This is a note to let you know that I've just added the patch titled
svcrpc: fix list-corrupting race on nfsd shutdown
to the 2.6.33-longterm tree which can be found at:
http://www.kernel.org/git/?p=linux/kernel/git/longterm/longterm-queue-2.6.33.git;a=summary
The filename of the patch is:
svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch
and it can be found in the queue-2.6.33 subdirectory.
If you, or anyone else, feels it should not be added to the 2.6.33 longterm
tree,
please let <[email protected]> know about it.
>From ebc63e531cc6a457595dd110b07ac530eae788c3 Mon Sep 17 00:00:00 2001
From: "J. Bruce Fields" <[email protected]>
Date: Wed, 29 Jun 2011 16:49:04 -0400
Subject: svcrpc: fix list-corrupting race on nfsd shutdown
From: "J. Bruce Fields" <[email protected]>
commit ebc63e531cc6a457595dd110b07ac530eae788c3 upstream.
After commit 3262c816a3d7fb1eaabce633caa317887ed549ae "[PATCH] knfsd:
split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no
longer removed its xpt_ready (then sk_ready) field from whatever list it
was on, noting that there was no point since the whole list was about to
be destroyed anyway.
That was mostly true, but forgot that a few svc_xprt_enqueue()'s might
still be hanging around playing with the about-to-be-destroyed list, and
could get themselves into trouble writing to freed memory if we left
this xprt on the list after freeing it.
(This is actually functionally identical to a patch made first by Ben
Greear, but with more comments.)
Cc: [email protected]
Reported-by: Ben Greear <[email protected]>
Tested-by: Ben Greear <[email protected]>
Signed-off-by: J. Bruce Fields <[email protected]>
Signed-off-by: Greg Kroah-Hartman <[email protected]>
---
net/sunrpc/svc_xprt.c | 11 ++++++-----
1 file changed, 6 insertions(+), 5 deletions(-)
--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -884,12 +884,13 @@ void svc_delete_xprt(struct svc_xprt *xp
if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags))
list_del_init(&xprt->xpt_list);
/*
- * We used to delete the transport from whichever list
- * it's sk_xprt.xpt_ready node was on, but we don't actually
- * need to. This is because the only time we're called
- * while still attached to a queue, the queue itself
- * is about to be destroyed (in svc_destroy).
+ * The only time we're called while xpt_ready is still on a list
+ * is while the list itself is about to be destroyed (in
+ * svc_destroy). BUT svc_xprt_enqueue could still be attempting
+ * to add new entries to the sp_sockets list, so we can't leave
+ * a freed xprt on it.
*/
+ list_del_init(&xprt->xpt_ready);
if (test_bit(XPT_TEMP, &xprt->xpt_flags))
serv->sv_tmpcnt--;
Patches currently in longterm-queue-2.6.33 which might be from
[email protected] are
/home/gregkh/linux/longterm/longterm-queue-2.6.33/queue-2.6.33/svcrpc-fix-list-corrupting-race-on-nfsd-shutdown.patch
_______________________________________________
stable mailing list
[email protected]
http://linux.kernel.org/mailman/listinfo/stable
