2007-05-04 15:59:32

by Frank Filz

Subject: [PATCH] Fix resource leak resulting in module refcount leak for rpcsec_gss_krb5.ko

I have been investigating a module reference count leak on the server
for rpcsec_gss_krb5.ko. It turns out the problem is a reference count
leak for the security context in net/sunrpc/auth_gss/svcauth_gss.c.

The problem is that gss_write_init_verf() calls gss_svc_searchbyctx()
which does a rsc_lookup() but never releases the reference to the
context. There is another issue that rpc.svcgssd sets an "end of time"
expiration for the context.

By adding a cache_put() call in gss_svc_searchbyctx(), and setting an
expiration timeout in the downcall, cache_clean() does clean up the
context and the module reference count now goes to zero after unmount.

I also verified that if the context expires and then the client makes a
new request, a new context is established.

Here is the patch to fix the kernel, I will start a separate thread to
discuss what expiration time should be set by rpc.svcgssd.

Signed-off-by: Frank Filz <[email protected]>

diff --git a/net/sunrpc/auth_gss/svcauth_gss.c
b/net/sunrpc/auth_gss/svcauth_gss.c
index db298b5..eb16e30 100644
--- a/net/sunrpc/auth_gss/svcauth_gss.c
+++ b/net/sunrpc/auth_gss/svcauth_gss.c
@@ -924,6 +924,7 @@ static inline int
gss_write_init_verf(struct svc_rqst *rqstp, struct rsi *rsip)
{
struct rsc *rsci;
+ int rc;

if (rsip->major_status != GSS_S_COMPLETE)
return gss_write_null_verf(rqstp);
@@ -932,7 +933,9 @@ gss_write_init_verf(struct svc_rqst *rqstp, struct
rsi *rsip)
rsip->major_status = GSS_S_NO_CONTEXT;
return gss_write_null_verf(rqstp);
}
- return gss_write_verf(rqstp, rsci->mechctx, GSS_SEQ_WIN);
+ rc = gss_write_verf(rqstp, rsci->mechctx, GSS_SEQ_WIN);
+ cache_put(&rsci->h, &rsc_cache);
+ return rc;
}

/*
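
Review bot: the added cache_put(&rsci->h, &rsc_cache) sits in gss_write_init_verf(), after the gss_write_verf() call, but the commit message says the call is added in gss_svc_searchbyctx(); the message should name the function that is actually changed so the log matches the code. The ordering itself is right, since rsci->mechctx is read by gss_write_verf() before the reference is dropped, and saving the result in rc keeps the return value intact. Of the two earlier returns through gss_write_null_verf(), the one visible in this hunk is in the branch that sets GSS_S_NO_CONTEXT, so it appears to be the path where no context was found and no put is needed; it would be worth confirming that in the full function. A one-line comment at the lookup saying that the returned rsc carries a reference the caller must release with cache_put() would make the ownership rule explicit for other callers.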




_______________________________________________
NFS maillist - [email protected]
https://lists.sourceforge.net/lists/listinfo/nfs


2007-05-04 17:25:14

by J. Bruce Fields

Subject: Re: [PATCH] Fix resource leak resulting in module refcount leak for rpcsec_gss_krb5.ko

On Fri, May 04, 2007 at 08:59:32AM -0700, Frank Filz wrote:
> I have been investigating a module reference count leak on the server
> for rpcsec_gss_krb5.ko. It turns out the problem is a reference count
> leak for the security context in net/sunrpc/auth_gss/svcauth_gss.c.
>
> The problem is that gss_write_init_verf() calls gss_svc_searchbyctx()
> which does a rsc_lookup() but never releases the reference to the
> context. There is another issue that rpc.svcgssd sets an "end of time"
> expiration for the context.
>
> By adding a cache_put() call in gss_svc_searchbyctx(), and setting an
> expiration timeout in the downcall, cache_clean() does clean up the
> context and the module reference count now goes to zero after unmount.
>
> I also verified that if the context expires and then the client makes a
> new request, a new context is established.
>
> Here is the patch to fix the kernel, I will start a separate thread to
> discuss what expiration time should be set by rpc.svcgssd.
>
> Signed-off-by: Frank Filz <[email protected]>

Thanks!

Acked-by: "J. Bruce Fields" <[email protected]>

(And applied to my tree.) A nit:

> @@ -932,7 +933,9 @@ gss_write_init_verf(struct svc_rqst *rqstp, struct
> rsi *rsip)

That line got wrapped, so has to be fixed up by hand before the patch
will apply. Probably there's some setting in your mail client to fix
that for next time....

--b.
