lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-ID: <a3036ea4ee2a06e4b3acd3b438025754d11f65fc.camel@gmail.com>
Date:   Sun, 14 Mar 2021 11:23:10 +0300
From:   Fatih Yildirim <yildirim.fatih@...il.com>
To:     santosh.shilimkar@...cle.com, davem@...emloft.net, kuba@...nel.org
Cc:     gregkh@...uxfoundation.org, netdev@...r.kernel.org,
        linux-rdma@...r.kernel.org, rds-devel@....oracle.com,
        linux-kernel@...r.kernel.org
Subject: [BUG] net: rds: rds_send_probe memory leak

Hi Santosh,

I've been working on a memory leak bug reported by syzbot.
https://syzkaller.appspot.com/bug?id=39b72114839a6dbd66c1d2104522698a813f9ae2

It seems that memory allocated in rds_send_probe function is not freed.

Let me share my observations.
rds_message is allocated at the beginning of rds_send_probe function.
Then it is added to cp_send_queue list of rds_conn_path and refcount
is increased by one.
Next, in rds_send_xmit function it is moved from cp_send_queue list to
cp_retrans list, and again refcount is increased by one.
Finally in rds_loop_xmit function refcount is increased by one.
So, total refcount is 4.
However, rds_message_put is called three times, in rds_send_probe,
rds_send_remove_from_sock and rds_send_xmit functions. It seems that
one more rds_message_put is needed.
Would you please check and share your comments on this issue?

Thanks,
Fatih

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ