Re: SUNRPC: Fix a memory leak in rpc_create()

From: Stefan Lippers-Hollmann
Date: Thu Apr 17 2008 - 17:26:00 EST


Hi

On Thursday, 17 April 2008, you wrote:
> -stable review patch. If anyone has any objections, please let us know.
> ---------------------
>
> From: Chuck Lever <chuck.lever@xxxxxxxxxx>
>
> upstream commit: ed13c27e546667fb0967ae30f5070cd7f6455f90
>
> Commit 510deb0d was supposed to move the xprt_create_transport() call in
> rpc_create(), but neglected to remove the old call site. This resulted in
> a transport leak after every rpc_create() call.
>
> This leak is present in 2.6.24 and 2.6.25.
>
> Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx>
> Signed-off-by: Trond Myklebust <Trond.Myklebust@xxxxxxxxxx>
> Signed-off-by: Chris Wright <chrisw@xxxxxxxxxxxx>
> ---
>
> net/sunrpc/clnt.c | 4 ----
> 1 file changed, 4 deletions(-)
>
> --- a/net/sunrpc/clnt.c
> +++ b/net/sunrpc/clnt.c
> @@ -249,10 +249,6 @@ struct rpc_clnt *rpc_create(struct rpc_c
> };
> char servername[20];
>
> - xprt = xprt_create_transport(&xprtargs);
> - if (IS_ERR(xprt))
> - return (struct rpc_clnt *)xprt;
> -
> /*
> * If the caller chooses not to specify a hostname, whip
> * up a string representation of the passed-in address.
>
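Review bot: the hunk deletes the early xprt_create_transport() call together with its IS_ERR() error return, but the relocated call site that the commit message attributes to 510deb0d is not in the visible context, so the diff alone cannot show that xprt is assigned (and checked with IS_ERR()) before rpc_create() first dereferences it. For a -stable backport the thing to confirm is that the target tree actually contains that relocated call ahead of the first use of xprt; if it does not, this deletion leaves xprt uninitialized on the whole path, and an early-offset NULL dereference in rpc_create() like the rpc_create+0x20 oops reported later in this thread is exactly what such an ordering gap would look like.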

This patch might introduce a regression:

kjournald starting. Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
NET: Registered protocol family 17
NET: Registered protocol family 10
lo: Disabled Privacy Extensions
Bridge firewalling registered
br0: Dropping NETIF_F_UFO since no NETIF_F_HW_CSUM feature.
device eth0 entered promiscuous mode
audit(1208454819.533:2): dev=eth0 prom=256 old_prom=0 auid=4294967295
br0: port 1(eth0) entering learning state
br0: no IPv6 routers present
eth0: no IPv6 routers present
br0: topology change detected, propagating
br0: port 1(eth0) entering forwarding state
lp0: using parport0 (interrupt-driven).
lp0: console ready
ppdev: user-space parallel port driver
RPC: Registered udp transport module.
RPC: Registered tcp transport module.
Installing knfsd (copyright (C) 1996 okir@xxxxxxxxxxxx).
BUG: unable to handle kernel NULL pointer dereference at virtual address 000001c2
printing eip: f9043e90 *pde = 00000000
Oops: 0000 [#1] PREEMPT SMP
Modules linked in: nfsd lockd nfs_acl auth_rpcgss sunrpc exportfs ppdev lp ac battery bridge ipv6 af_packet nls_iso8859_1 nls_cp437 vfat fat fuse dm_crypt vboxdrv powernow_k8 freq_table snd_ens1371 gameport snd_hda_intel snd_ac97_codec ac97_bus snd_pcm_oss snd_pcm snd_mixer_oss snd_seq_dummy snd_seq_oss snd_seq_midi snd_rawmidi snd_seq_midi_event snd_seq snd_timer snd_seq_device snd soundcore button i2c_nforce2 snd_page_alloc parport_pc parport k8temp i2c_core psmouse evdev serio_raw pcspkr ext3 jbd dm_mirror dm_snapshot dm_mod sd_mod usb_storage sg sr_mod cdrom usbhid ff_memless sata_nv pata_acpi libusual ata_generic ohci1394 pata_amd forcedeth ieee1394 libata ehci_hcd ohci_hcd usbcore ssb pcmcia pcmcia_core thermal processor fan

Pid: 2874, comm: rpc.nfsd Not tainted (2.6.24-2.6.24.4.slh.6-sidux-686 #1)
EIP: 0060:[<f9043e90>] EFLAGS: 00010282 CPU: 1
EIP is at rpc_create+0x20/0x400 [sunrpc]
EAX: f90575bf EBX: 0000000a ECX: f90575bf EDX: 00000002
ESI: f76d1e20 EDI: f76d1d40 EBP: f76d1d18 ESP: f76d1cb0
DS: 007b ES: 007b FS: 00d8 GS: 0033 SS: 0068
Process rpc.nfsd (pid: 2874, ti=f76d0000 task=df8b3080 task.ti=f76d0000)
Stack: 00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000000
00000202 bae43b63 c0265a43 f76d1d3c f76d1d40 f76d1d44 f76d1d48 f76d1d4c
7d7aeed1 c39f2ca7 00000014 0000000a f76d1e20 f76d1d40 f76d1d18 f9050dda
Call Trace:
[<c0265a43>] __add_entropy_words+0x63/0x1f0
[<f9050dda>] rpcb_create+0xaa/0xb0 [sunrpc]
[<f905113d>] rpcb_register+0xfd/0x1d0 [sunrpc]
[<f904b290>] svc_register+0xa0/0x170 [sunrpc]
[<f904bb89>] __svc_create+0x179/0x1d0 [sunrpc]
[<f90ad3e0>] write_ports+0x0/0x190 [nfsd]
[<f904bc2f>] svc_create_pooled+0x4f/0x170 [sunrpc]
[<f90ac6f0>] nfsd_last_thread+0x0/0x80 [nfsd]
[<f90ac6f0>] nfsd_last_thread+0x0/0x80 [nfsd]
[<f90ad3e0>] write_ports+0x0/0x190 [nfsd]
[<f90ac543>] nfsd_create_serv+0x63/0xd0 [nfsd]
[<f90ac770>] nfsd+0x0/0x2c0 [nfsd]
[<f90ad3e0>] write_ports+0x0/0x190 [nfsd]
[<f90ad472>] write_ports+0x92/0x190 [nfsd]
[<f90ad3e0>] write_ports+0x0/0x190 [nfsd]
[<f90acf65>] nfsctl_transaction_write+0x55/0x80 [nfsd]
[<f90acf10>] nfsctl_transaction_write+0x0/0x80 [nfsd]
[<c01888e5>] vfs_write+0xb5/0x140
[<c0188f81>] sys_write+0x41/0x70
[<c010445a>] syscall_call+0x7/0xb
=======================
Code: 00 00 00 00 8d bc 27 00 00 00 00 83 ec 5c 89 6c 24 58 89 c5 89 5c 24 4c 89 74 24 50 89 7c 24 54 8b 40 14 85 c0 0f 84 37 03 00 00 <0f> b6 83 b8 01 00 00 83 c8 02 88 83 b8 01 00 00 f6 45 24 08 74
EIP: [<f9043e90>] rpc_create+0x20/0x400 [sunrpc] SS:ESP 0068:f76d1cb0
---[ end trace 602ea69c0564d8ad ]---

The kernel has been compiled with gcc 4.2.3 (current debian/ unstable) and
eth0 is part of a bridge using tun/ tap for virtualbox-ose. Neither
2.6.24.4 nor 2.6.24.5-rc1 with this patch reverted triggers this Oops.

Responses might be a little delayed, as I am relaying this report for a
user (and cannot confirm it myself); I'll ask him to test 2.6.25 tomorrow.

Regards
Stefan Lippers-Hollmann
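The two failure modes discussed in this thread, a duplicated create call that leaks a transport on every rpc_create(), and a deletion that must not leave the remaining call after the first use of xprt, reduce to an ownership-ordering problem that is easy to reproduce in userspace. The following is an added example, not kernel code and not part of this thread: struct xprt_mock, struct clnt_mock, xprt_create_transport_mock(), xprt_put_mock(), rpc_create_leaky(), rpc_create_fixed() and transports_leaked_after() are constructed stand-ins for the SUNRPC objects, and the registry that tracks live transports is a test harness, not something the kernel has.

```c
#include <stdio.h>
#include <stdlib.h>

#define MAX_LIVE 64

/* Constructed stand-in for struct rpc_xprt; only its identity matters here. */
struct xprt_mock { int id; };

/* Test-harness registry of transports created but not yet released. */
static struct xprt_mock *live[MAX_LIVE];
static int next_id;

static struct xprt_mock *xprt_create_transport_mock(void)
{
    struct xprt_mock *x = malloc(sizeof *x);
    if (!x)
        return NULL;
    x->id = ++next_id;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (!live[i]) { live[i] = x; return x; }
    }
    free(x);                 /* registry full: treat as allocation failure */
    return NULL;
}

static void xprt_put_mock(struct xprt_mock *x)
{
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i] == x) { live[i] = NULL; break; }
    }
    free(x);
}

/* Constructed stand-in for struct rpc_clnt: owns exactly one transport. */
struct clnt_mock { struct xprt_mock *xprt; };

/* Buggy shape: the leftover early call is overwritten by the relocated one,
 * so the first transport is never released (one leak per call). */
static struct clnt_mock *rpc_create_leaky(void)
{
    struct xprt_mock *xprt;
    struct clnt_mock *c = malloc(sizeof *c);
    if (!c)
        return NULL;
    xprt = xprt_create_transport_mock();        /* leftover call site */
    if (!xprt) { free(c); return NULL; }
    /* ... hostname handling and other setup that does not touch xprt ... */
    xprt = xprt_create_transport_mock();        /* relocated call site */
    if (!xprt) { free(c); return NULL; }        /* first transport lost here too */
    c->xprt = xprt;
    return c;
}

/* Fixed shape: a single create call, and it precedes the first use of xprt. */
static struct clnt_mock *rpc_create_fixed(void)
{
    struct xprt_mock *xprt;
    struct clnt_mock *c = malloc(sizeof *c);
    if (!c)
        return NULL;
    xprt = xprt_create_transport_mock();
    if (!xprt) { free(c); return NULL; }
    c->xprt = xprt;                             /* assigned before any dereference */
    return c;
}

static void rpc_shutdown_client_mock(struct clnt_mock *c)
{
    if (!c)
        return;
    xprt_put_mock(c->xprt);
    free(c);
}

/* Run n create/shutdown cycles, return how many transports are still live
 * afterwards, and release them so the registry is clean for the next run. */
static int transports_leaked_after(struct clnt_mock *(*create)(void), int n)
{
    for (int i = 0; i < n; i++)
        rpc_shutdown_client_mock(create());
    int leaked = 0;
    for (int i = 0; i < MAX_LIVE; i++) {
        if (live[i]) { leaked++; free(live[i]); live[i] = NULL; }
    }
    return leaked;
}

int main(void)
{
    printf("leaky: %d transports leaked after 10 calls\n",
           transports_leaked_after(rpc_create_leaky, 10));
    printf("fixed: %d transports leaked after 10 calls\n",
           transports_leaked_after(rpc_create_fixed, 10));
    return 0;
}
```

The harness counts objects that were created but never handed to the put path, which is the same accounting a kmemleak or slab-usage check would surface on a real kernel after repeated rpc_create() calls; the fixed variant also encodes the ordering requirement the reviewer note above is about, namely that the single surviving create call sits before the first dereference of xprt.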
