nfsd4: fix bad pointer on failure to find delegation

In case of a nonempty list, the return on error here is obviously bogus;
it ends up being a pointer to the list head instead of to any valid
delegation on the list.

In particular, if nfsd4_delegreturn() hits this case, and you're quite unlucky,
then renew_client may oops, and it may take an embarrassingly long time to
figure out why. Facepalm.

BUG: unable to handle kernel NULL pointer dereference at 0000000000000090
IP: [<ffffffff81292965>] nfsd4_delegreturn+0x125/0x200
...

Cc: stable@kernel.org
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

+7 -6
fs/nfsd/nfs4state.c
··· 2445 static struct nfs4_delegation * 2446 find_delegation_file(struct nfs4_file *fp, stateid_t *stid) 2447 { 2448 - struct nfs4_delegation *dp = NULL; 2449 2450 spin_lock(&recall_lock); 2451 - list_for_each_entry(dp, &fp->fi_delegations, dl_perfile) { 2452 - if (dp->dl_stateid.si_stateownerid == stid->si_stateownerid) 2453 - break; 2454 - } 2455 spin_unlock(&recall_lock); 2456 - return dp; 2457 } 2458 2459 int share_access_to_flags(u32 share_access)
··· 2445 static struct nfs4_delegation * 2446 find_delegation_file(struct nfs4_file *fp, stateid_t *stid) 2447 { 2448 + struct nfs4_delegation *dp; 2449 2450 spin_lock(&recall_lock); 2451 + list_for_each_entry(dp, &fp->fi_delegations, dl_perfile) 2452 + if (dp->dl_stateid.si_stateownerid == stid->si_stateownerid) { 2453 + spin_unlock(&recall_lock); 2454 + return dp; 2455 + } 2456 spin_unlock(&recall_lock); 2457 + return NULL; 2458 } 2459 2460 int share_access_to_flags(u32 share_access)
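
Review bot: In the new find_delegation_file() loop, the match path drops recall_lock and returns from inside list_for_each_entry, which leaves two spin_unlock(&recall_lock) sites to keep in sync. A separate result pointer initialised to NULL, assigned on match before a break, would keep a single unlock and return and make it plain that the iterator variable itself is never handed back. The loop body now spans several lines without braces around it, so adding braces to the list_for_each_entry would match the multi-line body. Since dp is returned after recall_lock is released, a short comment stating that NULL means "no matching delegation" and what keeps the returned entry valid for the caller would help anyone auditing this path later.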