: git-send-email 2.17.1 Sender: linux-kernel-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org syzkaller reports a memory leak when injecting allocation failures: FAULT_INJECTION: forcing a failure. name failslab, interval 1, probability 0, space 0, times 0 ... kmem_cache_alloc_trace+0x26/0x2c0 nbd_add_socket+0xa8/0x1e0 nbd_ioctl+0x175/0x430 ... BUG: memory leak [<0000000090cb73c8>] __do_krealloc mm/slab_common.c:1671 [inline] [<0000000090cb73c8>] krealloc+0x7c/0xa0 mm/slab_common.c:1700 [<00000000cf9e6ba7>] nbd_add_socket+0x7d/0x1e0 drivers/block/nbd.c:1040 ... This happens when krealloc() succeeds but the kzalloc() fails: 1040 socks = krealloc(config->socks, (config->num_connections + 1) * 1041 sizeof(struct nbd_sock *), GFP_KERNEL); 1042 if (!socks) { 1043 sockfd_put(sock); 1044 return -ENOMEM; 1045 } 1046 1047 config->socks = socks; 1048 1049 nsock = kzalloc(sizeof(struct nbd_sock), GFP_KERNEL); 1050 if (!nsock) { 1051 sockfd_put(sock); 1052 return -ENOMEM; 1053 } as then config->num_connections is not incremented and the cleanup code freeing config->socks is skipped. Just make it run always. Reported-by: syzbot+934037347002901b8d2a@syzkaller.appspotmail.com Cc: stable@kernel.org Signed-off-by: Tuomas Tynkkynen --- Compile tested only. --- drivers/block/nbd.c | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 43cff01a5a67..f851883ef9f4 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c @@ -1199,6 +1199,8 @@ static void nbd_config_put(struct nbd_device *nbd) if (refcount_dec_and_mutex_lock(&nbd->config_refs, &nbd->config_lock)) { struct nbd_config *config = nbd->config; + int i; + nbd_dev_dbg_close(nbd); nbd_size_clear(nbd); if (test_and_clear_bit(NBD_RT_HAS_PID_FILE, @@ -1206,14 +1208,11 @@ static void nbd_config_put(struct nbd_device *nbd) device_remove_file(disk_to_dev(nbd->disk), &pid_attr); nbd->task_recv = NULL; nbd_clear_sock(nbd); - if (config->num_connections) { - int i; - for (i = 0; i < config->num_connections; i++) { - sockfd_put(config->socks[i]->sock); - kfree(config->socks[i]); - } - kfree(config->socks); + for (i = 0; i < config->num_connections; i++) { + sockfd_put(config->socks[i]->sock); + kfree(config->socks[i]); } + kfree(config->socks); kfree(nbd->config); nbd->config = NULL; -- 2.17.1