
Commit 7f709a48 authored by Trond Myklebust's avatar Trond Myklebust

NFSv4: Fix an oopsable condition in nfs_free_seqid



 Storing a pointer to the struct rpc_task in the nfs_seqid is broken
 since the nfs_seqid may be freed well after the task has been destroyed.

 Signed-off-by: default avatarTrond Myklebust <Trond.Myklebust@netapp.com>
parent cb1f7be7
+0 −1
@@ -112,7 +112,6 @@ struct nfs_seqid_counter {
struct nfs_seqid {
	struct list_head list;
	struct nfs_seqid_counter *sequence;
	struct rpc_task *task;
};

static inline void nfs_confirm_seqid(struct nfs_seqid_counter *seqid, int status)
+1 −8
@@ -676,7 +676,6 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter)
	new = kmalloc(sizeof(*new), GFP_KERNEL);
	if (new != NULL) {
		new->sequence = counter;
		new->task = NULL;
		spin_lock(&sequence->lock);
		list_add_tail(&new->list, &sequence->list);
		spin_unlock(&sequence->lock);
@@ -687,15 +686,10 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter)
void nfs_free_seqid(struct nfs_seqid *seqid)
{
	struct rpc_sequence *sequence = seqid->sequence->sequence;
	struct rpc_task *next = NULL;

	spin_lock(&sequence->lock);
	list_del(&seqid->list);
	if (!list_empty(&sequence->list)) {
		next = list_entry(sequence->list.next, struct nfs_seqid, list)->task;
		if (next)
			rpc_wake_up_task(next);
	}
	rpc_wake_up(&sequence->wait);
	spin_unlock(&sequence->lock);
	kfree(seqid);
}
@@ -754,7 +748,6 @@ int nfs_wait_on_sequence(struct nfs_seqid *seqid, struct rpc_task *task)

	spin_lock(&sequence->lock);
	if (sequence->list.next != &seqid->list) {
		seqid->task = task;
		rpc_sleep_on(&sequence->wait, task, NULL, NULL);
		status = -EAGAIN;
	}
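Review bot: The `rpc_wake_up(&sequence->wait)` call in nfs_free_seqid has no comment explaining why every waiter is woken rather than only the owner of the new list head, and that invariant is what keeps the dangling-pointer fix correct. The +/- markers are lost on this page, but going by the 1 addition / 8 deletions count it appears the per-seqid `task` pointer is gone and this broadcast wake replaces it, so each woken task has to re-enter nfs_wait_on_sequence and re-check `sequence->list.next != &seqid->list` before it proceeds. I would add above the call: `/* Wake all waiters: no task pointer is kept per seqid (it could outlive the task), so each waiter re-checks its queue position in nfs_wait_on_sequence() */`. The body of nfs_wait_on_sequence starts and ends outside the last hunk, so whether every caller retries on -EAGAIN cannot be confirmed from what is shown here.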