Bug #2986

nfs: exi refcounter leak at rfs3_lookup

Added by Vitaliy Gusev over 8 years ago. Updated over 7 years ago.

Status: Resolved
Priority: Normal
Assignee:
Category: nfs - NFS server and client
Start date: 2012-07-10
Due date:
% Done: 100%
Estimated time:
Difficulty: Medium
Tags: needs-triage
Gerrit CR:

Description

rfs3_lookup can exit without calling exi_rele() for the public exi:

    if (sec.sec_flags & SEC_QUERY) {
        error = makefh3_ol(&resp->resok.object, exi, sec.sec_index);
    } else {
        error = makefh3(&resp->resok.object, vp, exi);
        if (!error && publicfh_flag && !chk_clnt_sec(exi, req))
            auth_weak = TRUE;
    }

    if (error) {
        VN_RELE(vp);
        goto out;
    }

    /*
     * If publicfh_flag is true then we have called rfs_publicfh_mclookup
     * and have obtained a new exportinfo in exi which needs to be
     * released. Note the the original exportinfo pointed to by exi
     * will be released by the caller, common_dispatch.
     */
    if (publicfh_flag)
        exi_rele(exi);

Related issues

Related to illumos gate - Bug #3435: nfssrv causes bad mutex crash (Closed, Marcel Telka, 2012-12-31)
Related to illumos gate - Bug #3449: System panics after zfs rollback (Closed, Marcel Telka, 2013-01-04)

#1

Updated by Vitaliy Gusev over 8 years ago

    if (sec.sec_flags & SEC_QUERY) {

     ....

    if (error) {
        VN_RELE(vp);
        goto out;
    }

   ^^^^^^^^^
   here is the leak, because there is no "exi_rele" at "out"
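
A user-space model of the control flow described in this report, added here as an illustration; it is not the illumos code or the integrated fix. `struct exportinfo` is reduced to a bare counter, and `lookup_model`, `leaked_holds` and the `rele_at_out` switch are hypothetical names used only to compare the quoted flow with a release placed on the shared exit path.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed stand-in for the kernel exportinfo; only the count is modelled. */
struct exportinfo { int exi_count; };

static void exi_hold(struct exportinfo *exi) { exi->exi_count++; }
static void exi_rele(struct exportinfo *exi) { exi->exi_count--; }

/*
 * Model of the tail of rfs3_lookup. "pub" plays the exportinfo obtained via
 * rfs_publicfh_mclookup (returned held); fh_error simulates makefh3() failing.
 * rele_at_out == false follows the flow quoted in the report; true moves the
 * release to the shared exit label (an assumed remedy, not the illumos fix).
 */
static int
lookup_model(struct exportinfo *pub, bool publicfh_flag, int fh_error,
    bool rele_at_out)
{
	struct exportinfo *exi = NULL;

	if (publicfh_flag) {
		exi_hold(pub);		/* reference taken by the public lookup */
		exi = pub;
	}
	if (fh_error)
		goto out;		/* quoted flow: skips the exi_rele below */
	if (publicfh_flag && !rele_at_out)
		exi_rele(exi);
out:
	if (publicfh_flag && rele_at_out)
		exi_rele(exi);
	return (fh_error);
}

/* Hold count left on the public export after n failing public lookups. */
static int
leaked_holds(int n, bool rele_at_out)
{
	struct exportinfo pub = { 0 };

	for (int i = 0; i < n; i++)
		(void) lookup_model(&pub, true, 1, rele_at_out);
	return (pub.exi_count);
}

int main(void) {
	printf("quoted flow: %d held, release at out: %d held\n",
	    leaked_holds(1000, false), leaked_holds(1000, true));
	return (0);
}
```

In the model each failing public-filehandle lookup leaves one hold behind, so the count on the export never returns to zero.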

#2

Updated by Albert Lee about 8 years ago

  • Status changed from New to Resolved
  • % Done changed from 0 to 100

Fixed in:
user: Vitaliy Gusev <>
date: Wed Aug 22 13:03:31 2012 +0000
files: usr/src/uts/common/fs/nfs/nfs3_srv.c usr/src/uts/common/fs/nfs/nfs_server.c usr/src/uts/common/fs/nfs/nfs_srv.c
description:
2986 nfs: exi refcounter leak at rfs3_lookup
Reviewed by: Albert Lee <>
Reviewed by: Gordon Ross <>
Approved by: Albert Lee <>

#3

Updated by Marcel Telka over 7 years ago

  • Category set to nfs - NFS server and client

#4

Updated by Marcel Telka over 7 years ago

  • Assignee changed from Vitaliy Gusev to Marcel Telka

The original fix for this bug was backed out:

  Branch: refs/heads/master
  Home:   https://github.com/illumos/illumos-gate
  Commit: 596bc2391087577f88d3665a6fb36aba8f1f2003
      https://github.com/illumos/illumos-gate/commit/596bc2391087577f88d3665a6fb36aba8f1f2003
  Author: Marcel Telka <marcel.telka@nexenta.com>
  Date:   2013-03-14 (Thu, 14 Mar 2013)

  Changed paths:
    M usr/src/uts/common/fs/nfs/nfs3_srv.c
    M usr/src/uts/common/fs/nfs/nfs_server.c
    M usr/src/uts/common/fs/nfs/nfs_srv.c

  Log Message:
  -----------
  Back out hg changeset 829c00a55a37, bug 2986  --  introduces vulnerability
Reviewed by: Richard Lowe <richlowe@richlowe.net>
Reviewed by: Christopher Siden <christopher.siden@delphix.com>
Approved by: Dan McDonald <danmcd@nexenta.com>

and a new fix was integrated:

  Branch: refs/heads/master
  Home:   https://github.com/illumos/illumos-gate
  Commit: fd9d0a82261102319cc3b862d8f2609c68e0fd23
      https://github.com/illumos/illumos-gate/commit/fd9d0a82261102319cc3b862d8f2609c68e0fd23
  Author: Marcel Telka <marcel.telka@nexenta.com>
  Date:   2013-03-14 (Thu, 14 Mar 2013)

  Changed paths:
    M usr/src/uts/common/fs/nfs/nfs3_srv.c

  Log Message:
  -----------
  2986 nfs: exi refcounter leak at rfs3_lookup
Reviewed by: Christopher Siden <christopher.siden@delphix.com>
Reviewed by: Garrett D'Amore <garrett@damore.org>
Approved by: Dan McDonald <danmcd@nexenta.com>
