Message-ID: <b1b796b48a75b3ef3d6cebac89b0be45c5bf4611.camel@gmail.com>
Date: Sun, 14 Mar 2021 15:19:05 +0300
From: Fatih Yildirim <yildirim.fatih@...il.com>
To: Greg KH <gregkh@...uxfoundation.org>
Cc: santosh.shilimkar@...cle.com, davem@...emloft.net, kuba@...nel.org,
netdev@...r.kernel.org, linux-rdma@...r.kernel.org,
rds-devel@....oracle.com, linux-kernel@...r.kernel.org
Subject: Re: [BUG] net: rds: rds_send_probe memory leak
On Sun, 2021-03-14 at 09:36 +0100, Greg KH wrote:
> On Sun, Mar 14, 2021 at 11:23:10AM +0300, Fatih Yildirim wrote:
> > Hi Santosh,
> >
> > I've been working on a memory leak bug reported by syzbot.
> > https://syzkaller.appspot.com/bug?id=39b72114839a6dbd66c1d2104522698a813f9ae2
> >
> > It seems that memory allocated in rds_send_probe function is not
> > freed.
> >
> > Let me share my observations.
> > rds_message is allocated at the beginning of rds_send_probe function.
> > Then it is added to cp_send_queue list of rds_conn_path and refcount
> > is increased by one.
> > Next, in rds_send_xmit function it is moved from cp_send_queue list to
> > cp_retrans list, and again refcount is increased by one.
> > Finally in rds_loop_xmit function refcount is increased by one.
> > So, total refcount is 4.
> > However, rds_message_put is called three times, in rds_send_probe,
> > rds_send_remove_from_sock and rds_send_xmit functions. It seems that
> > one more rds_message_put is needed.
> > Would you please check and share your comments on this issue?
>
> Do you have a proposed patch that syzbot can test to verify if this is
> correct or not?
>
> thanks,
>
> greg k-h
Hi Greg,
Actually, using the .config and the C reproducer, syzbot reports the
memory leak in rds_send_probe function. Also, by enabling
CONFIG_RDS_DEBUG=y, the debug messages indicate something similar to what I
mentioned above. To give an example, below are the RDS_DEBUG messages.
Allocated address 000000008a7476e5 has initial ref_count 1. Then there
are three rds_message_addref calls for the same address, making the
refcount 4, but only three rds_message_put calls, which leave the
address still allocated.
[ 60.570681] rds_message_addref(): addref rm 000000008a7476e5 ref 1
[ 60.570707] rds_message_put(): put rm 000000008a7476e5 ref 2
[ 60.570845] rds_message_addref(): addref rm 000000008a7476e5 ref 1
[ 60.570870] rds_message_addref(): addref rm 000000008a7476e5 ref 2
[ 60.570960] rds_message_put(): put rm 000000008a7476e5 ref 3
[ 60.570995] rds_message_put(): put rm 000000008a7476e5 ref 2
Thanks,
Fatih
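The accounting Fatih describes can be checked mechanically by replaying the RDS_DEBUG lines per rm pointer. The script below is an added example, not code from the thread or from the RDS subsystem; it assumes, consistent with the quoted sequence, that each rds_message_addref/rds_message_put line prints the count before the operation is applied, that a message starts at refcount 1 on allocation, and it adds a second, constructed pointer value (00000000deadbeef) as a balanced case for contrast.

```python
import re
from collections import defaultdict

# Constructed sample: the six RDS_DEBUG lines quoted in the thread, plus a
# constructed second rm pointer whose addref/put calls balance out.
SAMPLE_LOG = """\
[   60.570681] rds_message_addref(): addref rm 000000008a7476e5 ref 1
[   60.570707] rds_message_put(): put rm 000000008a7476e5 ref 2
[   60.570845] rds_message_addref(): addref rm 000000008a7476e5 ref 1
[   60.570870] rds_message_addref(): addref rm 000000008a7476e5 ref 2
[   60.570960] rds_message_put(): put rm 000000008a7476e5 ref 3
[   60.570995] rds_message_put(): put rm 000000008a7476e5 ref 2
[   61.000001] rds_message_addref(): addref rm 00000000deadbeef ref 1
[   61.000002] rds_message_put(): put rm 00000000deadbeef ref 2
[   61.000003] rds_message_put(): put rm 00000000deadbeef ref 1
"""

LINE_RE = re.compile(
    r"rds_message_(addref|put)\(\): \w+ rm ([0-9a-f]+) ref (\d+)")


def audit_refcounts(log: str, initial: int = 1):
    """Replay addref/put events per rm pointer.

    Returns {addr: (final_count, inconsistencies)}.  A final_count above 0
    after the last put means the rds_message was never freed; a non-empty
    inconsistency list means the printed count diverged from the replay
    (e.g. an addref/put that was not logged).
    """
    expected = {}                 # addr -> count we expect the next line to print
    issues = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        op, addr, printed = m.group(1), m.group(2), int(m.group(3))
        cur = expected.setdefault(addr, initial)   # assumed: alloc starts at 1
        if printed != cur:
            issues[addr].append(f"{op}: log says {printed}, replay says {cur}")
        # assumed: the log prints the count before the operation is applied
        expected[addr] = printed + 1 if op == "addref" else printed - 1
    return {addr: (count, issues[addr]) for addr, count in expected.items()}


def leaked(log: str):
    """Pointers whose refcount never reached zero, i.e. candidate leaks."""
    return sorted(a for a, (count, _) in audit_refcounts(log).items() if count > 0)
```

Running it on the quoted lines flags 000000008a7476e5 with a final count of 1 and no replay inconsistencies, which is exactly the one missing rds_message_put the thread argues for.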