Received: by 2002:a05:6a10:f3d0:0:0:0:0 with SMTP id a16csp3812593pxv; Mon, 28 Jun 2021 13:34:00 -0700 (PDT) X-Google-Smtp-Source: ABdhPJxsX/xqunELUTn8y9GGwzB0TeTCNsHiZhPWvQq0JAhVlILlzqn++w6cc3kdRGRbNs5KNYWT X-Received: by 2002:a02:3781:: with SMTP id r123mr1256439jar.26.1624912439878; Mon, 28 Jun 2021 13:33:59 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1624912439; cv=none; d=google.com; s=arc-20160816; b=Ov6QhMAfas/dPeAsqK/OQuhYFMyd3AgRMZcbcq8AbcMFFZFkIlrHl5IT/lny5Fdso0 V2lmCypE1DYdD/KEOkYjOSQZ1XIWjivSqL8go8FTVMhXYCHo9yHzRAOawbeJ5tLyblQ1 9098G4bu++dYrUIix2ydjaqvwsWVSRtVXdixkwjztBpIt2F3QP4TB3al2ttnQEpZJdMO XdBOm+sMvg1dt0DCBzx6uKgMAEfvffj/kyBma+NAhyAh4f1ADvLPoueYT1gmvaWSBrMr pEqlJXkqpjRj4tmPchzieroNdSXTOlAOAKTbyCRBOrBmUkhCiihy6aCp6P6uCKWoUagQ QPaQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:mime-version :references:in-reply-to:message-id:date:subject:cc:to:from :dkim-signature; bh=NkGwUYaB0/XM136hzDhEhmSVgR4WFHvdHswJT24FZKs=; b=SnX6t/KAieD66t5C/LvbBl/1V3Kqbe0k29YZI58+SGvyHoCJhR6bbrH9Z0IxcTuDea 2saXt3LJlc5IHU3O2jK88T4i/mrDz4qwJXxaf40qce7eHrhtKp7LouR/1eeC3N8k5PHJ IKZL1sFkOzsWBOJVuNKBENSEREvtXviGoIkXDX54hS9mWnHY6Hui5McvjvsVpdyYjatk 4qHLeSbqg2l8JlpFsQt6PDPYJbmh5qZVcBXxJH5o6XEMEJqERb79Ik9l6xLgUAlCXzaB nV02K+ysPRV+rWA14u1X7D1EkUNfqjDghVsVsFJZSkVyNOVV7tHCxSIlyI+jJ3uX99RI 6X6A== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=EV6fLFSM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id z25si15779781jao.65.2021.06.28.13.33.46; Mon, 28 Jun 2021 13:33:59 -0700 (PDT) Received-SPF: pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@kernel.org header.s=k20201202 header.b=EV6fLFSM; spf=pass (google.com: domain of linux-kernel-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=linux-kernel-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S237651AbhF1PKG (ORCPT + 99 others); Mon, 28 Jun 2021 11:10:06 -0400 Received: from mail.kernel.org ([198.145.29.99]:54506 "EHLO mail.kernel.org" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S236442AbhF1OtS (ORCPT ); Mon, 28 Jun 2021 10:49:18 -0400 Received: by mail.kernel.org (Postfix) with ESMTPSA id 5B61C61D1E; Mon, 28 Jun 2021 14:36:51 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=kernel.org; s=k20201202; t=1624891012; bh=q5r+zc2/+ZEOlRlFm4x+KNypvJJNCVoTKDXamzjtQkg=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=EV6fLFSMB/Lcn81AotxnEpUP0m5EyfmD/PtwJU2kktOmArYioCb05jFR9g5CfT5dU lFRv8puDEsmhm9sAzGNwprqpRqY3xCa93Guf/71hNy6A8XlFQxfpmTIOeuidUrvxFS DR6kuos+RE8iyIgn+AbA7DcvTY6l8Cc2Jscg1UA3btYIeQdHn5wLvzOGhA1qyemrbw Litw1LcZXjoykVqKKFBMXI4lEIssUfq2eTaIYbE4O0xTNB5Qaj0bCX8eTIrqnpxhbN 6m++Q2CgI/hhYb8x14JqN3vIhG6978OIE71plPyz8zB1YUUC+nesUHuoPCCXc6F9mY Uo88n6tKpCW9w== From: Sasha Levin To: linux-kernel@vger.kernel.org, stable@vger.kernel.org Cc: Pavel Skripkin , syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com, =?UTF-8?q?H=C3=A5kon=20Bugge?= , Santosh Shilimkar , "David S . Miller" , Sasha Levin Subject: [PATCH 4.14 24/88] net: rds: fix memory leak in rds_recvmsg Date: Mon, 28 Jun 2021 10:35:24 -0400 Message-Id: <20210628143628.33342-25-sashal@kernel.org> X-Mailer: git-send-email 2.30.2 In-Reply-To: <20210628143628.33342-1-sashal@kernel.org> References: <20210628143628.33342-1-sashal@kernel.org> MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 X-KernelTest-Patch: http://kernel.org/pub/linux/kernel/v4.x/stable-review/patch-4.14.238-rc1.gz X-KernelTest-Tree: git://git.kernel.org/pub/scm/linux/kernel/git/stable/linux-stable-rc.git X-KernelTest-Branch: linux-4.14.y X-KernelTest-Patches: git://git.kernel.org/pub/scm/linux/kernel/git/stable/stable-queue.git X-KernelTest-Version: 4.14.238-rc1 X-KernelTest-Deadline: 2021-06-30T14:36+00:00 X-stable: review X-Patchwork-Hint: Ignore Content-Transfer-Encoding: 8bit Precedence: bulk List-ID: X-Mailing-List: linux-kernel@vger.kernel.org From: Pavel Skripkin [ Upstream commit 49bfcbfd989a8f1f23e705759a6bb099de2cff9f ] Syzbot reported memory leak in rds. The problem was in unputted refcount in case of error. int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, int msg_flags) { ... if (!rds_next_incoming(rs, &inc)) { ... } After this "if" inc refcount incremented and if (rds_cmsg_recv(inc, msg, rs)) { ret = -EFAULT; goto out; } ... out: return ret; } in case of rds_cmsg_recv() fail the refcount won't be decremented. And it's easy to see from ftrace log, that rds_inc_addref() don't have rds_inc_put() pair in rds_recvmsg() after rds_cmsg_recv() 1) | rds_recvmsg() { 1) 3.721 us | rds_inc_addref(); 1) 3.853 us | rds_message_inc_copy_to_user(); 1) + 10.395 us | rds_cmsg_recv(); 1) + 34.260 us | } Fixes: bdbe6fbc6a2f ("RDS: recv.c") Reported-and-tested-by: syzbot+5134cdf021c4ed5aaa5f@syzkaller.appspotmail.com Signed-off-by: Pavel Skripkin Reviewed-by: HÃ¥kon Bugge Acked-by: Santosh Shilimkar Signed-off-by: David S. Miller Signed-off-by: Sasha Levin --- net/rds/recv.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/net/rds/recv.c b/net/rds/recv.c index ef022d24f87a..a1b2bdab6655 100644 --- a/net/rds/recv.c +++ b/net/rds/recv.c @@ -663,7 +663,7 @@ int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, if (rds_cmsg_recv(inc, msg, rs)) { ret = -EFAULT; - goto out; + break; } rds_stats_inc(s_recv_delivered); -- 2.30.2