提交 b4946ffb 编写于 作者: T Trond Myklebust

NFS: Fix a refcount leakage in O_DIRECT

The current code is leaking a reference to dreq->kref when the calls to
nfs_direct_read_schedule() and nfs_direct_write_schedule() return an
error.
This patch moves the call to kref_put() from nfs_direct_wait() back into
nfs_direct_read() and nfs_direct_write() (which are the functions that
actually took the reference in the first place) fixing the leak.

Thanks to Denis V. Lunev for spotting the bug and proposing the original
fix.
Acked-by: NDenis V. Lunev <dlunev@gmail.com>
Acked-by: NChuck Lever <chuck.lever@oracle.com>
Signed-off-by: NTrond Myklebust <Trond.Myklebust@netapp.com>
上级 7a74fc49
...@@ -168,7 +168,7 @@ static inline struct nfs_direct_req *nfs_direct_req_alloc(void) ...@@ -168,7 +168,7 @@ static inline struct nfs_direct_req *nfs_direct_req_alloc(void)
return dreq; return dreq;
} }
static void nfs_direct_req_release(struct kref *kref) static void nfs_direct_req_free(struct kref *kref)
{ {
struct nfs_direct_req *dreq = container_of(kref, struct nfs_direct_req, kref); struct nfs_direct_req *dreq = container_of(kref, struct nfs_direct_req, kref);
...@@ -177,6 +177,11 @@ static void nfs_direct_req_release(struct kref *kref) ...@@ -177,6 +177,11 @@ static void nfs_direct_req_release(struct kref *kref)
kmem_cache_free(nfs_direct_cachep, dreq); kmem_cache_free(nfs_direct_cachep, dreq);
} }
static void nfs_direct_req_release(struct nfs_direct_req *dreq)
{
kref_put(&dreq->kref, nfs_direct_req_free);
}
/* /*
* Collects and returns the final error value/byte-count. * Collects and returns the final error value/byte-count.
*/ */
...@@ -196,7 +201,6 @@ static ssize_t nfs_direct_wait(struct nfs_direct_req *dreq) ...@@ -196,7 +201,6 @@ static ssize_t nfs_direct_wait(struct nfs_direct_req *dreq)
result = dreq->count; result = dreq->count;
out: out:
kref_put(&dreq->kref, nfs_direct_req_release);
return (ssize_t) result; return (ssize_t) result;
} }
...@@ -214,7 +218,7 @@ static void nfs_direct_complete(struct nfs_direct_req *dreq) ...@@ -214,7 +218,7 @@ static void nfs_direct_complete(struct nfs_direct_req *dreq)
} }
complete_all(&dreq->completion); complete_all(&dreq->completion);
kref_put(&dreq->kref, nfs_direct_req_release); nfs_direct_req_release(dreq);
} }
/* /*
...@@ -369,6 +373,7 @@ static ssize_t nfs_direct_read(struct kiocb *iocb, unsigned long user_addr, size ...@@ -369,6 +373,7 @@ static ssize_t nfs_direct_read(struct kiocb *iocb, unsigned long user_addr, size
if (!result) if (!result)
result = nfs_direct_wait(dreq); result = nfs_direct_wait(dreq);
rpc_clnt_sigunmask(clnt, &oldset); rpc_clnt_sigunmask(clnt, &oldset);
nfs_direct_req_release(dreq);
return result; return result;
} }
...@@ -716,6 +721,7 @@ static ssize_t nfs_direct_write(struct kiocb *iocb, unsigned long user_addr, siz ...@@ -716,6 +721,7 @@ static ssize_t nfs_direct_write(struct kiocb *iocb, unsigned long user_addr, siz
if (!result) if (!result)
result = nfs_direct_wait(dreq); result = nfs_direct_wait(dreq);
rpc_clnt_sigunmask(clnt, &oldset); rpc_clnt_sigunmask(clnt, &oldset);
nfs_direct_req_release(dreq);
return result; return result;
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册