Re: [PATCH] nfsd: fix memory leak in nfsd_create_serv error paths
From: Jeff Layton
Date: Mon Nov 17 2025 - 10:40:13 EST
On Mon, 2025-11-17 at 17:41 +0530, Shardul Bankar wrote:
> When nfsd_create_serv() calls percpu_ref_init() to initialize
> nn->nfsd_net_ref, it allocates both a percpu reference counter
> and a percpu_ref_data structure (64 bytes). However, if the
> function fails later due to svc_create_pooled() returning NULL
> or svc_bind() returning an error, these allocations are not
> cleaned up, resulting in a memory leak.
>
> The leak manifests as:
> - Unreferenced percpu allocation (8 bytes per CPU)
> - Unreferenced percpu_ref_data structure (64 bytes)
>
> Fix this by adding percpu_ref_exit() calls in both error paths
> to properly clean up the percpu_ref_init() allocations.
>
> This patch fixes the percpu_ref leak in nfsd_create_serv() seen
> as an auxiliary leak in syzbot report 099461f8558eb0a1f4f3; the
> prepare_creds() and vsock-related leaks in the same report
> remain to be addressed separately.
>
> Reported-by: syzbot+099461f8558eb0a1f4f3@xxxxxxxxxxxxxxxxxxxxxxxxx
> Link: https://syzkaller.appspot.com/bug?extid=099461f8558eb0a1f4f3
> Fixes: 47e988147f40 ("nfsd: add nfsd_serv_try_get and nfsd_serv_put")
> Signed-off-by: Shardul Bankar <shardul.b@xxxxxxxxxxxxxxxxxx>
> ---
> fs/nfsd/nfssvc.c | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nfsd/nfssvc.c b/fs/nfsd/nfssvc.c
> index 7057ddd7a0a8..32cc03a7e7be 100644
> --- a/fs/nfsd/nfssvc.c
> +++ b/fs/nfsd/nfssvc.c
> @@ -633,12 +633,15 @@ int nfsd_create_serv(struct net *net)
> serv = svc_create_pooled(nfsd_programs, ARRAY_SIZE(nfsd_programs),
> &nn->nfsd_svcstats,
> nfsd_max_blksize, nfsd);
> - if (serv == NULL)
> + if (serv == NULL) {
> + percpu_ref_exit(&nn->nfsd_net_ref);
> return -ENOMEM;
> + }
>
> error = svc_bind(serv, net);
> if (error < 0) {
> svc_destroy(&serv);
> + percpu_ref_exit(&nn->nfsd_net_ref);
> return error;
> }
> spin_lock(&nfsd_notifier_lock);
Nice catch!
Reviewed-by: Jeff Layton <jlayton@xxxxxxxxxx>