CVE-2021-47249

In the Linux kernel, the following vulnerability has been resolved:

net: rds: fix memory leak in rds_recvmsg

Syzbot reported memory leak in rds. The problem was in unputted refcount in case of error.

int rds_recvmsg(struct socket *sock, struct msghdr *msg, size_t size, int msg_flags) { ...

if (!rds_next_incoming(rs, &inc)) {
	...
}

After this "if" inc refcount incremented and

if (rds_cmsg_recv(inc, msg, rs)) {
	ret = -EFAULT;
	goto out;
}

... out: return ret; }

in case of rds_cmsg_recv() fail the refcount won't be decremented. And it's easy to see from ftrace log, that rds_inc_addref() don't have rds_inc_put() pair in rds_recvmsg() after rds_cmsg_recv()

1.           |  rds_recvmsg() {
   

2. 3.721 us | rds_inc_addref();
3. 3.853 us | rds_message_inc_copy_to_user();
4. • 10.395 us | rds_cmsg_recv();
5. • 34.260 us | }