diff options
author | Trond Myklebust <Trond.Myklebust@netapp.com> | 2005-10-18 23:19:39 -0700 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2005-10-18 23:19:39 -0700 |
commit | 7f709a48fa798cfa0f2f777c8752e12995054f78 (patch) | |
tree | fde5f4b4918205ba4c547ecaac95acbc8a37caa0 | |
parent | cb1f7be73b6f708d4f4ce225a3bbc02908b729e4 (diff) | |
download | op-kernel-dev-7f709a48fa798cfa0f2f777c8752e12995054f78.zip op-kernel-dev-7f709a48fa798cfa0f2f777c8752e12995054f78.tar.gz |
NFSv4: Fix an oopsable condition in nfs_free_seqid
Storing a pointer to the struct rpc_task in the nfs_seqid is broken
since the nfs_seqid may be freed well after the task has been destroyed.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r-- | fs/nfs/nfs4_fs.h | 1 | ||||
-rw-r--r-- | fs/nfs/nfs4state.c | 9 |
2 files changed, 1 insertions, 9 deletions
diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h index 8a37881..45bff1d 100644 --- a/fs/nfs/nfs4_fs.h +++ b/fs/nfs/nfs4_fs.h @@ -112,7 +112,6 @@ struct nfs_seqid_counter { struct nfs_seqid { struct list_head list; struct nfs_seqid_counter *sequence; - struct rpc_task *task; }; static inline void nfs_confirm_seqid(struct nfs_seqid_counter *seqid, int status) diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c index 23834c8..da0861d 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c @@ -676,7 +676,6 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter) new = kmalloc(sizeof(*new), GFP_KERNEL); if (new != NULL) { new->sequence = counter; - new->task = NULL; spin_lock(&sequence->lock); list_add_tail(&new->list, &sequence->list); spin_unlock(&sequence->lock); @@ -687,15 +686,10 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter) void nfs_free_seqid(struct nfs_seqid *seqid) { struct rpc_sequence *sequence = seqid->sequence->sequence; - struct rpc_task *next = NULL; spin_lock(&sequence->lock); list_del(&seqid->list); - if (!list_empty(&sequence->list)) { - next = list_entry(sequence->list.next, struct nfs_seqid, list)->task; - if (next) - rpc_wake_up_task(next); - } + rpc_wake_up(&sequence->wait); spin_unlock(&sequence->lock); kfree(seqid); } @@ -754,7 +748,6 @@ int nfs_wait_on_sequence(struct nfs_seqid *seqid, struct rpc_task *task) spin_lock(&sequence->lock); if (sequence->list.next != &seqid->list) { - seqid->task = task; rpc_sleep_on(&sequence->wait, task, NULL, NULL); status = -EAGAIN; } |