From: Trond Myklebust Date: Wed, 19 Oct 2005 06:19:39 +0000 (-0700) Subject: NFSv4: Fix an oopsable condition in nfs_free_seqid X-Git-Tag: v2.6.15-rc1~733^2~54^2~16 X-Git-Url: https://err.no/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=7f709a48fa798cfa0f2f777c8752e12995054f78;p=linux-2.6 NFSv4: Fix an oopsable condition in nfs_free_seqid Storing a pointer to the struct rpc_task in the nfs_seqid is broken since the nfs_seqid may be freed well after the task has been destroyed. Signed-off-by: Trond Myklebust --- diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h index 8a37881990..45bff1d1a5 100644 --- a/fs/nfs/nfs4_fs.h +++ b/fs/nfs/nfs4_fs.h @@ -112,7 +112,6 @@ struct nfs_seqid_counter { struct nfs_seqid { struct list_head list; struct nfs_seqid_counter *sequence; - struct rpc_task *task; }; static inline void nfs_confirm_seqid(struct nfs_seqid_counter *seqid, int status) diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c index 23834c8fb7..da0861db57 100644 --- a/fs/nfs/nfs4state.c +++ b/fs/nfs/nfs4state.c @@ -676,7 +676,6 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter) new = kmalloc(sizeof(*new), GFP_KERNEL); if (new != NULL) { new->sequence = counter; - new->task = NULL; spin_lock(&sequence->lock); list_add_tail(&new->list, &sequence->list); spin_unlock(&sequence->lock); @@ -687,15 +686,10 @@ struct nfs_seqid *nfs_alloc_seqid(struct nfs_seqid_counter *counter) void nfs_free_seqid(struct nfs_seqid *seqid) { struct rpc_sequence *sequence = seqid->sequence->sequence; - struct rpc_task *next = NULL; spin_lock(&sequence->lock); list_del(&seqid->list); - if (!list_empty(&sequence->list)) { - next = list_entry(sequence->list.next, struct nfs_seqid, list)->task; - if (next) - rpc_wake_up_task(next); - } + rpc_wake_up(&sequence->wait); spin_unlock(&sequence->lock); kfree(seqid); } @@ -754,7 +748,6 @@ int nfs_wait_on_sequence(struct nfs_seqid *seqid, struct rpc_task *task) spin_lock(&sequence->lock); if (sequence->list.next != &seqid->list) { - seqid->task = task; rpc_sleep_on(&sequence->wait, task, NULL, NULL); status = -EAGAIN; }