From: Eric Biggers <ebiggers@kernel.org>
To: Chaitanya Kulkarni <Chaitanya.Kulkarni@wdc.com>
Cc: Zheng Bin <zhengbin13@huawei.com>,
"josef@toxicpanda.com" <josef@toxicpanda.com>,
"axboe@kernel.dk" <axboe@kernel.dk>,
"linux-block@vger.kernel.org" <linux-block@vger.kernel.org>,
"nbd@other.debian.org" <nbd@other.debian.org>,
"yi.zhang@huawei.com" <yi.zhang@huawei.com>
Subject: Re: [PATCH] nbd: Fix memory leak in nbd_add_socket
Date: Sun, 28 Jun 2020 08:58:45 -0700 [thread overview]
Message-ID: <20200628155845.GB2310@sol.localdomain> (raw)
In-Reply-To: <BYAPR04MB4965BCC5D59A22A417274A5486920@BYAPR04MB4965.namprd04.prod.outlook.com>
On Thu, Jun 25, 2020 at 12:16:33AM +0000, Chaitanya Kulkarni wrote:
> On 6/12/20 1:57 AM, Zheng Bin wrote:
> > nbd_add_socket
> > socks = krealloc(num_connections+1) -->if num_connections is 0, alloc 1
> > nsock = kzalloc -->If fail, will return
> >
> > nbd_config_put
> > if (config->num_connections) -->0, not free
> > kfree(config->socks)
> >
> > Thus memleak happens, this patch fixes that.
> >
> > Signed-off-by: Zheng Bin<zhengbin13@huawei.com>
This appears to address the syzbot report "memory leak in nbd_add_socket"
https://syzkaller.appspot.com/bug?id=08283193956ab772623e65242b3ed6d0e7c7d9ce
Can you please add:
Reported-by: syzbot+934037347002901b8d2a@syzkaller.appspotmail.com
>
> Not an nbd expert but wouldn't it be easier use following which matches
> the + 1 in the nbd_add_socket() :-
>
> diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
> index 01794cd2b6ca..e67c790039c9 100644
> --- a/drivers/block/nbd.c
> +++ b/drivers/block/nbd.c
> @@ -1209,9 +1209,9 @@ static void nbd_config_put(struct nbd_device *nbd)
> device_remove_file(disk_to_dev(nbd->disk),
> &pid_attr);
> nbd->task_recv = NULL;
> nbd_clear_sock(nbd);
> - if (config->num_connections) {
> + if (config->num_connections + 1) {
> int i;
> - for (i = 0; i < config->num_connections; i++) {
> + for (i = 0; i < (config->num_connections + 1);
> i++) {
> sockfd_put(config->socks[i]->sock);
> kfree(config->socks[i]);
> }
That looks wrong. The + 1 is just nbd_add_socket() preparing to append an entry
to the array.
Why not just check whether the pointer is NULL or not:
diff --git a/drivers/block/nbd.c b/drivers/block/nbd.c
index 43cff01a5a67..cb8e86174edb 100644
--- a/drivers/block/nbd.c
+++ b/drivers/block/nbd.c
@@ -1206,7 +1206,7 @@ static void nbd_config_put(struct nbd_device *nbd)
device_remove_file(disk_to_dev(nbd->disk), &pid_attr);
nbd->task_recv = NULL;
nbd_clear_sock(nbd);
- if (config->num_connections) {
+ if (config->socks) {
int i;
for (i = 0; i < config->num_connections; i++) {
sockfd_put(config->socks[i]->sock);
prev parent reply other threads:[~2020-06-28 15:58 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-06-12 9:04 [PATCH] nbd: Fix memory leak in nbd_add_socket Zheng Bin
2020-06-25 0:16 ` Chaitanya Kulkarni
2020-06-28 15:58 ` Eric Biggers [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200628155845.GB2310@sol.localdomain \
--to=ebiggers@kernel.org \
--cc=Chaitanya.Kulkarni@wdc.com \
--cc=axboe@kernel.dk \
--cc=josef@toxicpanda.com \
--cc=linux-block@vger.kernel.org \
--cc=nbd@other.debian.org \
--cc=yi.zhang@huawei.com \
--cc=zhengbin13@huawei.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox