From: Zheng Bin
Subject: [PATCH v4] nbd: Fix memory leak in nbd_add_socket
Date: Mon, 29 Jun 2020 09:23:49 +0800
Message-ID: <20200629012349.26641-1-zhengbin13@huawei.com>
X-Mailing-List: linux-kernel@vger.kernel.org

When adding first socket to nbd, if nsock's allocation failed, the data
structure member "config->socks" was reallocated, but the data structure
member "config->num_connections" was not updated. A memory leak will occur
then because the function "nbd_config_put" will free "config->socks" only
when "config->num_connections" is not zero.

Fixes: 03bf73c315ed ("nbd: prevent memory leak")
Reported-by: syzbot+934037347002901b8d2a@syzkaller.appspotmail.com
Signed-off-by: Zheng Bin
---
v1->v2: improve change description
v2->v3: fix some code style issues, improve change description
v3->v4: add "Reported-by" tag

 drivers/block/nbd.c | 25 +++++++++++++++----------
 1 file changed, 15 insertions(+), 10 deletions(-)

diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c index 01794cd2b6ca..3ff4054d6834 100644 --- a/drivers/block/nbd.c +++ b/drivers/block/nbd.c
@@ -1036,25 +1036,26 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, test_bit(NBD_RT_BOUND, &config->runtime_flags))) { dev_err(disk_to_dev(nbd->disk), "Device being setup by another task"); - sockfd_put(sock); - return -EBUSY; + err = -EBUSY; + goto put_socket; + } + + nsock = kzalloc(sizeof(*nsock), GFP_KERNEL); + if (!nsock) { + err = -ENOMEM; + goto put_socket; } socks = krealloc(config->socks, (config->num_connections + 1) * sizeof(struct nbd_sock *), GFP_KERNEL); if (!socks) { - sockfd_put(sock); - return -ENOMEM; + kfree(nsock); + err = -ENOMEM; + goto put_socket; } config->socks = socks; - nsock = kzalloc(sizeof(struct nbd_sock), GFP_KERNEL); - if (!nsock) { - sockfd_put(sock); - return -ENOMEM; - } - nsock->fallback_index = -1; nsock->dead = false; mutex_init(&nsock->tx_lock); @@ -1066,6 +1067,10 @@ static int nbd_add_socket(struct nbd_device *nbd, unsigned long arg, atomic_inc(&config->live_connections); return 0; + +put_socket: + sockfd_put(sock); + return err; } static int nbd_reconnect_socket(struct nbd_device *nbd, unsigned long arg) -- 2.26.0.106.g9fadedd
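Review bot: in the first hunk (@@ -1036,25 +1036,26 @@) the fix rests entirely on kzalloc(sizeof(*nsock), GFP_KERNEL) now running before krealloc(config->socks, ...), yet nothing in the code records that ordering constraint. A short comment above the kzalloc stating that config->socks must not be grown until every allocation that can fail has succeeded (nbd_config_put frees config->socks only when config->num_connections is not zero, per the commit message) would keep a later cleanup from moving the allocation back. As a style point, the kzalloc was switched to sizeof(*nsock) while the krealloc still spells out sizeof(struct nbd_sock *); sizeof(*socks) would match.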
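Review bot: the put_socket label added in the second hunk (@@ -1066,6 +1067,10 @@) only calls sockfd_put(sock), so the krealloc failure branch in the first hunk has to call kfree(nsock) itself before the goto. If nsock is initialised to NULL at its declaration (not visible in this diff), put_socket could call kfree(nsock) unconditionally, since kfree(NULL) is a no-op, and all three error branches would share one unwind path; alternatively a free_nsock label stacked above put_socket keeps the cleanup in one place. Please also confirm that err is declared in the function: its declaration is outside the visible context and `return err;` depends on it.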