2010-11-22 12:44:00

by Wengang Wang

Subject: [PATCH] lockd: release memory for non-normal situation

nlmclnt_proc() is neither releasing nlm_rqst nor dropping the ref on nlm_host.
Do the release work though I am not sure if it can really hit the situation.

Signed-off-by: Wengang Wang <[email protected]>
---
fs/lockd/clntproc.c | 4 +++-
1 files changed, 3 insertions(+), 1 deletions(-)

diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
index 332c54c..ec9f0f5 100644
--- a/fs/lockd/clntproc.c
+++ b/fs/lockd/clntproc.c
@@ -173,8 +173,10 @@ int nlmclnt_proc(struct nlm_host *host, int cmd, struct file_lock *fl)
status = nlmclnt_unlock(call, fl);
} else if (IS_GETLK(cmd))
status = nlmclnt_test(call, fl);
- else
+ else {
+ nlm_release_call(call);
status = -EINVAL;
+ }
fl->fl_ops->fl_release_private(fl);
fl->fl_ops = NULL;
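Review bot: the commit message should state where `call` is released on the three handled paths (`nlmclnt_lock`, `nlmclnt_unlock`, `nlmclnt_test`), because nothing in this hunk shows it, and that is what justifies releasing only on the `-EINVAL` path; as the diff stands a reader cannot tell whether the new `nlm_release_call(call)` is the only release or a second one. Kernel coding style also asks for braces on every branch once one branch needs them, so `} else if (IS_GETLK(cmd))` should gain braces alongside the new `else {`. Finally, since the `-EINVAL` branch is reached only for a `cmd` that is neither a set-lock nor a get-lock request, the message should say whether any caller can pass such a value; if none can, describe the release as defensive rather than as a fix for an observed leak.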

--
1.7.2.3



2010-11-22 17:15:46

by Chuck Lever III

Subject: Re: [PATCH] lockd: release memory for non-normal situation

Hi-

On Nov 22, 2010, at 7:40 AM, Wengang Wang wrote:

> nlmclnt_proc() is neither releasing nlm_rqst nor dropping the ref on nlm_host.
> Do the release work though I am not sure if it can really hit the situation.

Based on casual code review, the only case where this is a possibility is the "out_unlock" label in nlmclnt_lock(). Otherwise, this patch introduces a double release in other cases, doesn't it?

Is there a reproducer that can demonstrate a leak?

> Signed-off-by: Wengang Wang <[email protected]>
> ---
> fs/lockd/clntproc.c | 4 +++-
> 1 files changed, 3 insertions(+), 1 deletions(-)
>
> diff --git a/fs/lockd/clntproc.c b/fs/lockd/clntproc.c
> index 332c54c..ec9f0f5 100644
> --- a/fs/lockd/clntproc.c
> +++ b/fs/lockd/clntproc.c
> @@ -173,8 +173,10 @@ int nlmclnt_proc(struct nlm_host *host, int cmd, struct file_lock *fl)
> status = nlmclnt_unlock(call, fl);
> } else if (IS_GETLK(cmd))
> status = nlmclnt_test(call, fl);
> - else
> + else {
> + nlm_release_call(call);
> status = -EINVAL;
> + }
> fl->fl_ops->fl_release_private(fl);
> fl->fl_ops = NULL;

--
Chuck Lever
chuck[dot]lever[at]oracle[dot]com

2010-11-22 18:44:12

by Trond Myklebust

Subject: Re: [PATCH] lockd: release memory for non-normal situation

On Mon, 2010-11-22 at 12:15 -0500, Chuck Lever wrote:
> Hi-
>
> On Nov 22, 2010, at 7:40 AM, Wengang Wang wrote:
>
> > nlmclnt_proc() is neither releasing nlm_rqst nor dropping the ref on nlm_host.
> > Do the release work though I am not sure if it can really hit the situation.
>
> Based on casual code review, the only case where this is a possibility is the "out_unlock" label in nlmclnt_lock(). Otherwise, this patch introduces a double release in other cases, doesn't it?

No. It only occurs if !IS_GETLK(cmd) && !IS_SETLK(cmd) && !IS_SETLKW(cmd). The VFS should ensure this never happens, so I don't think this is an exploitable bug.

The question therefore is: do we add this fix, or do we just remove the -EINVAL error condition and replace it by a BUG()?

Cheers
Trond