[rds-devel] [External] : Re: [PATCH net v2] RDS: Fix memory leak in rds_rdma_extra_size()
Xiaobo Liu
cppcoffee at gmail.com
Thu Apr 16 10:00:23 UTC 2026
The internal addition of kfree and setting the pointer to NULL in
rds_rdma_extra_size makes the function more self‑consistent and secure.
After applying this patch, kfree(NULL) in rds_sendmsg is also safe and will
not cause a double‑free.
On 4/16/26 16:20 Paolo Abeni <pabeni at redhat.com> wrote:
>
> On 4/13/26 9:00 AM, Xiaobo Liu wrote:
> > @@ -595,11 +600,20 @@ int rds_rdma_extra_size(struct rds_rdma_args
*args,
> > * nr_pages for one entry is limited to
(UINT_MAX>>PAGE_SHIFT)+1,
> > * so tot_pages cannot overflow without first going
negative.
> > */
> > - if (tot_pages < 0)
> > - return -EINVAL;
> > + if (tot_pages < 0) {
> > + ret = -EINVAL;
> > + goto out;
> > + }
> > }
> >
> > - return tot_pages * sizeof(struct scatterlist);
> > + ret = tot_pages * sizeof(struct scatterlist);
> > +
> > +out:
> > + if (ret < 0) {
> > + kfree(iov->iov);
> > + iov->iov = NULL;
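Review bot: The "if (ret < 0)" test at the new "out:" label is also reached on the success path, where ret holds "tot_pages * sizeof(struct scatterlist)" rather than an errno. That multiplication is carried out in size_t and then stored in ret, so if ret is an int (the function returns int) a large product can truncate to a negative value. In that case this branch frees iov->iov and the caller receives a negative number that is not an error code. Consider doing the kfree only on the explicit error branches, with the success path returning before the cleanup label, or bounding tot_pages before the multiply. A short comment saying that this function now frees iov->iov and clears the pointer on failure would also help, since the reply below notes that the rds_sendmsg() error path frees any non-NULL iov as well.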
>
> Is this really needed?!? AFAICS rds_rdma_extra_size() is invoked only
> via: rds_sendmsg() -> rds_rm_size() -> rds_rdma_extra_size(), and the
> rds_sendmsg() error path already frees any non NULL iov.
>
> /P