Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / msm-4.9 / 5ae67c4fee869c9b3c87b727a9ea511b6326b834^! / . / fs / nfs / nfs4proc.c
commit5ae67c4fee869c9b3c87b727a9ea511b6326b834[log] [tgz]
authorTrond Myklebust <Trond.Myklebust@netapp.com>Mon Mar 19 16:17:18 2012 -0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>Tue Mar 20 13:08:25 2012 -0400
tree68fe22b71462c6e13eff3a6d637b79371c77441e
parentc4f1b62a4b50a01e8d820717906b674807ef9ca3 [diff] [blame]
NFSv4: It is not safe to dereference lsp->ls_state in release_lockowner

It is quite possible for the release_lockowner RPC call to race with the
close RPC call, in which case, we cannot dereference lsp->ls_state in
order to find the nfs_server.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 5e0961a..d41d97f 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c

@@ -4760,13 +4760,14 @@
 
 struct nfs_release_lockowner_data {
 	struct nfs4_lock_state *lsp;
+	struct nfs_server *server;
 	struct nfs_release_lockowner_args args;
 };
 
 static void nfs4_release_lockowner_release(void *calldata)
 {
 	struct nfs_release_lockowner_data *data = calldata;
-	nfs4_free_lock_state(data->lsp);
+	nfs4_free_lock_state(data->server, data->lsp);
 	kfree(calldata);
 }
 
@@ -4788,6 +4789,7 @@
 	if (!data)
 		return -ENOMEM;
 	data->lsp = lsp;
+	data->server = server;
 	data->args.lock_owner.clientid = server->nfs_client->cl_clientid;
 	data->args.lock_owner.id = lsp->ls_seqid.owner_id;
 	data->args.lock_owner.s_dev = server->s_dev;