From: Boaz Harrosh <bharrosh@panasas.com>
To: Benny Halevy <bhalevy@panasas.com>,
Trond Myklebust <Trond.Myklebust@netapp.com>,
linux-nfs@vger.kernel.org, Andy Adamson <andros@netapp.com>,
Fred Isaman <iisaman@netapp.com>
Subject: [PATCH V2] SQUASHME: pnfs: Fix NULL dereference and leak in the -ENOMEM path
Date: Wed, 25 May 2011 19:19:54 +0300
Message-ID: <4DDD2C2A.1070102@panasas.com>
In-Reply-To: <4DDD2933.3000209@panasas.com>
In _pnfs_return_layout:
lrp pointer is checked for NULL after it was already accessed.

The rationale here is that in _pnfs_return_layout we want to
de-ref and release the layout regardless of whether we sent the
return or not (forgetful). An eventual recall can return -ENOMATCHING
instead of -EDELAY.
So to keep the reasoning above, copy the stateid twice.

Benny, if it is OK to not release the layout on -ENOMEM then the check
could just be moved above the spin_lock(), and the put_layout_hdr removed.

Also the error returns would leak the lrp, so fix it.
Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
---
fs/nfs/pnfs.c | 14 +++++++++-----
1 files changed, 9 insertions(+), 5 deletions(-)
diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
index a07b007..3847406 100644
--- a/fs/nfs/pnfs.c
+++ b/fs/nfs/pnfs.c
@@ -627,13 +627,12 @@ _pnfs_return_layout(struct inode *ino)
struct pnfs_layout_hdr *lo = NULL;
struct nfs_inode *nfsi = NFS_I(ino);
LIST_HEAD(tmp_list);
- struct nfs4_layoutreturn *lrp;
+ struct nfs4_layoutreturn *lrp = NULL;
+ nfs4_stateid stateid;
int status = 0;
dprintk("--> %s\n", __func__);
- lrp = kzalloc(sizeof(*lrp), GFP_KERNEL);
-
spin_lock(&ino->i_lock);
lo = nfsi->layout;
if (!lo || !mark_matching_lsegs_invalid(lo, &tmp_list, NULL)) {
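Review bot: the `= NULL` initializer added on the `struct nfs4_layoutreturn *lrp` line is load-bearing now that the kzalloc() has moved below the lock: every `goto out` taken before the allocation relies on it so that the cleanup at `out:` sees a NULL pointer rather than an uninitialized one. A one-line comment next to the declaration ("allocated after the lock is dropped, freed at out: on error") would stop a later cleanup from dropping the initializer as redundant.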
@@ -642,7 +641,7 @@ _pnfs_return_layout(struct inode *ino)
kfree(lrp);
goto out;
}
- lrp->args.stateid = nfsi->layout->plh_stateid;
+ stateid = nfsi->layout->plh_stateid;
/* Reference matched in nfs4_layoutreturn_release */
get_layout_hdr(lo);
spin_unlock(&ino->i_lock);
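Review bot: the `kfree(lrp);` kept as context at the top of this hunk, inside the `!lo || !mark_matching_lsegs_invalid()` early-out branch, is now always `kfree(NULL)`, since the allocation has moved to after `spin_unlock(&ino->i_lock)`. It is harmless but misleading, because it suggests `lrp` can be live at that point; drop it (and the error-path `kfree(lrp)` at `out:` already covers the case where `status` is set). Copying `nfsi->layout->plh_stateid` into the on-stack `stateid` under the lock, before the reference is taken and the lock dropped, is the right fix for the ordering problem described in the commit message.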
@@ -650,11 +649,14 @@ _pnfs_return_layout(struct inode *ino)
WARN_ON(test_bit(NFS_INO_LAYOUTCOMMIT, &nfsi->flags));
- if (lrp == NULL) {
+ /* lrp is freed in nfs4_layoutreturn_release */
+ lrp = kzalloc(sizeof(*lrp), GFP_KERNEL);
+ if (unlikely(!lrp)) {
put_layout_hdr(NFS_I(ino)->layout);
status = -ENOMEM;
goto out;
}
+ lrp->args.stateid = stateid;
lrp->args.reclaim = 0;
lrp->args.layout_type = NFS_SERVER(ino)->pnfs_curr_ld->id;
lrp->args.inode = ino;
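Review bot: in the new -ENOMEM branch, `put_layout_hdr(NFS_I(ino)->layout)` re-reads the layout pointer from the inode outside `i_lock`, whereas the reference being dropped was taken with `get_layout_hdr(lo)` just before the unlock. Using `put_layout_hdr(lo)` here pairs the put with the get on the same pointer and avoids depending on `nfsi->layout` still naming the same object after the lock was released; the `status = -ENOMEM; goto out;` sequence is otherwise correct, since `lrp` is NULL on this path and the `kfree` at `out:` is a no-op.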
@@ -662,6 +664,8 @@ _pnfs_return_layout(struct inode *ino)
status = nfs4_proc_layoutreturn(lrp);
out:
+ if (unlikely(status))
+ kfree(lrp);
dprintk("<-- %s status: %d\n", __func__, status);
return status;
}
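Review bot: the added `if (unlikely(status)) kfree(lrp);` at `out:` needs to be reconciled with the comment added in the previous hunk, "lrp is freed in nfs4_layoutreturn_release". If `nfs4_proc_layoutreturn(lrp)` returns a non-zero status after the RPC task has been set up (so that the release callback runs and frees `lrp`), this `kfree` is a double free; the leak this hunk fixes exists only on the paths that return before ownership of `lrp` is handed to the RPC layer. Suggest either confirming in the commit message that every error return from `nfs4_proc_layoutreturn` happens before the release callback can run, or restricting the `kfree` to the pre-call error paths (for example by clearing `lrp` to NULL once the call has been issued, or freeing it only in the `-ENOMEM` and early-exit branches) so that ownership is unambiguous.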
--
1.7.2.3