Commit c18c821f authored Jun 29, 2010 by Boaz Harrosh Committed by J. Bruce Fields Aug 06, 2010

nfsd41: Fix a crash when a callback is retried



If a callback is retried at nfsd4_cb_recall_done() due to
some error, the returned rpc reply crashes here:

@@ -514,6 +514,7 @@ decode_cb_sequence(struct xdr_stream *xdr, struct nfsd4_cb_sequence *res,
 	u32 dummy;
 	__be32 *p;

 +	BUG_ON(!res);
 	if (res->cbs_minorversion == 0)
 		return 0;

[BUG_ON added for demonstration]

This is because the nfsd4_cb_done_sequence() has NULLed out
the task->tk_msg.rpc_resp pointer.

Also eventually the rpc would use the new slot without making
sure it is free by calling nfsd41_cb_setup_sequence().

This problem was introduced by a 4.1 protocol addition patch:
	[0421b5c5] nfsd41: Backchannel: Implement cb_recall over NFSv4.1

Which was overlooking the possibility of an RPC callback retries.
For not-4.1 case redoing the _prepare is harmless.

Signed-off-by: Boaz Harrosh <bharrosh@panasas.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

parent 774f8bbd

fs/nfsd/nfs4callback.c

+1 −1

Original line number	Original line	Diff line number	Diff line
	@@ -697,7 +697,7 @@ static void nfsd4_cb_recall_done(struct rpc_task task, void calldata)
	if (dp->dl_retries--) {		if (dp->dl_retries--) {
	rpc_delay(task, 2*HZ);		rpc_delay(task, 2*HZ);
	task->tk_status = 0;		task->tk_status = 0;
	rpc_restart_call(task);		rpc_restart_call_prepare(task);
	return;		return;
	} else {		} else {
	atomic_set(&clp->cl_cb_set, 0);		atomic_set(&clp->cl_cb_set, 0);