* [PATCH] lockd: release memory for non-normal situation
@ 2010-11-22 12:40 Wengang Wang
From: Wengang Wang @ 2010-11-22 12:40 UTC (permalink / raw)
To: linux-nfs; +Cc: greg.marsden, joe.jin
nlmclnt_proc() is neither releasing nlm_rqst nor dropping the ref on nlm_host.
Do the release work though I am not sure if it can really hit the situation.
Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
---
fs/lockd/clntproc.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)
diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
index 332c54c..ec9f0f5 100644
--- a/fs/lockd/clntproc.c
+++ b/fs/lockd/clntproc.c
@@ -173,8 +173,10 @@ int nlmclnt_proc(struct nlm_host *host, int cmd, struct file_lock *fl)
status = nlmclnt_unlock(call, fl);
} else if (IS_GETLK(cmd))
status = nlmclnt_test(call, fl);
- else
+ else {
+ nlm_release_call(call);
status = -EINVAL;
+ }
fl->fl_ops->fl_release_private(fl);
fl->fl_ops = NULL;
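Review bot: the release is added only on the "else" path, so the other three branches are unchanged and no double release is introduced by this hunk; what the hunk does not show is whether nlm_release_call() also drops the nlm_host reference that the commit message says is leaked, so that should be confirmed or the host put added alongside it. Since this branch is only reachable when cmd is neither a SETLK/SETLKW, an unlock, nor a GETLK, which the VFS is expected to filter, a WARN_ON()/BUG() that makes the impossible case visible would be worth considering instead of a silent -EINVAL. Style: once the final "else {" gets braces, the sibling "} else if (IS_GETLK(cmd))" branch should be braced too, per the kernel's brace rule for multi-branch conditionals.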
--
1.7.2.3
* Re: [PATCH] lockd: release memory for non-normal situation
@ 2010-11-22 17:15 ` Chuck Lever
From: Chuck Lever @ 2010-11-22 17:15 UTC (permalink / raw)
To: Wengang Wang; +Cc: linux-nfs, greg.marsden, joe.jin
Hi-
On Nov 22, 2010, at 7:40 AM, Wengang Wang wrote:
> nlmclnt_proc() is neither releasing nlm_rqst nor dropping the ref on nlm_host.
> Do the release work though I am not sure if it can really hit the situation.
Based on casual code review, the only case where this is a possibility is the "out_unlock" label in nlmclnt_lock(). Otherwise, this patch introduces a double release in other cases, doesn't it?
Is there a reproducer that can demonstrate a leak?
> Signed-off-by: Wengang Wang <wen.gang.wang@oracle.com>
> ---
> fs/lockd/clntproc.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
> index 332c54c..ec9f0f5 100644
> --- a/fs/lockd/clntproc.c
> +++ b/fs/lockd/clntproc.c
> @@ -173,8 +173,10 @@ int nlmclnt_proc(struct nlm_host *host, int cmd, struct file_lock *fl)
> status = nlmclnt_unlock(call, fl);
> } else if (IS_GETLK(cmd))
> status = nlmclnt_test(call, fl);
> - else
> + else {
> + nlm_release_call(call);
> status = -EINVAL;
> + }
> fl->fl_ops->fl_release_private(fl);
> fl->fl_ops = NULL;
--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com
* Re: [PATCH] lockd: release memory for non-normal situation
@ 2010-11-22 18:44 ` Trond Myklebust
From: Trond Myklebust @ 2010-11-22 18:44 UTC (permalink / raw)
To: Chuck Lever; +Cc: Wengang Wang, linux-nfs, greg.marsden, joe.jin
On Mon, 2010-11-22 at 12:15 -0500, Chuck Lever wrote:
> Hi-
>
> On Nov 22, 2010, at 7:40 AM, Wengang Wang wrote:
>
> > nlmclnt_proc() is neither releasing nlm_rqst nor dropping the ref on nlm_host.
> > Do the release work though I am not sure if it can really hit the situation.
>
> Based on casual code review, the only case where this is a possibility is the "out_unlock" label in nlmclnt_lock(). Otherwise, this patch introduces a double release in other cases, doesn't it?
No. It only occurs if !IS_GETLK(cmd) && !IS_SETLK(cmd) && !IS_SETLKW(cmd). The VFS should ensure this never happens, so I don't think this is an exploitable bug.
The question therefore is: do we add this fix, or do we just remove the -EINVAL error condition and replace it by a BUG()?
Cheers
Trond
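To make the two review points above concrete (Chuck's worry about a double release, Trond's answer that the release only happens on the unreachable command path), here is an added userspace model of the allocate-dispatch-release pattern in nlmclnt_proc(). It is example code written for this page, not lockd code: host_model, rqst_model, alloc_call(), release_call(), proc_leaky(), proc_fixed() and the CMD_* values are all invented stand-ins for nlm_host, nlm_rqst, nlm_alloc_call(), nlm_release_call() and the F_SETLK/F_GETLK checks. Each per-command handler owns and releases its request, as the real handlers do, so the dispatcher must release only on the path no handler ever sees.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not lockd code: a userspace model of the pattern in
 * nlmclnt_proc().  All names below are invented for this illustration. */

#define EINVAL 22

enum lock_cmd { CMD_SETLK, CMD_SETLKW, CMD_GETLK, CMD_UNLOCK, CMD_BOGUS };

struct host_model { int refs; };
struct rqst_model { struct host_model *host; int released; };

static struct rqst_model pool[16];
static int allocs, releases, double_releases;

static void reset_model(struct host_model *h)
{
    memset(pool, 0, sizeof pool);
    allocs = releases = double_releases = 0;
    h->refs = 1;            /* the caller's own reference on the host */
}

/* nlm_alloc_call() analogue: the request pins one reference on the host */
static struct rqst_model *alloc_call(struct host_model *h)
{
    struct rqst_model *c = &pool[allocs++];
    c->host = h;
    h->refs++;
    return c;
}

/* nlm_release_call() analogue: drops the host reference exactly once;
 * a second release of the same request is counted, not crashed on */
static void release_call(struct rqst_model *c)
{
    if (c->released) { double_releases++; return; }
    c->released = 1;
    c->host->refs--;
    releases++;
}

/* the per-command handlers own the request and release it themselves */
static int do_lock(struct rqst_model *c)   { release_call(c); return 0; }
static int do_unlock(struct rqst_model *c) { release_call(c); return 0; }
static int do_test(struct rqst_model *c)   { release_call(c); return 0; }

/* Dispatch as before the patch: the unknown-command path skips the release. */
static int proc_leaky(struct host_model *h, enum lock_cmd cmd)
{
    struct rqst_model *call = alloc_call(h);
    int status;

    if (cmd == CMD_SETLK || cmd == CMD_SETLKW)
        status = do_lock(call);
    else if (cmd == CMD_UNLOCK)
        status = do_unlock(call);
    else if (cmd == CMD_GETLK)
        status = do_test(call);
    else
        status = -EINVAL;       /* request and host reference leak here */
    return status;
}

/* Dispatch with the patch applied: release only on the unhandled path. */
static int proc_fixed(struct host_model *h, enum lock_cmd cmd)
{
    struct rqst_model *call = alloc_call(h);
    int status;

    if (cmd == CMD_SETLK || cmd == CMD_SETLKW) {
        status = do_lock(call);
    } else if (cmd == CMD_UNLOCK) {
        status = do_unlock(call);
    } else if (cmd == CMD_GETLK) {
        status = do_test(call);
    } else {
        release_call(call);
        status = -EINVAL;
    }
    return status;
}

/* Run one command through a dispatcher and report outstanding requests
 * (allocs minus releases).  -1 flags a double release, -2 a host refcount
 * that does not match the number of requests still alive. */
int outstanding_after(int (*proc)(struct host_model *, enum lock_cmd),
                      enum lock_cmd cmd)
{
    struct host_model h;

    reset_model(&h);
    proc(&h, cmd);
    if (double_releases)
        return -1;
    if (h.refs != 1 + (allocs - releases))
        return -2;
    return allocs - releases;
}

int main(void)
{
    printf("leaky, bogus cmd: %d outstanding\n", outstanding_after(proc_leaky, CMD_BOGUS));
    printf("fixed, bogus cmd: %d outstanding\n", outstanding_after(proc_fixed, CMD_BOGUS));
    printf("fixed, SETLK:     %d outstanding\n", outstanding_after(proc_fixed, CMD_SETLK));
    return 0;
}
```

Running the model shows the leaky dispatcher leaves one request (and one host reference) outstanding only for the bogus command, and the fixed dispatcher leaves none for any command without ever releasing twice, which is what makes the patch safe for the normal branches. Whether the unreachable branch should free and return -EINVAL, as here, or trap with a BUG(), is the question Trond leaves open; the model does not decide it.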