NFSv4: It is not safe to dereference lsp->ls_state in release_lockowner
It is quite possible for the release_lockowner RPC call to race with the close RPC call, in which case we cannot dereference lsp->ls_state in order to find the nfs_server.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
@@ -340,7 +340,7 @@ extern void nfs_increment_lock_seqid(int status, struct nfs_seqid *seqid);
extern void nfs_release_seqid(struct nfs_seqid *seqid);
extern void nfs_release_seqid(struct nfs_seqid *seqid);
extern void nfs_free_seqid(struct nfs_seqid *seqid);
extern void nfs_free_seqid(struct nfs_seqid *seqid);
extern void nfs4_free_lock_state(struct nfs4_lock_state *lsp);
extern void nfs4_free_lock_state(struct nfs_server *server, struct nfs4_lock_state *lsp);
extern const nfs4_stateid zero_stateid;
extern const nfs4_stateid zero_stateid;
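Review bot: The new prototype `extern void nfs4_free_lock_state(struct nfs_server *server, struct nfs4_lock_state *lsp);` gives no hint why the caller now has to hand over the server, and that reason is the whole point of the change. A short comment above the declaration, e.g. `/* @server is passed explicitly: lsp->ls_state may already be torn down when release_lockowner races with close */`, would stop a future caller from reintroducing `lsp->ls_state->owner->so_server` at a point where the state may be gone. The same remark applies to the definition in the nfs4_free_lock_state() hunk further down.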
@@ -4760,13 +4760,14 @@ out:
struct nfs_release_lockowner_data {
struct nfs_release_lockowner_data {
struct nfs4_lock_state *lsp;
struct nfs4_lock_state *lsp;
struct nfs_server *server;
struct nfs_release_lockowner_args args;
struct nfs_release_lockowner_args args;
};
};
static void nfs4_release_lockowner_release(void *calldata)
static void nfs4_release_lockowner_release(void *calldata)
{
{
struct nfs_release_lockowner_data *data = calldata;
struct nfs_release_lockowner_data *data = calldata;
nfs4_free_lock_state(data->lsp);
nfs4_free_lock_state(data->server, data->lsp);
kfree(calldata);
kfree(calldata);
}
}
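Review bot: The new `server` member of `struct nfs_release_lockowner_data` is read from the RPC release callback, so the `struct nfs_server` it points to must stay alive until the asynchronous RELEASE_LOCKOWNER call completes; nothing in this hunk, nor in the `data->server = server;` assignment in the next hunk, shows what pins it. If the server can be torn down first, the dangling pointer has only moved from `lsp->ls_state` to `data->server`. That is very likely guaranteed by the surrounding code, but it deserves a comment on the field, e.g. `struct nfs_server *server; /* kept alive by [what pins it] until the RPC completes */`, with the bracketed part filled in.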
@@ -4788,6 +4789,7 @@ int nfs4_release_lockowner(struct nfs4_lock_state *lsp)
if (!data)
if (!data)
return -ENOMEM;
return -ENOMEM;
data->lsp = lsp;
data->lsp = lsp;
data->server = server;
data->args.lock_owner.clientid = server->nfs_client->cl_clientid;
data->args.lock_owner.clientid = server->nfs_client->cl_clientid;
data->args.lock_owner.id = lsp->ls_seqid.owner_id;
data->args.lock_owner.id = lsp->ls_seqid.owner_id;
data->args.lock_owner.s_dev = server->s_dev;
data->args.lock_owner.s_dev = server->s_dev;
@@ -791,10 +791,8 @@ out_free:
return NULL;
return NULL;
}
}
void nfs4_free_lock_state(struct nfs4_lock_state *lsp)
void nfs4_free_lock_state(struct nfs_server *server, struct nfs4_lock_state *lsp)
{
{
struct nfs_server *server = lsp->ls_state->owner->so_server;
ida_simple_remove(&server->lockowner_id, lsp->ls_seqid.owner_id);
ida_simple_remove(&server->lockowner_id, lsp->ls_seqid.owner_id);
nfs4_destroy_seqid_counter(&lsp->ls_seqid);
nfs4_destroy_seqid_counter(&lsp->ls_seqid);
kfree(lsp);
kfree(lsp);
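Review bot: `nfs4_free_lock_state()` now trusts the caller's `server` argument in place of the removed `lsp->ls_state->owner->so_server` lookup, but nothing documents that contract or why it changed; the function's closing brace is outside the hunk. A kernel-doc style comment above the definition should say that @server must be the nfs_server that owns `lsp->ls_seqid.owner_id` (it is what `ida_simple_remove(&server->lockowner_id, ...)` releases into), and that it is a separate parameter because `lsp->ls_state` is not safe to dereference once close has raced with release_lockowner. Without that, the next reader has to reconstruct the reason from the commit message.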
@@ -828,7 +826,7 @@ static struct nfs4_lock_state *nfs4_get_lock_state(struct nfs4_state *state, fl_
}
}
spin_unlock(&state->state_lock);
spin_unlock(&state->state_lock);
if (new != NULL)
if (new != NULL)
nfs4_free_lock_state(new);
nfs4_free_lock_state(state->owner->so_server, new);
return lsp;
return lsp;
}
}
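Review bot: `nfs4_free_lock_state(state->owner->so_server, new);` is called after `spin_unlock(&state->state_lock)`; since `state` is the caller's own parameter this looks safe, but the `->owner->so_server` chain is now spelled out here and again in `nfs4_put_lock_state()` in the next hunk. A local near the top of the function, `struct nfs_server *server = state->owner->so_server;`, would keep the free call short and make it obvious that the server comes from `state`, not from the discarded `new`. The start of `nfs4_get_lock_state()` is outside the hunk.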
@@ -853,7 +851,7 @@ void nfs4_put_lock_state(struct nfs4_lock_state *lsp)
if (nfs4_release_lockowner(lsp) == 0)
if (nfs4_release_lockowner(lsp) == 0)
return;
return;
}
}
nfs4_free_lock_state(lsp);
nfs4_free_lock_state(lsp->ls_state->owner->so_server, lsp);
}
}
static void nfs4_fl_copy_lock(struct file_lock *dst, struct file_lock *src)
static void nfs4_fl_copy_lock(struct file_lock *dst, struct file_lock *src)
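Review bot: The synchronous fallback `nfs4_free_lock_state(lsp->ls_state->owner->so_server, lsp);` still dereferences `lsp->ls_state`, which is exactly the access the commit message calls unsafe on the asynchronous path. It is presumably fine here because this runs in the context that is dropping the lock state itself, not from an RPC completion that can race with close, but that reasoning is not visible in the hunk. A one-line comment above the call, e.g. `/* ls_state is still valid here: this is not the async RPC release path */`, would record why this dereference is allowed while the one in nfs4_release_lockowner_release() was not. The start of `nfs4_put_lock_state()` is outside the hunk.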