提交 60810e54 编写于 作者: K Kinglong Mee 提交者: J. Bruce Fields

NFSD: Fix a memory leak in nfsd4_create_session

If a failure occurs after calling alloc_session but before init_session, nfsd will call __free_session to
free se_slots in the session. But session->se_fchannel.maxreqs is not initialized yet (its value is zero),
so the memory allocated for the slots is leaked in free_session_slots because maxreqs is zero.

This patch sets the channel information in alloc_session once allocating the slots has succeeded,
instead of in init_session.
Signed-off-by: NKinglong Mee <kinglongmee@gmail.com>
Signed-off-by: NJ. Bruce Fields <bfields@redhat.com>
上级 0fdc2678
...@@ -832,10 +832,11 @@ static void nfsd4_put_drc_mem(struct nfsd4_channel_attrs *ca) ...@@ -832,10 +832,11 @@ static void nfsd4_put_drc_mem(struct nfsd4_channel_attrs *ca)
spin_unlock(&nfsd_drc_lock); spin_unlock(&nfsd_drc_lock);
} }
static struct nfsd4_session *alloc_session(struct nfsd4_channel_attrs *attrs) static struct nfsd4_session *alloc_session(struct nfsd4_channel_attrs *fattrs,
struct nfsd4_channel_attrs *battrs)
{ {
int numslots = attrs->maxreqs; int numslots = fattrs->maxreqs;
int slotsize = slot_bytes(attrs); int slotsize = slot_bytes(fattrs);
struct nfsd4_session *new; struct nfsd4_session *new;
int mem, i; int mem, i;
...@@ -852,6 +853,10 @@ static struct nfsd4_session *alloc_session(struct nfsd4_channel_attrs *attrs) ...@@ -852,6 +853,10 @@ static struct nfsd4_session *alloc_session(struct nfsd4_channel_attrs *attrs)
if (!new->se_slots[i]) if (!new->se_slots[i])
goto out_free; goto out_free;
} }
memcpy(&new->se_fchannel, fattrs, sizeof(struct nfsd4_channel_attrs));
memcpy(&new->se_bchannel, battrs, sizeof(struct nfsd4_channel_attrs));
return new; return new;
out_free: out_free:
while (i--) while (i--)
...@@ -997,10 +1002,7 @@ static void init_session(struct svc_rqst *rqstp, struct nfsd4_session *new, stru ...@@ -997,10 +1002,7 @@ static void init_session(struct svc_rqst *rqstp, struct nfsd4_session *new, stru
list_add(&new->se_perclnt, &clp->cl_sessions); list_add(&new->se_perclnt, &clp->cl_sessions);
spin_unlock(&clp->cl_lock); spin_unlock(&clp->cl_lock);
spin_unlock(&nn->client_lock); spin_unlock(&nn->client_lock);
memcpy(&new->se_fchannel, &cses->fore_channel,
sizeof(struct nfsd4_channel_attrs));
memcpy(&new->se_bchannel, &cses->back_channel,
sizeof(struct nfsd4_channel_attrs));
if (cses->flags & SESSION4_BACK_CHAN) { if (cses->flags & SESSION4_BACK_CHAN) {
struct sockaddr *sa = svc_addr(rqstp); struct sockaddr *sa = svc_addr(rqstp);
/* /*
...@@ -1922,7 +1924,7 @@ nfsd4_create_session(struct svc_rqst *rqstp, ...@@ -1922,7 +1924,7 @@ nfsd4_create_session(struct svc_rqst *rqstp,
if (status) if (status)
goto out_release_drc_mem; goto out_release_drc_mem;
status = nfserr_jukebox; status = nfserr_jukebox;
new = alloc_session(&cr_ses->fore_channel); new = alloc_session(&cr_ses->fore_channel, &cr_ses->back_channel);
if (!new) if (!new)
goto out_release_drc_mem; goto out_release_drc_mem;
conn = alloc_conn_from_crses(rqstp, cr_ses); conn = alloc_conn_from_crses(rqstp, cr_ses);
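Review bot: The two memcpy calls added at the end of alloc_session (second hunk) carry an invariant that nothing in the code states. Per the commit message, free_session_slots uses se_fchannel.maxreqs as its bound, so the field has to be set once every se_slots entry exists and has to match the numslots read at the top of the function. A short comment above the copies would keep a later refactor from moving them back into init_session and reintroducing the leak, for example `/* free_session_slots() walks se_fchannel.maxreqs entries; record the attrs only after all slots are allocated */`. As a style point, struct assignment (`new->se_fchannel = *fattrs;` and `new->se_bchannel = *battrs;`) would let the compiler check the types, which memcpy with a hand-written sizeof does not. The body of alloc_session starts and ends outside the hunks shown, so the allocation size computation and the rest of the out_free path are not visible here.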