diff options
author | J. Bruce Fields <bfields@redhat.com> | 2011-03-06 19:11:03 -0500 |
---|---|---|
committer | J. Bruce Fields <bfields@redhat.com> | 2011-03-07 11:44:53 -0500 |
commit | 32b007b4e19b50ff4d27ea8b69cd6d744cfec86b (patch) | |
tree | ada73d6c52a6e9b37cbdc95d086485fdf338561a /fs | |
parent | 2c9c8f36c34e1defcaa7e4c298651998b47f5282 (diff) |
nfsd4: fix bad pointer on failure to find delegation
In case of a nonempty list, the return on error here is obviously bogus;
it ends up being a pointer to the list head instead of to any valid
delegation on the list.
In particular, if nfsd4_delegreturn() hits this case, and you're quite unlucky,
then renew_client may oops, and it may take an embarassingly long time to
figure out why. Facepalm.
BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
IP: [<ffffffff81292965>] nfsd4_delegreturn+0x125/0x200
...
Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/nfsd/nfs4state.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c index 54b60bfceb8d..7b566ec14e18 100644 --- a/fs/nfsd/nfs4state.c +++ b/fs/nfsd/nfs4state.c | |||
@@ -2445,15 +2445,16 @@ nfs4_check_delegmode(struct nfs4_delegation *dp, int flags) | |||
2445 | static struct nfs4_delegation * | 2445 | static struct nfs4_delegation * |
2446 | find_delegation_file(struct nfs4_file *fp, stateid_t *stid) | 2446 | find_delegation_file(struct nfs4_file *fp, stateid_t *stid) |
2447 | { | 2447 | { |
2448 | struct nfs4_delegation *dp = NULL; | 2448 | struct nfs4_delegation *dp; |
2449 | 2449 | ||
2450 | spin_lock(&recall_lock); | 2450 | spin_lock(&recall_lock); |
2451 | list_for_each_entry(dp, &fp->fi_delegations, dl_perfile) { | 2451 | list_for_each_entry(dp, &fp->fi_delegations, dl_perfile) |
2452 | if (dp->dl_stateid.si_stateownerid == stid->si_stateownerid) | 2452 | if (dp->dl_stateid.si_stateownerid == stid->si_stateownerid) { |
2453 | break; | 2453 | spin_unlock(&recall_lock); |
2454 | } | 2454 | return dp; |
2455 | } | ||
2455 | spin_unlock(&recall_lock); | 2456 | spin_unlock(&recall_lock); |
2456 | return dp; | 2457 | return NULL; |
2457 | } | 2458 | } |
2458 | 2459 | ||
2459 | int share_access_to_flags(u32 share_access) | 2460 | int share_access_to_flags(u32 share_access) |