From: NeilBrown <neilb@suse.de>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: Neil Brown <neilb@suse.de>,
"J. Bruce Fields" <bfields@citi.umich.edu>,
Frank Filz <ffilzlnx@us.ibm.com>,
nfs@lists.sourceforge.net, linux-kernel@vger.kernel.org
Subject: [PATCH 003 of 8] knfsd: Fix resource leak resulting in module refcount leak for rpcsec_gss_krb5.ko
Date: Mon, 7 May 2007 10:35:27 +1000 [thread overview]
Message-ID: <1070507003527.24108@suse.de> (raw)
In-Reply-To: 20070507103211.23855.patches@notabene
From: Frank Filz <ffilzlnx@us.ibm.com>
I have been investigating a module reference count leak on the server
for rpcsec_gss_krb5.ko. It turns out the problem is a reference count
leak for the security context in net/sunrpc/auth_gss/svcauth_gss.c.
The problem is that gss_write_init_verf() calls gss_svc_searchbyctx()
which does a rsc_lookup() but never releases the reference to the
context. There is another issue that rpc.svcgssd sets an "end of time"
expiration for the context
By adding a cache_put() call in gss_svc_searchbyctx(), and setting an
expiration timeout in the downcall, cache_clean() does clean up the
context and the module reference count now goes to zero after unmount.
I also verified that if the context expires and then the client makes a
new request, a new context is established.
Here is the patch to fix the kernel, I will start a separate thread to
discuss what expiration time should be set by rpc.svcgssd.
Acked-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com>
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c
b/net/sunrpc/auth_gss/svcauth_gss.c
index db298b5..eb16e30 100644
Signed-off-by: Neil Brown <neilb@suse.de>
### Diffstat output
./net/sunrpc/auth_gss/svcauth_gss.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff .prev/net/sunrpc/auth_gss/svcauth_gss.c ./net/sunrpc/auth_gss/svcauth_gss.c
--- .prev/net/sunrpc/auth_gss/svcauth_gss.c 2007-05-07 10:30:38.000000000 +1000
+++ ./net/sunrpc/auth_gss/svcauth_gss.c 2007-05-07 10:31:03.000000000 +1000
@@ -938,6 +938,7 @@ static inline int
gss_write_init_verf(struct svc_rqst *rqstp, struct rsi *rsip)
{
struct rsc *rsci;
+ int rc;
if (rsip->major_status != GSS_S_COMPLETE)
return gss_write_null_verf(rqstp);
@@ -946,7 +947,9 @@ gss_write_init_verf(struct svc_rqst *rqs
rsip->major_status = GSS_S_NO_CONTEXT;
return gss_write_null_verf(rqstp);
}
- return gss_write_verf(rqstp, rsci->mechctx, GSS_SEQ_WIN);
+ rc = gss_write_verf(rqstp, rsci->mechctx, GSS_SEQ_WIN);
+ cache_put(&rsci->h, &rsc_cache);
+ return rc;
}
/*
-------------------------------------------------------------------------
This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
http://sourceforge.net/powerbar/db2/
_______________________________________________
NFS maillist - NFS@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/nfs
WARNING: multiple messages have this Message-ID (diff)
From: NeilBrown <neilb@suse.de>
To: Andrew Morton <akpm@linux-foundation.org>
Cc: nfs@lists.sourceforge.net, linux-kernel@vger.kernel.org
Cc: Frank Filz <ffilzlnx@us.ibm.com>
Cc: "J. Bruce Fields" <bfields@citi.umich.edu>
Cc: Neil Brown <neilb@suse.de>
Subject: [PATCH 003 of 8] knfsd: Fix resource leak resulting in module refcount leak for rpcsec_gss_krb5.ko
Date: Mon, 7 May 2007 10:35:27 +1000 [thread overview]
Message-ID: <1070507003527.24108@suse.de> (raw)
In-Reply-To: 20070507103211.23855.patches@notabene
From: Frank Filz <ffilzlnx@us.ibm.com>
I have been investigating a module reference count leak on the server
for rpcsec_gss_krb5.ko. It turns out the problem is a reference count
leak for the security context in net/sunrpc/auth_gss/svcauth_gss.c.
The problem is that gss_write_init_verf() calls gss_svc_searchbyctx()
which does a rsc_lookup() but never releases the reference to the
context. There is another issue that rpc.svcgssd sets an "end of time"
expiration for the context
By adding a cache_put() call in gss_svc_searchbyctx(), and setting an
expiration timeout in the downcall, cache_clean() does clean up the
context and the module reference count now goes to zero after unmount.
I also verified that if the context expires and then the client makes a
new request, a new context is established.
Here is the patch to fix the kernel, I will start a separate thread to
discuss what expiration time should be set by rpc.svcgssd.
Acked-by: "J. Bruce Fields" <bfields@citi.umich.edu>
Signed-off-by: Frank Filz <ffilzlnx@us.ibm.com>
diff --git a/net/sunrpc/auth_gss/svcauth_gss.c
b/net/sunrpc/auth_gss/svcauth_gss.c
index db298b5..eb16e30 100644
Signed-off-by: Neil Brown <neilb@suse.de>
### Diffstat output
./net/sunrpc/auth_gss/svcauth_gss.c | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff .prev/net/sunrpc/auth_gss/svcauth_gss.c ./net/sunrpc/auth_gss/svcauth_gss.c
--- .prev/net/sunrpc/auth_gss/svcauth_gss.c 2007-05-07 10:30:38.000000000 +1000
+++ ./net/sunrpc/auth_gss/svcauth_gss.c 2007-05-07 10:31:03.000000000 +1000
@@ -938,6 +938,7 @@ static inline int
gss_write_init_verf(struct svc_rqst *rqstp, struct rsi *rsip)
{
struct rsc *rsci;
+ int rc;
if (rsip->major_status != GSS_S_COMPLETE)
return gss_write_null_verf(rqstp);
@@ -946,7 +947,9 @@ gss_write_init_verf(struct svc_rqst *rqs
rsip->major_status = GSS_S_NO_CONTEXT;
return gss_write_null_verf(rqstp);
}
- return gss_write_verf(rqstp, rsci->mechctx, GSS_SEQ_WIN);
+ rc = gss_write_verf(rqstp, rsci->mechctx, GSS_SEQ_WIN);
+ cache_put(&rsci->h, &rsc_cache);
+ return rc;
}
/*
next prev parent reply other threads:[~2007-05-07 0:36 UTC|newest]
Thread overview: 18+ messages / expand[flat|nested] mbox.gz Atom feed top
2007-05-07 0:35 [PATCH 000 of 8] knfsd: Assorted bugfixes for 2.6.22 NeilBrown
2007-05-07 0:35 ` NeilBrown
2007-05-07 0:35 ` [PATCH 001 of 8] knfsd: Avoid use of unitialised variables on error path when nfs exports NeilBrown
2007-05-07 0:35 ` NeilBrown
2007-05-07 0:35 ` [PATCH 002 of 8] knfsd: rpc: fix server-side wrapping of krb5i replies NeilBrown
2007-05-07 0:35 ` NeilBrown
2007-05-07 0:35 ` NeilBrown [this message]
2007-05-07 0:35 ` [PATCH 003 of 8] knfsd: Fix resource leak resulting in module refcount leak for rpcsec_gss_krb5.ko NeilBrown
2007-05-07 0:35 ` [PATCH 004 of 8] knfsd: rpcgss : RPC_GSS_PROC_ DESTROY request will get a bad rpc NeilBrown
2007-05-07 0:35 ` NeilBrown
2007-05-07 0:35 ` [PATCH 005 of 8] knfsd: Simplify a 'while' condition in svcsock.c NeilBrown
2007-05-07 0:35 ` NeilBrown
2007-05-07 0:35 ` [PATCH 006 of 8] knfsd: Trivial makefile cleanup NeilBrown
2007-05-07 0:35 ` NeilBrown
2007-05-07 0:35 ` [PATCH 007 of 8] knfsd: Various nfsd xdr cleanups NeilBrown
2007-05-07 0:35 ` NeilBrown
2007-05-07 0:36 ` [PATCH 008 of 8] knfsd: Avoid Oops if buggy userspace performs confusing filehandle->dentry mapping NeilBrown
2007-05-07 0:36 ` NeilBrown
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1070507003527.24108@suse.de \
--to=neilb@suse.de \
--cc=akpm@linux-foundation.org \
--cc=bfields@citi.umich.edu \
--cc=ffilzlnx@us.ibm.com \
--cc=linux-kernel@vger.kernel.org \
--cc=nfs@lists.sourceforge.net \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.