From faber@zod.isi.edu  Wed Nov 25 02:29:42 2009
Return-Path: <faber@zod.isi.edu>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id 03C9C1065696
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 25 Nov 2009 02:29:42 +0000 (UTC)
	(envelope-from faber@zod.isi.edu)
Received: from zod.isi.edu (zod.isi.edu [128.9.168.221])
	by mx1.freebsd.org (Postfix) with ESMTP id E1D5F8FC1A
	for <FreeBSD-gnats-submit@freebsd.org>; Wed, 25 Nov 2009 02:29:41 +0000 (UTC)
Received: from zod.isi.edu (localhost [127.0.0.1])
	by zod.isi.edu (8.14.3/8.14.3) with ESMTP id nAP251Qg087285;
	Tue, 24 Nov 2009 18:05:01 -0800 (PST)
	(envelope-from faber@zod.isi.edu)
Received: (from faber@localhost)
	by zod.isi.edu (8.14.3/8.14.3/Submit) id nAP251e3087284;
	Tue, 24 Nov 2009 18:05:01 -0800 (PST)
	(envelope-from faber)
Message-Id: <200911250205.nAP251e3087284@zod.isi.edu>
Date: Tue, 24 Nov 2009 18:05:01 -0800 (PST)
From: Ted Faber <faber@isi.edu>
Reply-To: Ted Faber <faber@isi.edu>, jhickey@isi.edu, mikeryan@isi.edu
To: FreeBSD-gnats-submit@freebsd.org
Cc: jhickey@isi.edu, mikeryan@isi.edu
Subject: NFSv2 remove calls fail to send error replies (memory leak!)
X-Send-Pr-Version: 3.113
X-GNATS-Notify:

>Number:         140853
>Category:       kern
>Synopsis:       [nfs] [patch] NFSv2 remove calls fail to send error replies (memory leak!)
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-fs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Nov 25 02:30:02 UTC 2009
>Closed-Date:    Fri Dec 18 19:58:06 UTC 2009
>Last-Modified:  Fri Dec 18 19:58:06 UTC 2009
>Originator:     Ted Faber
>Release:        FreeBSD 7.2-STABLE i386
>Organization:
USC/ISI
>Environment:
System: FreeBSD zod.isi.edu 7.2-STABLE FreeBSD 7.2-STABLE #9: Fri Oct 16 13:39:11 PDT 2009 root@zod.isi.edu:/usr/obj/usr/src/sys/GENERIC i386

As far as I can see this code (/sys/nfsserver/nfs_serv.c) is unchanged through
current (CVS 1.195.2.3.2.1), so it should be patched across FreeBSD 7 through
9.


>Description:
	NFS remove operations that encounter errors do not generate replies.
	The replies remain in memory and gradually run the machine out of
	kernel memory.  Because no error reply is sent, failing requests
	continue to be resent, making memory exhaustion more likely.

	The low level problem is that the error variable is not cleared in
	nfsrv_remove as it is in other routines.  It's one line to fix.


>How-To-Repeat:

	Starting a directory delete and rebooting the server should exhibit the
	problem.  We sent captured NFS packets to the server, and these are
	available on request.  An incorrectly handled remove operation will
	increment both the Server Ret-Failed and Server Faults lines in
	nfsstats on the server.  umastats can directly show the leak.

>Fix:

patch against nfs_serv.c follows:


--- nfs_serv.c.orig	2009-07-27 08:39:10.000000000 -0700
+++ nfs_serv.c	2009-11-24 17:45:28.000000000 -0800
@@ -2221,8 +2221,8 @@
 	nfsm_reply(NFSX_WCCDATA(v3));
 	if (v3) {
 		nfsm_srvwcc_data(dirfor_ret, &dirfor, diraft_ret, &diraft);
-		error = 0;
 	}
+	error = 0;
 nfsmout:
 	NDFREE(&nd, NDF_ONLY_PNBUF);
 	if (nd.ni_dvp) {
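
Review bot: the relocated `error = 0;` directly above `nfsmout:` needs a comment, because without one it reads as if a failed remove is being reported as success. A line such as `/* status is already in the reply built by nfsm_reply(); return 0 so it gets sent */` would record why the clear is needed for v2 as well as v3. With the assignment moved out, the `if (v3) { ... }` block holds a single statement and the braces can go.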

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-fs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Nov 25 03:39:42 UTC 2009 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=140853 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/140853: commit references a PR
Date: Thu,  3 Dec 2009 20:59:36 +0000 (UTC)

 Author: jhb
 Date: Thu Dec  3 20:59:28 2009
 New Revision: 200084
 URL: http://svn.freebsd.org/changeset/base/200084
 
 Log:
   Properly return an error reply if an NFS remove or link operation fails.
   Previously the failing operation would allocate an mbuf and construct an
   error reply, but because the function did not return 0, the NFS server
   assumed it had failed to generate a reply and would leak the reply mbuf as
   well as not sending the reply to the NFS client.
   
   PR:		kern/140853
   Submitted by:	Ted Faber  faber at isi edu (remove)
   Reviewed by:	rmacklem (remove)
   MFC after:	1 week
 
 Modified:
   head/sys/nfsserver/nfs_serv.c
 
 Modified: head/sys/nfsserver/nfs_serv.c
 ==============================================================================
 --- head/sys/nfsserver/nfs_serv.c	Thu Dec  3 20:55:09 2009	(r200083)
 +++ head/sys/nfsserver/nfs_serv.c	Thu Dec  3 20:59:28 2009	(r200084)
 @@ -1810,10 +1810,9 @@ out:
  	}
  ereply:
  	nfsm_reply(NFSX_WCCDATA(v3));
 -	if (v3) {
 +	if (v3)
  		nfsm_srvwcc_data(dirfor_ret, &dirfor, diraft_ret, &diraft);
 -		error = 0;
 -	}
 +	error = 0;
  nfsmout:
  	NDFREE(&nd, NDF_ONLY_PNBUF);
  	if (nd.ni_dvp) {
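
Review bot: `error = 0;` sits above the `nfsmout:` label, so any path that jumps straight to `nfsmout` still returns its nonzero error. It is worth confirming that none of those paths has already built a reply with `nfsm_reply()`, since per the log a nonzero return after that point leaks the reply mbuf and sends nothing to the client.
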
 @@ -2187,8 +2186,8 @@ ereply:
  	if (v3) {
  		nfsm_srvpostop_attr(getret, &at);
  		nfsm_srvwcc_data(dirfor_ret, &dirfor, diraft_ret, &diraft);
 -		error = 0;
  	}
 +	error = 0;
  	/* fall through */
  
  nfsmout:
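
Review bot: this second `ereply:` hunk falls outside the "(remove)" qualifiers on the Submitted by and Reviewed by lines in the log, so going by the log it has neither the submitter's packet replay nor the review behind it. A failing NFSv2 request driven through this path, checked against the server's failure counters as in the PR's How-To-Repeat, would confirm the `error = 0;` move here before the MFC.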
 
State-Changed-From-To: open->closed 
State-Changed-By: jhb 
State-Changed-When: Fri Dec 18 19:57:23 UTC 2009 
State-Changed-Why:  
Fix applied to 6.x and later, thanks! 

http://www.freebsd.org/cgi/query-pr.cgi?pr=140853 
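
The reply contract described in the commit log above, as an added example that is not part of the PR or of the FreeBSD source: a user-space C model in which a handler builds a reply and the dispatcher sends it only when the handler returns 0. All names, the `fixed` switch and the error value are hypothetical.

```c
#include <stdio.h>
#include <stdlib.h>
/* Constructed model; names are hypothetical, not FreeBSD kernel symbols. */
struct reply { int status; };
static int live_replies, sent_replies;  /* allocated-but-unreleased / sent */

static struct reply *reply_alloc(int status) {
    struct reply *r = malloc(sizeof(*r));
    if (r == NULL) abort();
    r->status = status;
    live_replies++;
    return r;
}

/* Handler contract: return 0 when *out holds a reply (even an error reply). */
static int remove_handler(int v3, int op_error, int fixed, struct reply **out) {
    int error = op_error;
    *out = reply_alloc(error);  /* the status is already encoded in the reply */
    if (fixed)
        error = 0;              /* patched: cleared for v2 and v3 alike */
    else if (v3)
        error = 0;              /* original: cleared only inside if (v3) */
    return error;
}

/* Dispatcher: treats nonzero as "no reply was built" and drops the pointer. */
static void dispatch(int v3, int op_error, int fixed) {
    struct reply *r = NULL;
    if (remove_handler(v3, op_error, fixed, &r) != 0)
        return;                 /* r is never sent or freed: the leak */
    sent_replies++;
    live_replies--;
    free(r);
}

/* Run n failing requests; return how many replies are left allocated. */
static int leaked_after(int n, int v3, int fixed) {
    live_replies = sent_replies = 0;
    for (int i = 0; i < n; i++)
        dispatch(v3, 13 /* constructed error code */, fixed);
    return live_replies;
}

int main(void) {
    printf("v2 original: %d leaked\n", leaked_after(100, 0, 0));
    printf("v3 original: %d leaked\n", leaked_after(100, 1, 0));
    printf("v2 patched:  %d leaked\n", leaked_after(100, 0, 1));
    return 0;
}
```

In the model, as in the report, every failing v2 request leaves one reply allocated and unanswered, so a client that retries keeps adding to the total.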
>Unformatted:
