diff options
author | Trond Myklebust <Trond.Myklebust@netapp.com> | 2005-10-19 02:19:39 -0400 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2005-10-19 02:19:39 -0400 |
commit | 7f709a48fa798cfa0f2f777c8752e12995054f78 (patch) | |
tree | fde5f4b4918205ba4c547ecaac95acbc8a37caa0 | |
parent | cb1f7be73b6f708d4f4ce225a3bbc02908b729e4 (diff) |
NFSv4: Fix an oopsable condition in nfs_free_seqid
Storing a pointer to the struct rpc_task in the nfs_seqid is broken
since the nfs_seqid may be freed well after the task has been destroyed.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r-- | fs/nfs/nfs4_fs.h | 1 | ||||
-rw-r--r-- | fs/nfs/nfs4state.c | 9 |
2 files changed, 1 insertions, 9 deletions
diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h index 8a3788199052..45bff1d1a513 100644 --- a/fs/nfs/nfs4_fs.h +++ b/fs/nfs/nfs4_fs.h | |||
@@ -112,7 +112,6 @@ struct nfs_seqid_counter { | |||
112 | struct nfs_seqid { | 112 | struct nfs_seqid { |
113 | struct list_head list; | 113 | struct list_head list; |
114 | struct nfs_seqid_counter *sequence; | 114 | struct nfs_seqid_counter *sequence; |
115 | struct rpc_task *task; | ||
116 | }; | 115 | }; |
117 | 116 | ||
118 | static inline void nfs_confirm_seqid(struct nfs_seqid_counter *seqid, int status) | 117 | static inline void nfs_confirm_seqid(struct nfs_seqid_counter *seqid, int status) |
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c index 23834c8fb740..da0861db57fb 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c | |||
@@ -676,7 +676,6 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter) | |||
676 | new = kmalloc(sizeof(*new), GFP_KERNEL); | 676 | new = kmalloc(sizeof(*new), GFP_KERNEL); |
677 | if (new != NULL) { | 677 | if (new != NULL) { |
678 | new->sequence = counter; | 678 | new->sequence = counter; |
679 | new->task = NULL; | ||
680 | spin_lock(&sequence->lock); | 679 | spin_lock(&sequence->lock); |
681 | list_add_tail(&new->list, &sequence->list); | 680 | list_add_tail(&new->list, &sequence->list); |
682 | spin_unlock(&sequence->lock); | 681 | spin_unlock(&sequence->lock); |
@@ -687,15 +686,10 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter) | |||
687 | void nfs_free_seqid(struct nfs_seqid *seqid) | 686 | void nfs_free_seqid(struct nfs_seqid *seqid) |
688 | { | 687 | { |
689 | struct rpc_sequence *sequence = seqid->sequence->sequence; | 688 | struct rpc_sequence *sequence = seqid->sequence->sequence; |
690 | struct rpc_task *next = NULL; | ||
691 | 689 | ||
692 | spin_lock(&sequence->lock); | 690 | spin_lock(&sequence->lock); |
693 | list_del(&seqid->list); | 691 | list_del(&seqid->list); |
694 | if (!list_empty(&sequence->list)) { | 692 | rpc_wake_up(&sequence->wait); |
695 | next = list_entry(sequence->list.next, struct nfs_seqid, list)->task; | ||
696 | if (next) | ||
697 | rpc_wake_up_task(next); | ||
698 | } | ||
699 | spin_unlock(&sequence->lock); | 693 | spin_unlock(&sequence->lock); |
700 | kfree(seqid); | 694 | kfree(seqid); |
701 | } | 695 | } |
@@ -754,7 +748,6 @@ int nfs_wait_on_sequence(struct nfs_seqid *seqid, struct rpc_task *task) | |||
754 | 748 | ||
755 | spin_lock(&sequence->lock); | 749 | spin_lock(&sequence->lock); |
756 | if (sequence->list.next != &seqid->list) { | 750 | if (sequence->list.next != &seqid->list) { |
757 | seqid->task = task; | ||
758 | rpc_sleep_on(&sequence->wait, task, NULL, NULL); | 751 | rpc_sleep_on(&sequence->wait, task, NULL, NULL); |
759 | status = -EAGAIN; | 752 | status = -EAGAIN; |
760 | } | 753 | } |