From: "J. Bruce Fields" <bfields@redhat.com>
To: linux-nfs@vger.kernel.org
Cc: "J. Bruce Fields" <bfields@redhat.com>
Subject: [PATCH 3/4] svcrpc: fix double-free on shutdown of nfsd after changing pool mode
Date: Tue, 3 Jan 2012 17:56:20 -0500 [thread overview]
Message-ID: <1325631381-9231-4-git-send-email-bfields@redhat.com> (raw)
In-Reply-To: <1325631381-9231-1-git-send-email-bfields@redhat.com>
From: "J. Bruce Fields" <bfields@redhat.com>
The pool_to and to_pool fields of the global svc_pool_map are freed on
shutdown, but are initialized in nfsd startup only in the
SVC_POOL_PERCPU and SVC_POOL_PERNODE cases.
They *are* initialized to zero on kernel startup. So as long as you use
only SVC_POOL_GLOBAL (the default), this will never be a problem.
You're also OK if you only ever use SVC_POOL_PERCPU or SVC_POOL_PERNODE.
However, the following sequence events leads to a double-free:
1. set SVC_POOL_PERCPU or SVC_POOL_PERNODE
2. start nfsd: both fields are initialized.
3. shutdown nfsd: both fields are freed.
4. set SVC_POOL_GLOBAL
5. start nfsd: the fields are left untouched.
6. shutdown nfsd: now we try to free them again.
Step 4 is actually unnecessary, since (for some bizarre reason), nfsd
automatically resets the pool mode to SVC_POOL_GLOBAL on shutdown.
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
---
net/sunrpc/svc.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index e9632bb..1dd5fd0 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -167,6 +167,7 @@ svc_pool_map_alloc_arrays(struct svc_pool_map *m, unsigned int maxpools)
fail_free:
kfree(m->to_pool);
+ m->to_pool = NULL;
fail:
return -ENOMEM;
}
@@ -287,7 +288,9 @@ svc_pool_map_put(void)
if (!--m->count) {
m->mode = SVC_POOL_DEFAULT;
kfree(m->to_pool);
+ m->to_pool = NULL;
kfree(m->pool_to);
+ m->pool_to = NULL;
m->npools = 0;
}
--
1.7.5.4
next prev parent reply other threads:[~2012-01-03 22:56 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2012-01-03 22:56 3.3 nfsd fixes J. Bruce Fields
2012-01-03 22:56 ` [PATCH 1/4] nfsd4: fix spurious 4.1 post-reboot failures J. Bruce Fields
2012-01-03 22:56 ` [PATCH 2/4] nfsd4: be forgiving in the absence of the recovery directory J. Bruce Fields
2012-01-03 22:56 ` J. Bruce Fields [this message]
2012-01-03 22:57 ` [PATCH 3/4] svcrpc: fix double-free on shutdown of nfsd after changing pool mode J. Bruce Fields
2012-01-03 22:56 ` [PATCH 4/4] svcrpc: don't revert to SVC_POOL_DEFAULT on nfsd shutdown J. Bruce Fields
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1325631381-9231-4-git-send-email-bfields@redhat.com \
--to=bfields@redhat.com \
--cc=linux-nfs@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.