aboutsummaryrefslogtreecommitdiffstats
path: root/net
diff options
context:
space:
mode:
authorJ. Bruce Fields <bfields@redhat.com>2011-06-29 16:49:04 -0400
committerJ. Bruce Fields <bfields@redhat.com>2011-07-15 18:58:46 -0400
commitebc63e531cc6a457595dd110b07ac530eae788c3 (patch)
tree36f0775d56a045f54389dc7559e0ce3b5295a5e5 /net
parent058c5c99999609e3de7e15b49049665f02d06577 (diff)
svcrpc: fix list-corrupting race on nfsd shutdown
After commit 3262c816a3d7fb1eaabce633caa317887ed549ae "[PATCH] knfsd: split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no longer removed its xpt_ready (then sk_ready) field from whatever list it was on, noting that there was no point since the whole list was about to be destroyed anyway. That was mostly true, but forgot that a few svc_xprt_enqueue()'s might still be hanging around playing with the about-to-be-destroyed list, and could get themselves into trouble writing to freed memory if we left this xprt on the list after freeing it. (This is actually functionally identical to a patch made first by Ben Greear, but with more comments.) Cc: stable@kernel.org Cc: gnb@fmeh.org Reported-by: Ben Greear <greearb@candelatech.com> Tested-by: Ben Greear <greearb@candelatech.com> Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Diffstat (limited to 'net')
-rw-r--r--net/sunrpc/svc_xprt.c11
1 files changed, 6 insertions, 5 deletions
diff --git a/net/sunrpc/svc_xprt.c b/net/sunrpc/svc_xprt.c
index ab86b7927f84..bd31208bbb61 100644
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -902,12 +902,13 @@ void svc_delete_xprt(struct svc_xprt *xprt)
902 if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags)) 902 if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags))
903 list_del_init(&xprt->xpt_list); 903 list_del_init(&xprt->xpt_list);
904 /* 904 /*
905 * We used to delete the transport from whichever list 905 * The only time we're called while xpt_ready is still on a list
906 * it's sk_xprt.xpt_ready node was on, but we don't actually 906 * is while the list itself is about to be destroyed (in
907 * need to. This is because the only time we're called 907 * svc_destroy). BUT svc_xprt_enqueue could still be attempting
908 * while still attached to a queue, the queue itself 908 * to add new entries to the sp_sockets list, so we can't leave
909 * is about to be destroyed (in svc_destroy). 909 * a freed xprt on it.
910 */ 910 */
911 list_del_init(&xprt->xpt_ready);
911 if (test_bit(XPT_TEMP, &xprt->xpt_flags)) 912 if (test_bit(XPT_TEMP, &xprt->xpt_flags))
912 serv->sv_tmpcnt--; 913 serv->sv_tmpcnt--;
913 spin_unlock_bh(&serv->sv_lock); 914 spin_unlock_bh(&serv->sv_lock);