From nobody@FreeBSD.org  Tue Apr 24 14:16:19 2012
Return-Path: <nobody@FreeBSD.org>
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34])
	by hub.freebsd.org (Postfix) with ESMTP id BFC8E106566B
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Apr 2012 14:16:19 +0000 (UTC)
	(envelope-from nobody@FreeBSD.org)
Received: from red.freebsd.org (red.freebsd.org [IPv6:2001:4f8:fff6::22])
	by mx1.freebsd.org (Postfix) with ESMTP id 916108FC15
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Apr 2012 14:16:19 +0000 (UTC)
Received: from red.freebsd.org (localhost [127.0.0.1])
	by red.freebsd.org (8.14.4/8.14.4) with ESMTP id q3OEGJYp010777
	for <freebsd-gnats-submit@FreeBSD.org>; Tue, 24 Apr 2012 14:16:19 GMT
	(envelope-from nobody@red.freebsd.org)
Received: (from nobody@localhost)
	by red.freebsd.org (8.14.4/8.14.4/Submit) id q3OEGI15010776;
	Tue, 24 Apr 2012 14:16:18 GMT
	(envelope-from nobody)
Message-Id: <201204241416.q3OEGI15010776@red.freebsd.org>
Date: Tue, 24 Apr 2012 14:16:18 GMT
From: Oliver Brandmueller <ob@e-Gitt.net>
To: freebsd-gnats-submit@FreeBSD.org
Subject: ZFS + new NFS export (sharenfs) leads to NAMEI leak
X-Send-Pr-Version: www-3.1
X-GNATS-Notify:

>Number:         167266
>Category:       kern
>Synopsis:       [zfs] [nfs] ZFS + new NFS export (sharenfs) leads to NAMEI leak
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    freebsd-fs
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Tue Apr 24 14:20:13 UTC 2012
>Closed-Date:    Tue May 29 13:57:22 UTC 2012
>Last-Modified:  Tue May 29 13:57:22 UTC 2012
>Originator:     Oliver Brandmueller
>Release:        9-STABLE
>Organization:
>Environment:
FreeBSD silver 9.0-STABLE FreeBSD 9.0-STABLE #9: Sun Apr  8 13:11:22 CEST 2012     root@silver:/usr/obj/usr/src/sys/BLACK  amd64
>Description:
If you NFS export a ZFS, create/remove of a file or directory lead to the leak of a NAMEI path buffer on the NFS server.

This happens with new nfs (only NFSv3 tested) only, using the old NFS server does not trigger the NAMEI path buffer leak.

An exported UFS on the same machine/environment does not trigger the behaviour.
>How-To-Repeat:
rc.conf:
nfs_server_enable="YES"
nfs_server_flags="-u -t -n 64"
mountd_enable="YES"
mountd_flags="/etc/zfs/exports"
rpcbind_enable="YES"
lockd_enable="YES"

(mountd_flags not needed, if zfs_enable is set)


Assuming, you have a USB stick or similar as /dev/da0 (it will probably         
even work with an md device):                                                   
                                                                                
zpool create exptest /dev/da0                                                   
zfs sharenfs="-maproot=0 localhost" exptest                                     
# check with showmount -e exporting worked as expected                          
mount localhost:/exptest /mnt                                                   
cd /mnt                                                                         
vmstat -z | fgrep NAMEI                                                         
echo test > foo                                                                 
vmstat -z | fgrep NAMEI                                                         
rm foo                                                                          
vmstat -z | fgrep NAMEI                                                         

you may repeat the creation/removal of the file several time and you will notice the NAMEI count increasing by one on each delete operation, no matter if file or directory.
>Fix:
No fix known.
Workaround: using old NFS server.


>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-bugs->freebsd-fs 
Responsible-Changed-By: linimon 
Responsible-Changed-When: Wed Apr 25 05:01:00 UTC 2012 
Responsible-Changed-Why:  
Over to maintainer(s). 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167266 

From: dfilter@FreeBSD.ORG (dfilter service)
To: bug-followup@FreeBSD.org
Cc:  
Subject: Re: kern/167266: commit references a PR
Date: Fri, 27 Apr 2012 20:23:35 +0000 (UTC)

 Author: rmacklem
 Date: Fri Apr 27 20:23:24 2012
 New Revision: 234740
 URL: http://svn.freebsd.org/changeset/base/234740
 
 Log:
   Fix a leak of namei lookup path buffers that occurs when a
   ZFS volume is exported via the new NFS server. The leak occurred
   because the new NFS server code didn't handle the case where
   a file system sets the SAVENAME flag in its VOP_LOOKUP() and
   ZFS does this for the DELETE case.
   
   Tested by:	Oliver Brandmueller (ob at gruft.de), hrs
   PR:		kern/167266
   MFC after:	1 month
 
 Modified:
   head/sys/fs/nfsserver/nfs_nfsdport.c
 
 Modified: head/sys/fs/nfsserver/nfs_nfsdport.c
 ==============================================================================
 --- head/sys/fs/nfsserver/nfs_nfsdport.c	Fri Apr 27 20:16:20 2012	(r234739)
 +++ head/sys/fs/nfsserver/nfs_nfsdport.c	Fri Apr 27 20:23:24 2012	(r234740)
 @@ -1047,6 +1047,8 @@ nfsvno_removesub(struct nameidata *ndp, 
  	else
  		vput(ndp->ni_dvp);
  	vput(vp);
 +	if ((ndp->ni_cnd.cn_flags & SAVENAME) != 0)
 +		nfsvno_relpathbuf(ndp);
  	NFSEXITCODE(error);
  	return (error);
  }
 @@ -1086,6 +1088,8 @@ out:
  	else
  		vput(ndp->ni_dvp);
  	vput(vp);
 +	if ((ndp->ni_cnd.cn_flags & SAVENAME) != 0)
 +		nfsvno_relpathbuf(ndp);
  	NFSEXITCODE(error);
  	return (error);
  }
 _______________________________________________
 svn-src-all@freebsd.org mailing list
 http://lists.freebsd.org/mailman/listinfo/svn-src-all
 To unsubscribe, send any mail to "svn-src-all-unsubscribe@freebsd.org"
 
State-Changed-From-To: open->closed 
State-Changed-By: rmacklem 
State-Changed-When: Tue May 29 13:55:17 UTC 2012 
State-Changed-Why:  

Fix is in head as r234740 and has been MFC'd to stable/9 
and stable/8 as r236134 and r236147 respectively. 

http://www.freebsd.org/cgi/query-pr.cgi?pr=167266 
>Unformatted:
