This is a note to let you know that I've just added the patch titled

    svcrpc: fix list-corrupting race on nfsd shutdown

to the 3.0-stable tree which can be found at:
    http://www.kernel.org/git/?p=linux/kernel/git/stable/stable-queue.git;a=summary

The filename of the patch is:
    svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch
and it can be found in the queue-3.0 subdirectory.

If you, or anyone else, feels it should not be added to the stable tree, please let <sta...@kernel.org> know about it.

From ebc63e531cc6a457595dd110b07ac530eae788c3 Mon Sep 17 00:00:00 2001
From: "J. Bruce Fields" <bfie...@redhat.com>
Date: Wed, 29 Jun 2011 16:49:04 -0400
Subject: svcrpc: fix list-corrupting race on nfsd shutdown

From: "J. Bruce Fields" <bfie...@redhat.com>

commit ebc63e531cc6a457595dd110b07ac530eae788c3 upstream.

After commit 3262c816a3d7fb1eaabce633caa317887ed549ae "[PATCH] knfsd: split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no longer removed its xpt_ready (then sk_ready) field from whatever list it was on, noting that there was no point since the whole list was about to be destroyed anyway.

That was mostly true, but forgot that a few svc_xprt_enqueue()'s might still be hanging around playing with the about-to-be-destroyed list, and could get themselves into trouble writing to freed memory if we left this xprt on the list after freeing it.

(This is actually functionally identical to a patch made first by Ben Greear, but with more comments.)

Cc: g...@fmeh.org
Reported-by: Ben Greear <gree...@candelatech.com>
Tested-by: Ben Greear <gree...@candelatech.com>
Signed-off-by: J. Bruce Fields <bfie...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

---
 net/sunrpc/svc_xprt.c | 11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/net/sunrpc/svc_xprt.c +++ b/net/sunrpc/svc_xprt.c 
@@ -902,12 +902,13 @@ void svc_delete_xprt(struct svc_xprt *xp if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags)) list_del_init(&xprt->xpt_list); /* - * We used to delete the transport from whichever list - * it's sk_xprt.xpt_ready node was on, but we don't actually - * need to. This is because the only time we're called - * while still attached to a queue, the queue itself - * is about to be destroyed (in svc_destroy). + * The only time we're called while xpt_ready is still on a list + * is while the list itself is about to be destroyed (in + * svc_destroy). BUT svc_xprt_enqueue could still be attempting + * to add new entries to the sp_sockets list, so we can't leave + * a freed xprt on it. */ + list_del_init(&xprt->xpt_ready); if (test_bit(XPT_TEMP, &xprt->xpt_flags)) serv->sv_tmpcnt--; spin_unlock_bh(&serv->sv_lock);

Patches currently in stable-queue which might be from bfie...@redhat.com are

queue-3.0/svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch
queue-3.0/nfsd4-remember-to-put-rw-access-on-stateid-destruction.patch
queue-3.0/nfsd-don-t-break-lease-on-claim_delegate_cur.patch
queue-3.0/nfsd4-fix-file-leak-on-open_downgrade.patch
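
Review bot: the added list_del_init(&xprt->xpt_ready) runs under serv->sv_lock (released by the spin_unlock_bh(&serv->sv_lock) two statements later), yet the new comment names svc_xprt_enqueue adding to the sp_sockets list as the concurrent writer, and nothing visible in this hunk shows that path taking sv_lock. Please state in the comment which lock serializes xpt_ready against svc_xprt_enqueue; if sp_sockets is guarded by a different lock than sv_lock, the unlink needs to be done under that lock, otherwise it can itself race with the enqueue it is meant to guard against. It would also help for the comment to say what stops svc_xprt_enqueue from putting this xprt back on the list after the list_del_init and before the free.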