author | J. Bruce Fields <bfields@redhat.com> | 2011-06-29 16:49:04 -0400 |
---|---|---|
committer | J. Bruce Fields <bfields@redhat.com> | 2011-07-15 18:58:46 -0400 |
commit | ebc63e531cc6a457595dd110b07ac530eae788c3 (patch) | |
tree | 36f0775d56a045f54389dc7559e0ce3b5295a5e5 /net | |
parent | 058c5c99999609e3de7e15b49049665f02d06577 (diff) |
svcrpc: fix list-corrupting race on nfsd shutdown

After commit 3262c816a3d7fb1eaabce633caa317887ed549ae "[PATCH] knfsd:
split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no
longer removed its xpt_ready (then sk_ready) field from whatever list it
was on, noting that there was no point since the whole list was about to
be destroyed anyway.

That was mostly true, but forgot that a few svc_xprt_enqueue()'s might
still be hanging around playing with the about-to-be-destroyed list, and
could get themselves into trouble writing to freed memory if we left
this xprt on the list after freeing it.

(This is actually functionally identical to a patch made first by Ben
Greear, but with more comments.)

Cc: stable@kernel.org
Cc: gnb@fmeh.org
Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

Diffstat (limited to 'net')
-rw-r--r-- | net/sunrpc/svc_xprt.c | 11 |
1 files changed, 6 insertions, 5 deletions
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c index ab86b7927f84..bd31208bbb61 100644 --- a/net/sunrpc/svc_xprt.c +++ b/net/sunrpc/svc_xprt.c | |||
@@ -902,12 +902,13 @@ void svc_delete_xprt(struct svc_xprt *xprt) | |||
902 | if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags)) | 902 | if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags)) |
903 | list_del_init(&xprt->xpt_list); | 903 | list_del_init(&xprt->xpt_list); |
904 | /* | 904 | /* |
905 | * We used to delete the transport from whichever list | 905 | * The only time we're called while xpt_ready is still on a list |
906 | * it's sk_xprt.xpt_ready node was on, but we don't actually | 906 | * is while the list itself is about to be destroyed (in |
907 | * need to. This is because the only time we're called | 907 | * svc_destroy). BUT svc_xprt_enqueue could still be attempting |
908 | * while still attached to a queue, the queue itself | 908 | * to add new entries to the sp_sockets list, so we can't leave |
909 | * is about to be destroyed (in svc_destroy). | 909 | * a freed xprt on it. |
910 | */ | 910 | */ |
911 | list_del_init(&xprt->xpt_ready); | ||
911 | if (test_bit(XPT_TEMP, &xprt->xpt_flags)) | 912 | if (test_bit(XPT_TEMP, &xprt->xpt_flags)) |
912 | serv->sv_tmpcnt--; | 913 | serv->sv_tmpcnt--; |
913 | spin_unlock_bh(&serv->sv_lock); | 914 | spin_unlock_bh(&serv->sv_lock); |
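
Review bot: the added `list_del_init(&xprt->xpt_ready);` at new line 911 is serialized only by `serv->sv_lock` (released at new line 914), while the new comment names `svc_xprt_enqueue` adding to the `sp_sockets` list as the concurrent writer, and nothing in the hunk shows that path taking `sv_lock`. If `sp_sockets` is guarded by a different lock, this removal can itself interleave with an enqueue and corrupt the list it is meant to keep clean. Either take the lock that `svc_xprt_enqueue` holds around this `list_del_init`, or extend the comment to say which lock makes the removal safe and what prevents an enqueue from putting this xprt back on the list between here and the free.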