From owner-freebsd-bugs@FreeBSD.ORG Wed Nov 25 02:30:02 2009 Return-Path: Delivered-To: freebsd-bugs@hub.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id BA874106568D for ; Wed, 25 Nov 2009 02:30:02 +0000 (UTC) (envelope-from gnats@FreeBSD.org) Received: from freefall.freebsd.org (freefall.freebsd.org [IPv6:2001:4f8:fff6::28]) by mx1.freebsd.org (Postfix) with ESMTP id 7D4538FC1D for ; Wed, 25 Nov 2009 02:30:02 +0000 (UTC) Received: from freefall.freebsd.org (localhost [127.0.0.1]) by freefall.freebsd.org (8.14.3/8.14.3) with ESMTP id nAP2U2lR090246 for ; Wed, 25 Nov 2009 02:30:02 GMT (envelope-from gnats@freefall.freebsd.org) Received: (from gnats@localhost) by freefall.freebsd.org (8.14.3/8.14.3/Submit) id nAP2U2ZP090243; Wed, 25 Nov 2009 02:30:02 GMT (envelope-from gnats) Resent-Date: Wed, 25 Nov 2009 02:30:02 GMT Resent-Message-Id: <200911250230.nAP2U2ZP090243@freefall.freebsd.org> Resent-From: FreeBSD-gnats-submit@FreeBSD.org (GNATS Filer) Resent-To: freebsd-bugs@FreeBSD.org Resent-Reply-To: FreeBSD-gnats-submit@FreeBSD.org, Ted Faber , jhickey@isi.edu, mikeryan@isi.edu Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2001:4f8:fff6::34]) by hub.freebsd.org (Postfix) with ESMTP id 03C9C1065696 for ; Wed, 25 Nov 2009 02:29:42 +0000 (UTC) (envelope-from faber@zod.isi.edu) Received: from zod.isi.edu (zod.isi.edu [128.9.168.221]) by mx1.freebsd.org (Postfix) with ESMTP id E1D5F8FC1A for ; Wed, 25 Nov 2009 02:29:41 +0000 (UTC) Received: from zod.isi.edu (localhost [127.0.0.1]) by zod.isi.edu (8.14.3/8.14.3) with ESMTP id nAP251Qg087285; Tue, 24 Nov 2009 18:05:01 -0800 (PST) (envelope-from faber@zod.isi.edu) Received: (from faber@localhost) by zod.isi.edu (8.14.3/8.14.3/Submit) id nAP251e3087284; Tue, 24 Nov 2009 18:05:01 -0800 (PST) (envelope-from faber) Message-Id: <200911250205.nAP251e3087284@zod.isi.edu> Date: Tue, 24 Nov 2009 18:05:01 -0800 (PST) From: Ted Faber To: FreeBSD-gnats-submit@FreeBSD.org X-Send-Pr-Version: 3.113 Cc: mikeryan@isi.edu, jhickey@isi.edu Subject: kern/140853: NFSv2 remove calls fail to send error replies (memory leak!) X-BeenThere: freebsd-bugs@freebsd.org X-Mailman-Version: 2.1.5 Precedence: list Reply-To: Ted Faber , jhickey@isi.edu, mikeryan@isi.edu List-Id: Bug reports List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Wed, 25 Nov 2009 02:30:03 -0000 >Number: 140853 >Category: kern >Synopsis: NFSv2 remove calls fail to send error replies (memory leak!) >Confidential: no >Severity: serious >Priority: medium >Responsible: freebsd-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: sw-bug >Submitter-Id: current-users >Arrival-Date: Wed Nov 25 02:30:02 UTC 2009 >Closed-Date: >Last-Modified: >Originator: Ted Faber >Release: FreeBSD 7.2-STABLE i386 >Organization: USC/ISI >Environment: System: FreeBSD zod.isi.edu 7.2-STABLE FreeBSD 7.2-STABLE #9: Fri Oct 16 13:39:11 PDT 2009 root@zod.isi.edu:/usr/obj/usr/src/sys/GENERIC i386 As far as I can see this code (/sys/nfsserver/nfs_serv.c) is unchanged through current (CVS 1.195.2.3.2.1), so it should be patched accross FreeBSD 7 through 9. >Description: NFS remove operations that encounter errors do not generate replies. The replies remain in memory and gradually run the machine out of kernel memory. The because no error reply is sent failing requests continue to be resent, making memory exhaustion more likely. The low level problem is that the error variable is not cleared in nfsrv_remove as it is in other routines. It's one line to fix. >How-To-Repeat: Starting a directory delete and rebooting the server should exhibit the problem. We sent captured NFS packets to the server, and these are available on request. An incorrectly handled remove operation will increment both the Server Ret-Failed and Server Faults lines in nfsstats on the server. umastats can directly show the leak. >Fix: patch against nfs_serv.c follows: --- nfs_serv.c.orig 2009-07-27 08:39:10.000000000 -0700 +++ nfs_serv.c 2009-11-24 17:45:28.000000000 -0800 @@ -2221,8 +2221,8 @@ nfsm_reply(NFSX_WCCDATA(v3)); if (v3) { nfsm_srvwcc_data(dirfor_ret, &dirfor, diraft_ret, &diraft); - error = 0; } + error = 0; nfsmout: NDFREE(&nd, NDF_ONLY_PNBUF); if (nd.ni_dvp) { >Release-Note: >Audit-Trail: >Unformatted: