public inbox for linux-rdma@vger.kernel.org
 help / color / mirror / Atom feed
* [PATCH net v2] RDS: Fix memory leak in rds_rdma_extra_size()
@ 2026-04-13  7:00 Xiaobo Liu
  2026-04-14  0:15 ` Allison Henderson
  2026-04-16  8:20 ` Paolo Abeni
  0 siblings, 2 replies; 4+ messages in thread
From: Xiaobo Liu @ 2026-04-13  7:00 UTC (permalink / raw)
  To: Allison Henderson, David S. Miller
  Cc: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev,
	linux-rdma, rds-devel, linux-kernel, Xiaobo Liu

Free iov->iov when copy_from_user() or page count validation fails
in rds_rdma_extra_size().

This preserves the existing success path and avoids leaking the
allocated iovec array on error.

Signed-off-by: Xiaobo Liu <cppcoffee@gmail.com>
---
 net/rds/rdma.c | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/net/rds/rdma.c b/net/rds/rdma.c
index aa6465dc7..91a20c1e2 100644
--- a/net/rds/rdma.c
+++ b/net/rds/rdma.c
@@ -560,6 +560,7 @@ int rds_rdma_extra_size(struct rds_rdma_args *args,
 	struct rds_iovec *vec;
 	struct rds_iovec __user *local_vec;
 	int tot_pages = 0;
+	int ret = 0;
 	unsigned int nr_pages;
 	unsigned int i;
 
@@ -578,16 +579,20 @@ int rds_rdma_extra_size(struct rds_rdma_args *args,
 	vec = &iov->iov[0];
 
 	if (copy_from_user(vec, local_vec, args->nr_local *
-			   sizeof(struct rds_iovec)))
-		return -EFAULT;
+			   sizeof(struct rds_iovec))) {
+		ret = -EFAULT;
+		goto out;
+	}
 	iov->len = args->nr_local;
 
 	/* figure out the number of pages in the vector */
 	for (i = 0; i < args->nr_local; i++, vec++) {
 
 		nr_pages = rds_pages_in_vec(vec);
-		if (nr_pages == 0)
-			return -EINVAL;
+		if (nr_pages == 0) {
+			ret = -EINVAL;
+			goto out;
+		}
 
 		tot_pages += nr_pages;
 
@@ -595,11 +600,20 @@ int rds_rdma_extra_size(struct rds_rdma_args *args,
 		 * nr_pages for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1,
 		 * so tot_pages cannot overflow without first going negative.
 		 */
-		if (tot_pages < 0)
-			return -EINVAL;
+		if (tot_pages < 0) {
+			ret = -EINVAL;
+			goto out;
+		}
 	}
 
-	return tot_pages * sizeof(struct scatterlist);
+	ret = tot_pages * sizeof(struct scatterlist);
+
+out:
+	if (ret < 0) {
+		kfree(iov->iov);
+		iov->iov = NULL;
+	}
+	return ret;
 }
 
 /*
-- 
2.34.1


^ permalink raw reply related	[flat|nested] 4+ messages in thread
* Re: [PATCH net v2] RDS: Fix memory leak in rds_rdma_extra_size()
  2026-04-13  7:00 [PATCH net v2] RDS: Fix memory leak in rds_rdma_extra_size() Xiaobo Liu
@ 2026-04-14  0:15 ` Allison Henderson
  2026-04-16  8:20 ` Paolo Abeni
  1 sibling, 0 replies; 4+ messages in thread
From: Allison Henderson @ 2026-04-14  0:15 UTC (permalink / raw)
  To: Xiaobo Liu, David S. Miller
  Cc: Eric Dumazet, Jakub Kicinski, Paolo Abeni, Simon Horman, netdev,
	linux-rdma, rds-devel, linux-kernel

On Mon, 2026-04-13 at 15:00 +0800, Xiaobo Liu wrote:
> Free iov->iov when copy_from_user() or page count validation fails
> in rds_rdma_extra_size().
> 
> This preserves the existing success path and avoids leaking the
> allocated iovec array on error.
> 
> Signed-off-by: Xiaobo Liu <cppcoffee@gmail.com>

I think this looks good now.  Thanks Xiaobo.
Reviewed-by: Allison Henderson <achender@kernel.org>

> ---
>  net/rds/rdma.c | 28 +++++++++++++++++++++-------
>  1 file changed, 21 insertions(+), 7 deletions(-)
> 
> diff --git a/net/rds/rdma.c b/net/rds/rdma.c
> index aa6465dc7..91a20c1e2 100644
> --- a/net/rds/rdma.c
> +++ b/net/rds/rdma.c
> @@ -560,6 +560,7 @@ int rds_rdma_extra_size(struct rds_rdma_args *args,
>  	struct rds_iovec *vec;
>  	struct rds_iovec __user *local_vec;
>  	int tot_pages = 0;
> +	int ret = 0;
>  	unsigned int nr_pages;
>  	unsigned int i;
>  
> @@ -578,16 +579,20 @@ int rds_rdma_extra_size(struct rds_rdma_args *args,
>  	vec = &iov->iov[0];
>  
>  	if (copy_from_user(vec, local_vec, args->nr_local *
> -			   sizeof(struct rds_iovec)))
> -		return -EFAULT;
> +			   sizeof(struct rds_iovec))) {
> +		ret = -EFAULT;
> +		goto out;
> +	}
>  	iov->len = args->nr_local;
>  
>  	/* figure out the number of pages in the vector */
>  	for (i = 0; i < args->nr_local; i++, vec++) {
>  
>  		nr_pages = rds_pages_in_vec(vec);
> -		if (nr_pages == 0)
> -			return -EINVAL;
> +		if (nr_pages == 0) {
> +			ret = -EINVAL;
> +			goto out;
> +		}
>  
>  		tot_pages += nr_pages;
>  
> @@ -595,11 +600,20 @@ int rds_rdma_extra_size(struct rds_rdma_args *args,
>  		 * nr_pages for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1,
>  		 * so tot_pages cannot overflow without first going negative.
>  		 */
> -		if (tot_pages < 0)
> -			return -EINVAL;
> +		if (tot_pages < 0) {
> +			ret = -EINVAL;
> +			goto out;
> +		}
>  	}
>  
> -	return tot_pages * sizeof(struct scatterlist);
> +	ret = tot_pages * sizeof(struct scatterlist);
> +
> +out:
> +	if (ret < 0) {
> +		kfree(iov->iov);
> +		iov->iov = NULL;
> +	}
> +	return ret;
>  }
>  
>  /*


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH net v2] RDS: Fix memory leak in rds_rdma_extra_size()
  2026-04-13  7:00 [PATCH net v2] RDS: Fix memory leak in rds_rdma_extra_size() Xiaobo Liu
  2026-04-14  0:15 ` Allison Henderson
@ 2026-04-16  8:20 ` Paolo Abeni
       [not found]   ` <CAJeqHv+kCScdMLYgOPG0TaRwTH5-Vo-=HEPs+oX24OprbmtbwA@mail.gmail.com>
  1 sibling, 1 reply; 4+ messages in thread
From: Paolo Abeni @ 2026-04-16  8:20 UTC (permalink / raw)
  To: Xiaobo Liu, Allison Henderson, David S. Miller
  Cc: Eric Dumazet, Jakub Kicinski, Simon Horman, netdev, linux-rdma,
	rds-devel, linux-kernel

On 4/13/26 9:00 AM, Xiaobo Liu wrote:
> @@ -595,11 +600,20 @@ int rds_rdma_extra_size(struct rds_rdma_args *args,
>  		 * nr_pages for one entry is limited to (UINT_MAX>>PAGE_SHIFT)+1,
>  		 * so tot_pages cannot overflow without first going negative.
>  		 */
> -		if (tot_pages < 0)
> -			return -EINVAL;
> +		if (tot_pages < 0) {
> +			ret = -EINVAL;
> +			goto out;
> +		}
>  	}
>  
> -	return tot_pages * sizeof(struct scatterlist);
> +	ret = tot_pages * sizeof(struct scatterlist);
> +
> +out:
> +	if (ret < 0) {
> +		kfree(iov->iov);
> +		iov->iov = NULL;

Is this really needed?!? AFAICS rds_rdma_extra_size() is invoked only
via: rds_sendmsg() -> rds_rm_size() -> rds_rdma_extra_size(), and the
rds_sendmsg() error path already frees any non NULL iov.

/P


^ permalink raw reply	[flat|nested] 4+ messages in thread
* Re: [PATCH net v2] RDS: Fix memory leak in rds_rdma_extra_size()
       [not found]   ` <CAJeqHv+kCScdMLYgOPG0TaRwTH5-Vo-=HEPs+oX24OprbmtbwA@mail.gmail.com>
@ 2026-04-16 22:18     ` Allison Henderson
  0 siblings, 0 replies; 4+ messages in thread
From: Allison Henderson @ 2026-04-16 22:18 UTC (permalink / raw)
  To: Xiaobo Liu, Paolo Abeni
  Cc: David S. Miller, Eric Dumazet, Jakub Kicinski, Simon Horman,
	netdev, linux-rdma, rds-devel, linux-kernel

On Thu, 2026-04-16 at 18:00 +0800, Xiaobo Liu wrote:
> The internal addition of kfree and setting the pointer to NULL in
> rds_rdma_extra_size makes the function more self‑consistent and secure.
> After applying this patch, kfree(NULL) in rds_sendmsg is also safe and will
> not cause a double‑free.

Hi Xiaobo,                                                                               
                  
Paolo makes a good point that I had missed in that rds_sendmsg owns the
cleanup. So even though iov->iov isn't freed here, it isn't leaked
either. Self-consistency is fair as a style point, but it's not
strong enough to justify the change on its own since it isn't a bug
fix. That said, thank you for taking the time to look at this area;
we appreciate the effort to help track down and fix bugs.

Thanks,         
Allison

> 
> On 4/16/2616:20 Paolo Abeni <pabeni@redhat.com> wrote:
> > 
> > On 4/13/26 9:00 AM, Xiaobo Liu wrote:
> > > @@ -595,11 +600,20 @@ int rds_rdma_extra_size(struct rds_rdma_args
> *args,
> > >                * nr_pages for one entry is limited to
> (UINT_MAX>>PAGE_SHIFT)+1,
> > >                * so tot_pages cannot overflow without first going
> negative.
> > >                */
> > > -             if (tot_pages < 0)
> > > -                     return -EINVAL;
> > > +             if (tot_pages < 0) {
> > > +                     ret = -EINVAL;
> > > +                     goto out;
> > > +             }
> > >       }
> > > 
> > > -     return tot_pages * sizeof(struct scatterlist);
> > > +     ret = tot_pages * sizeof(struct scatterlist);
> > > +
> > > +out:
> > > +     if (ret < 0) {
> > > +             kfree(iov->iov);
> > > +             iov->iov = NULL;
> > 
> > Is this really needed?!? AFAICS rds_rdma_extra_size() is invoked only
> > via: rds_sendmsg() -> rds_rm_size() -> rds_rdma_extra_size(), and the
> > rds_sendmsg() error path already frees any non NULL iov.
> > 
> > /P


^ permalink raw reply	[flat|nested] 4+ messages in thread
end of thread, other threads:[~2026-04-16 22:18 UTC | newest]

Thread overview: 4+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2026-04-13  7:00 [PATCH net v2] RDS: Fix memory leak in rds_rdma_extra_size() Xiaobo Liu
2026-04-14  0:15 ` Allison Henderson
2026-04-16  8:20 ` Paolo Abeni
     [not found]   ` <CAJeqHv+kCScdMLYgOPG0TaRwTH5-Vo-=HEPs+oX24OprbmtbwA@mail.gmail.com>
2026-04-16 22:18     ` Allison Henderson

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox