summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTrond Myklebust <Trond.Myklebust@netapp.com>2005-10-19 10:19:39 +0400
committerTrond Myklebust <Trond.Myklebust@netapp.com>2005-10-19 10:19:39 +0400
commit7f709a48fa798cfa0f2f777c8752e12995054f78 (patch)
treefde5f4b4918205ba4c547ecaac95acbc8a37caa0
parentcb1f7be73b6f708d4f4ce225a3bbc02908b729e4 (diff)
downloadlinux-7f709a48fa798cfa0f2f777c8752e12995054f78.tar.xz
NFSv4: Fix an oopsable condition in nfs_free_seqid
Storing a pointer to the struct rpc_task in the nfs_seqid is broken since the nfs_seqid may be freed well after the task has been destroyed. Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
-rw-r--r--fs/nfs/nfs4_fs.h1
-rw-r--r--fs/nfs/nfs4state.c9
2 files changed, 1 insertions, 9 deletions
diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
index 8a3788199052..45bff1d1a513 100644
--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -112,7 +112,6 @@ struct nfs_seqid_counter {
struct nfs_seqid {
struct list_head list;
struct nfs_seqid_counter *sequence;
- struct rpc_task *task;
};
static inline void nfs_confirm_seqid(struct nfs_seqid_counter *seqid, int status)
diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index 23834c8fb740..da0861db57fb 100644
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -676,7 +676,6 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter)
new = kmalloc(sizeof(*new), GFP_KERNEL);
if (new != NULL) {
new->sequence = counter;
- new->task = NULL;
spin_lock(&sequence->lock);
list_add_tail(&new->list, &sequence->list);
spin_unlock(&sequence->lock);
@@ -687,15 +686,10 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter)
void nfs_free_seqid(struct nfs_seqid *seqid)
{
struct rpc_sequence *sequence = seqid->sequence->sequence;
- struct rpc_task *next = NULL;
spin_lock(&sequence->lock);
list_del(&seqid->list);
- if (!list_empty(&sequence->list)) {
- next = list_entry(sequence->list.next, struct nfs_seqid, list)->task;
- if (next)
- rpc_wake_up_task(next);
- }
+ rpc_wake_up(&sequence->wait);
spin_unlock(&sequence->lock);
kfree(seqid);
}
@@ -754,7 +748,6 @@ int nfs_wait_on_sequence(struct nfs_seqid *seqid, struct rpc_task *task)
spin_lock(&sequence->lock);
if (sequence->list.next != &seqid->list) {
- seqid->task = task;
rpc_sleep_on(&sequence->wait, task, NULL, NULL);
status = -EAGAIN;
}