git: b06973a2f2a8 - stable/14 - nfsd: Fix slow leaks of NAMEI buffers
- Go to: [ bottom of page ] [ top of archives ] [ this month ]
Date: Fri, 29 Aug 2025 03:23:08 UTC
The branch stable/14 has been updated by rmacklem:
URL: https://cgit.FreeBSD.org/src/commit/?id=b06973a2f2a8854b4803c9a4d00dc0482be8f268
commit b06973a2f2a8854b4803c9a4d00dc0482be8f268
Author: Rick Macklem <rmacklem@FreeBSD.org>
AuthorDate: 2025-08-15 19:11:08 +0000
Commit: Rick Macklem <rmacklem@FreeBSD.org>
CommitDate: 2025-08-29 03:20:15 +0000
nfsd: Fix slow leaks of NAMEI buffers
Commit 5b5b7e2ca2fa changed namei()s behaviour such that it
does not free the NAMEI buffer unless returning an error.
The nfsd was not fixed for this. Fortunately, the only
leak would be one NAMEI buffer each time mountd(8) reloads
the exports. (There were also leaks in the pNFS server
configuration, but almost no one uses it.)
This patch fixes the leaks by adding NDFREE_PNBUF() macros
in the appropriate places.
MFC after: 2 weeks
Discussed with: kib
Fixes: 5b5b7e2ca2fa ("vfs: always retain path buffer after lookup")
(cherry picked from commit 9cd3860c10b6afaaaeb118dafc166ab168bc9083)
---
sys/fs/nfsserver/nfs_nfsdport.c | 1 +
sys/fs/nfsserver/nfs_nfsdstate.c | 6 ++++++
2 files changed, 7 insertions(+)
diff --git a/sys/fs/nfsserver/nfs_nfsdport.c b/sys/fs/nfsserver/nfs_nfsdport.c
index a4a729613038..c22d06ef0aeb 100644
--- a/sys/fs/nfsserver/nfs_nfsdport.c
+++ b/sys/fs/nfsserver/nfs_nfsdport.c
@@ -3589,6 +3589,7 @@ nfsrv_v4rootexport(void *argp, struct ucred *cred, struct thread *p)
NDINIT(&nd, LOOKUP, FOLLOW, UIO_USERSPACE, nfsexargp->fspec);
if ((error = namei(&nd)) != 0)
goto out;
+ NDFREE_PNBUF(&nd);
error = nfsvno_getfh(nd.ni_vp, &fh, p);
vrele(nd.ni_vp);
if (!error) {
diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c
index 0f556adb697b..cca977b31e8e 100644
--- a/sys/fs/nfsserver/nfs_nfsdstate.c
+++ b/sys/fs/nfsserver/nfs_nfsdstate.c
@@ -7724,6 +7724,7 @@ nfsrv_setdsserver(char *dspathp, char *mdspathp, NFSPROC_T *p,
NFSD_DEBUG(4, "lookup=%d\n", error);
if (error != 0)
return (error);
+ NDFREE_PNBUF(&nd);
if (nd.ni_vp->v_type != VDIR) {
vput(nd.ni_vp);
NFSD_DEBUG(4, "dspath not dir\n");
@@ -7760,6 +7761,7 @@ nfsrv_setdsserver(char *dspathp, char *mdspathp, NFSPROC_T *p,
NFSD_DEBUG(4, "dsdirpath=%s lookup=%d\n", dsdirpath, error);
if (error != 0)
break;
+ NDFREE_PNBUF(&nd);
if (nd.ni_vp->v_type != VDIR) {
vput(nd.ni_vp);
error = ENOTDIR;
@@ -7788,6 +7790,7 @@ nfsrv_setdsserver(char *dspathp, char *mdspathp, NFSPROC_T *p,
NFSD_DEBUG(4, "mds lookup=%d\n", error);
if (error != 0)
goto out;
+ NDFREE_PNBUF(&nd);
if (nd.ni_vp->v_type != VDIR) {
vput(nd.ni_vp);
error = ENOTDIR;
@@ -8647,6 +8650,7 @@ nfsrv_mdscopymr(char *mdspathp, char *dspathp, char *curdspathp, char *buf,
NFSD_DEBUG(4, "lookup=%d\n", error);
if (error != 0)
return (error);
+ NDFREE_PNBUF(&nd);
if (nd.ni_vp->v_type != VREG) {
vput(nd.ni_vp);
NFSD_DEBUG(4, "mdspath not reg\n");
@@ -8668,6 +8672,7 @@ nfsrv_mdscopymr(char *mdspathp, char *dspathp, char *curdspathp, char *buf,
vput(vp);
return (error);
}
+ NDFREE_PNBUF(&nd);
if (nd.ni_vp->v_type != VDIR) {
vput(nd.ni_vp);
vput(vp);
@@ -8710,6 +8715,7 @@ nfsrv_mdscopymr(char *mdspathp, char *dspathp, char *curdspathp, char *buf,
vput(curvp);
return (error);
}
+ NDFREE_PNBUF(&nd);
if (nd.ni_vp->v_type != VDIR || nd.ni_vp == curvp) {
vput(nd.ni_vp);
vput(vp);