kern/140853: NFSv2 remove calls fail to send error replies (memory leak!)

Ted Faber faber at isi.edu
Wed Nov 25 02:30:03 UTC 2009 

>Number:         140853
>Category:       kern
>Synopsis:       NFSv2 remove calls fail to send error replies (memory leak!)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-bugs
>State:          open
>Quarter:        
>Keywords:       
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 25 02:30:02 UTC 2009
>Closed-Date:
>Last-Modified:
>Originator:     Ted Faber
>Release:        FreeBSD 7.2-STABLE i386
>Organization:
USC/ISI
>Environment:
System: FreeBSD zod.isi.edu 7.2-STABLE FreeBSD 7.2-STABLE #9: Fri Oct 16 13:39:11 PDT 2009 root at zod.isi.edu:/usr/obj/usr/src/sys/GENERIC i386

As far as I can see this code (/sys/nfsserver/nfs_serv.c) is unchanged through
current (CVS 1.195.2.3.2.1), so it should be patched accross FreeBSD 7 through
9.


>Description:
	NFS remove operations that encounter errors do not generate replies.
	The replies remain in memory and gradually run the machine out of
	kernel memory.  The because no error reply is sent failing requests
	continue to be resent, making memory exhaustion more likely.

	The low level problem is that the error variable is not cleared in
	nfsrv_remove as it is in other routines.  It's one line to fix.


>How-To-Repeat:

	Starting a directory delete and rebooting the server should exhibit the
	problem.  We sent captured NFS packets to the server, and these are
	available on request.  An incorrectly handled remove operation will
	increment both the Server Ret-Failed and Server Faults lines in
	nfsstats on the server.  umastats can directly show the leak.

>Fix:

patch against nfs_serv.c follows:


--- nfs_serv.c.orig	2009-07-27 08:39:10.000000000 -0700
+++ nfs_serv.c	2009-11-24 17:45:28.000000000 -0800
@@ -2221,8 +2221,8 @@
 	nfsm_reply(NFSX_WCCDATA(v3));
 	if (v3) {
 		nfsm_srvwcc_data(dirfor_ret, &dirfor, diraft_ret, &diraft);
-		error = 0;
 	}
+	error = 0;
 nfsmout:
 	NDFREE(&nd, NDF_ONLY_PNBUF);
 	if (nd.ni_dvp) {

>Release-Note:
>Audit-Trail:
>Unformatted:

More information about the freebsd-bugs mailing list