lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
Message-ID: <f255c85df01f3e9f9d4022436f13e2ed76a8d4eb.camel@kernel.org>
Date: Mon, 17 Nov 2025 10:36:34 -0500
From: Jeff Layton <jlayton@...nel.org>
To: Shardul Bankar <shardul.b@...ricsoftware.com>, shardulsb08@...il.com
Cc: linux-nfs@...r.kernel.org, linux-kernel@...r.kernel.org, 
	syzbot+099461f8558eb0a1f4f3@...kaller.appspotmail.com,
 chuck.lever@...cle.com, 	neil@...wn.name, okorniev@...hat.com,
 Dai.Ngo@...cle.com, tom@...pey.com, 	janak@...ricsoftware.com
Subject: Re: [PATCH] nfsd: fix memory leak in nfsd_create_serv error paths

On Mon, 2025-11-17 at 17:41 +0530, Shardul Bankar wrote:
> When nfsd_create_serv() calls percpu_ref_init() to initialize
> nn->nfsd_net_ref, it allocates both a percpu reference counter
> and a percpu_ref_data structure (64 bytes). However, if the
> function fails later due to svc_create_pooled() returning NULL
> or svc_bind() returning an error, these allocations are not
> cleaned up, resulting in a memory leak.
> 
> The leak manifests as:
> - Unreferenced percpu allocation (8 bytes per CPU)
> - Unreferenced percpu_ref_data structure (64 bytes)
> 
> Fix this by adding percpu_ref_exit() calls in both error paths
> to properly clean up the percpu_ref_init() allocations.
> 
> This patch fixes the percpu_ref leak in nfsd_create_serv() seen
> as an auxiliary leak in syzbot report 099461f8558eb0a1f4f3; the
> prepare_creds() and vsock-related leaks in the same report
> remain to be addressed separately.
> 
> Reported-by: syzbot+099461f8558eb0a1f4f3@...kaller.appspotmail.com
> Link: https://syzkaller.appspot.com/bug?extid=099461f8558eb0a1f4f3
> Fixes: 47e988147f40 ("nfsd: add nfsd_serv_try_get and nfsd_serv_put")
> Signed-off-by: Shardul Bankar <shardul.b@...ricsoftware.com>
> ---
>  fs/nfsd/nfssvc.c | 5 ++++-
>  1 file changed, 4 insertions(+), 1 deletion(-)
> 
> diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
> index 7057ddd7a0a8..32cc03a7e7be 100644
> --- a/fs/nfsd/nfssvc.c
> +++ b/fs/nfsd/nfssvc.c
> @@ -633,12 +633,15 @@ int nfsd_create_serv(struct net *net)
>  	serv = svc_create_pooled(nfsd_programs, ARRAY_SIZE(nfsd_programs),
>  				 &nn->nfsd_svcstats,
>  				 nfsd_max_blksize, nfsd);
> -	if (serv == NULL)
> +	if (serv == NULL) {
> +		percpu_ref_exit(&nn->nfsd_net_ref);
>  		return -ENOMEM;
> +	}
>  
>  	error = svc_bind(serv, net);
>  	if (error < 0) {
>  		svc_destroy(&serv);
> +		percpu_ref_exit(&nn->nfsd_net_ref);
>  		return error;
>  	}
>  	spin_lock(&nfsd_notifier_lock);

Nice catch!

Reviewed-by: Jeff Layton <jlayton@...nel.org>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ