From: Benny Halevy <bhalevy@panasas.com>
To: Boaz Harrosh <bharrosh@panasas.com>
Cc: Trond Myklebust <Trond.Myklebust@netapp.com>,
linux-nfs@vger.kernel.org, Andy Adamson <andros@netapp.com>,
Fred Isaman <iisaman@netapp.com>
Subject: Re: [PATCH V3] SQUASHME: pnfs: Fix NULL dereference and leak in the -ENOMEM path
Date: Wed, 25 May 2011 19:55:35 +0300
Message-ID: <4DDD3487.5060300@panasas.com>
In-Reply-To: <4DDD30F8.5020304@panasas.com>
On 2011-05-25 19:40, Boaz Harrosh wrote:
>
> In _pnfs_return_layout:
>
> lrp pointer is checked for NULL after it was already accessed.
>
> The rationale here is that in _pnfs_return_layout we want to
> de-ref and release the layout regardless of whether we sent the
> return or not (forgetful). An eventual recall can return -ENOMATCHING
> instead of -EDELAY.
>
> So to keep the reasoning above, copy the stateid twice.
>
> Benny if it is OK to not release the layout on -ENOMEM then the check
> could just be moved above the spin_lock(), and the put_layout_hdr removed.
>
> Also the error returns would leak the lrp, so fix it.
>
> Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
> ---
> fs/nfs/pnfs.c | 15 +++++++++------
> 1 files changed, 9 insertions(+), 6 deletions(-)
>
> diff --git a/fs/nfs/pnfs.c b/fs/nfs/pnfs.c
> index a07b007..9b749f2 100644
> --- a/fs/nfs/pnfs.c
> +++ b/fs/nfs/pnfs.c
> @@ -627,22 +627,20 @@ _pnfs_return_layout(struct inode *ino)
> struct pnfs_layout_hdr *lo = NULL;
> struct nfs_inode *nfsi = NFS_I(ino);
> LIST_HEAD(tmp_list);
> - struct nfs4_layoutreturn *lrp;
> + struct nfs4_layoutreturn *lrp = NULL;
> + nfs4_stateid stateid;
> int status = 0;
>
> dprintk("--> %s\n", __func__);
>
> - lrp = kzalloc(sizeof(*lrp), GFP_KERNEL);
> -
> spin_lock(&ino->i_lock);
> lo = nfsi->layout;
> if (!lo || !mark_matching_lsegs_invalid(lo, &tmp_list, NULL)) {
> spin_unlock(&ino->i_lock);
> dprintk("%s: no layout segments to return\n", __func__);
> - kfree(lrp);
> goto out;
> }
> - lrp->args.stateid = nfsi->layout->plh_stateid;
> + stateid = nfsi->layout->plh_stateid;
> /* Reference matched in nfs4_layoutreturn_release */
> get_layout_hdr(lo);
> spin_unlock(&ino->i_lock);
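Review bot: the stateid copy reads `nfsi->layout->plh_stateid` while `lo` already holds `nfsi->layout` (checked non-NULL a few lines above and used for `get_layout_hdr(lo)` right after); reading `stateid = lo->plh_stateid;` keeps the hunk consistent and makes it obvious the copy is taken from the same header whose reference is being acquired under `i_lock`. Initialising `lrp = NULL` is now load-bearing, since the early "no layout segments" path jumps to `out:` without ever allocating; a comment at the declaration saying so would stop a later cleanup from dropping the initialiser.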
> @@ -650,11 +648,14 @@ _pnfs_return_layout(struct inode *ino)
>
> WARN_ON(test_bit(NFS_INO_LAYOUTCOMMIT, &nfsi->flags));
>
> - if (lrp == NULL) {
I prefer to simply move this test up before the condition calling
mark_matching_lsegs_invalid
> + /* lrp is freed in nfs4_layoutreturn_release */
> + lrp = kzalloc(sizeof(*lrp), GFP_KERNEL);
> + if (unlikely(!lrp)) {
> put_layout_hdr(NFS_I(ino)->layout);
> status = -ENOMEM;
> goto out;
> }
> + lrp->args.stateid = stateid;
> lrp->args.reclaim = 0;
> lrp->args.layout_type = NFS_SERVER(ino)->pnfs_curr_ld->id;
> lrp->args.inode = ino;
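Review bot: the -ENOMEM path drops the reference via `put_layout_hdr(NFS_I(ino)->layout)`, but the reference being undone was taken on `lo` under `i_lock` in the previous hunk, and this code now runs after `spin_unlock(&ino->i_lock)`; `put_layout_hdr(lo)` releases exactly the header that was acquired without assuming `nfsi->layout` is unchanged outside the lock. The alternative raised in the reply above (allocate `lrp` before taking `i_lock`, fail early on NULL) removes this put/get pairing entirely and sidesteps the question.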
> @@ -662,6 +663,8 @@ _pnfs_return_layout(struct inode *ino)
>
> status = nfs4_proc_layoutreturn(lrp);
> out:
> + if (unlikely(status))
> + kfree(lrp);
I wonder where this leak you're seeing is coming from.
rpc_release is supposed to be called even on task allocation error,
see rpc_new_task.
Benny
> dprintk("<-- %s status: %d\n", __func__, status);
> return status;
> }
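Review bot: `if (unlikely(status)) kfree(lrp);` at `out:` frees `lrp` on every non-zero status, including the case where `nfs4_proc_layoutreturn(lrp)` fails after ownership of `lrp` has passed to the RPC layer; the comment added in the previous hunk ("lrp is freed in nfs4_layoutreturn_release") says that release callback also frees it, so this path can double free. The other routes to `out:` do not need this line either: the -ENOMEM path arrives with `lrp == NULL`, and the "no layout segments" path arrives with `status == 0`. Either confirm that the failing return value is one where the release callback is never invoked and free only there, or leave the free to `nfs4_layoutreturn_release` as the reply above suggests.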