2.6.33-longterm review patch.  If anyone has any objections, please let us know.

------------------

From: "J. Bruce Fields" <bfie...@redhat.com>

commit ebc63e531cc6a457595dd110b07ac530eae788c3 upstream.

After commit 3262c816a3d7fb1eaabce633caa317887ed549ae "[PATCH] knfsd:
split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no
longer removed its xpt_ready (then sk_ready) field from whatever list it
was on, noting that there was no point since the whole list was about to
be destroyed anyway.

That was mostly true, but forgot that a few svc_xprt_enqueue()'s might
still be hanging around playing with the about-to-be-destroyed list, and
could get themselves into trouble writing to freed memory if we left
this xprt on the list after freeing it.

(This is actually functionally identical to a patch made first by Ben
Greear, but with more comments.)

Cc: g...@fmeh.org
Reported-by: Ben Greear <gree...@candelatech.com>
Tested-by: Ben Greear <gree...@candelatech.com>
Signed-off-by: J. Bruce Fields <bfie...@redhat.com>
Signed-off-by: Greg Kroah-Hartman <gre...@suse.de>

---
 net/sunrpc/svc_xprt.c |   11 ++++++-----
 1 file changed, 6 insertions(+), 5 deletions(-)

--- a/net/sunrpc/svc_xprt.c
+++ b/net/sunrpc/svc_xprt.c
@@ -884,12 +884,13 @@ void svc_delete_xprt(struct svc_xprt *xp
        if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags))
                list_del_init(&xprt->xpt_list);
        /*
-        * We used to delete the transport from whichever list
-        * it's sk_xprt.xpt_ready node was on, but we don't actually
-        * need to.  This is because the only time we're called
-        * while still attached to a queue, the queue itself
-        * is about to be destroyed (in svc_destroy).
+        * The only time we're called while xpt_ready is still on a list
+        * is while the list itself is about to be destroyed (in
+        * svc_destroy).  BUT svc_xprt_enqueue could still be attempting
+        * to add new entries to the sp_sockets list, so we can't leave
+        * a freed xprt on it.
         */
+       list_del_init(&xprt->xpt_ready);
        if (test_bit(XPT_TEMP, &xprt->xpt_flags))
                serv->sv_tmpcnt--;
 
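Review bot: the added list_del_init(&xprt->xpt_ready) has no locking visible in this hunk, although the comment directly above it says svc_xprt_enqueue could still be adding entries to the sp_sockets list at this point. Unlinking a node while another context is modifying the same list is only safe if both sides are serialised by the same lock. Either take whatever lock serialises svc_xprt_enqueue's updates to sp_sockets around this call, or extend the comment to name the lock the caller already holds here. It would also help to say in the comment that xpt_ready is the node linked on sp_sockets, since the comment and the code use the two names without connecting them.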

