autofs4 patch: autofs4_wait can leak memory
Jeff Moyer
There is a memory in the autofs4_wait function, if multiple processes are
waiting on the same queue:
name = kmalloc(NAME_MAX + 1, GFP_KERNEL);
if (!name)
return -ENOMEM;
...
if ( !wq ) {
/* Create a new wait queue */
wq = kmalloc(sizeof(struct autofs_wait_queue), GFP_KERNEL);
if ( !wq ) {
kfree(name);
up(&sbi->wq_sem);
return -ENOMEM;
}
...
wq->name = name;
...
} else {
atomic_inc(&wq->wait_ctr);
up(&sbi->wq_sem);
...
}
In the else clause, we forget to free the name we kmalloc'd above. This is
pretty easy to trigger with the following reproducer:
setup an automount map as follows:
for n in `seq 1 48`; do echo "$n server:/export/$n" >> /etc/auto.test; done
setup a master map entry to point at this:
echo "/test /etc/auto.test --timeout=1" >> /etc/auto.master
Now, assuming the nfs server was setup to export said directories, run the
following shell script in two xterms:
#!/bin/sh
while true; do
for n in `seq 1 48`; do
ls /test/$n
done
sleep 2
done
and watch the size-256 slab cache grow
Within 4 minutes, I had the size-256 cache grow to 384k. On a kernel with
the below patch applied, the size-256 remained constant during an over-night
run.
The patch is against linux-2.6.9, but it applies to 2.6.11, as well.
-Jeff
Signed-off-by: Jeff Moyer <jmo...@redhat.com>
ra...@themaw.net
> Hi,
>
> There is a memory in the autofs4_wait function, if multiple processes are
> waiting on the same queue:
>
Well done Jeff.
I'll update my retrospective patch set.
Ian
-
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majo...@vger.kernel.org
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/