NFSv4: It is not safe to dereference lsp->ls_state in release_lockowner
It is quite possible for the release_lockowner RPC call to race with the
close RPC call, in which case, we cannot dereference lsp->ls_state in
order to find the nfs_server.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 5e0961a..d41d97f 100644
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -4760,13 +4760,14 @@
struct nfs_release_lockowner_data {
struct nfs4_lock_state *lsp;
+ struct nfs_server *server;
struct nfs_release_lockowner_args args;
};
static void nfs4_release_lockowner_release(void *calldata)
{
struct nfs_release_lockowner_data *data = calldata;
- nfs4_free_lock_state(data->lsp);
+ nfs4_free_lock_state(data->server, data->lsp);
kfree(calldata);
}
@@ -4788,6 +4789,7 @@
if (!data)
return -ENOMEM;
data->lsp = lsp;
+ data->server = server;
data->args.lock_owner.clientid = server->nfs_client->cl_clientid;
data->args.lock_owner.id = lsp->ls_seqid.owner_id;
data->args.lock_owner.s_dev = server->s_dev;