[lvc-project] [PATCH] nfsd: fix memory leak in __cld_pipe_inprogress_downcall()

Fedor Pchelkin pchelkin at ispras.ru
Sun Feb 18 21:06:09 MSK 2024


Hello Aleksandr,

On 24/02/16 04:45PM, Aleksandr Burakov wrote:
> Dynamic memory, referenced by 'princhash.data' and 'name.data', 
> is allocated by calling function 'memdup_user' and lost 
> at __cld_pipe_inprogress_downcall() function return

It is not actually lost. If nfs4_client_to_reclaim() fails and thus
returns NULL - this error case is already properly handled.

If nfs4_client_to_reclaim() succeeds then reference to the memory in
question is passed to crp->cr_name.data and crp->cr_princhash.data
correspondingly, and crp->cr_strhash entry is added to the list associated
with nfsd_net. In this case the memory is supposed to be freed by
nfs4_remove_reclaim_record(). See comment for nfs4_client_to_reclaim().

So I think the patch just introduces a double-free.

> 
> Found by Linux Verification Center (linuxtesting.org) with SVACE.
> 
> Fixes: 11a60d159259 ("nfsd: add a "GetVersion" upcall for nfsdcld")
> Signed-off-by: Aleksandr Burakov <a.burakov at rosalinux.ru>
> ---
>  fs/nfsd/nfs4recover.c | 2 ++
>  1 file changed, 2 insertions(+)
> 
> diff --git a/fs/nfsd/nfs4recover.c b/fs/nfsd/nfs4recover.c
> index 2c060e0b1604..02663484782d 100644
> --- a/fs/nfsd/nfs4recover.c
> +++ b/fs/nfsd/nfs4recover.c
> @@ -850,6 +850,8 @@ __cld_pipe_inprogress_downcall(const struct cld_msg_v2 __user *cmsg,
>  			kfree(princhash.data);
>  			return -EFAULT;
>  		}
> +		kfree(name.data);
> +		kfree(princhash.data);
>  		return nn->client_tracking_ops->msglen;
>  	}
>  	return -EFAULT;
> -- 
> 2.25.1

--
Fedor



More information about the lvc-project mailing list