NFSv4: It is not safe to dereference lsp->ls_state in release_lockowner

It is quite possible for the release_lockowner RPC call to race with the
close RPC call, in which case, we cannot dereference lsp->ls_state in
order to find the nfs_server.

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>

diff --git a/fs/nfs/nfs4_fs.h b/fs/nfs/nfs4_fs.h
index b47bdb9c1612f893140dabe86e233707b36723a3..97ecc863dd76b46900e23758d4cbdda2f28f63d0 100644 (file)
--- a/fs/nfs/nfs4_fs.h
+++ b/fs/nfs/nfs4_fs.h
@@ -340,7 +340,7 @@ extern void nfs_increment_lock_seqid(int status, struct nfs_seqid *seqid);
 extern void nfs_release_seqid(struct nfs_seqid *seqid);
 extern void nfs_free_seqid(struct nfs_seqid *seqid);
 
-extern void nfs4_free_lock_state(struct nfs4_lock_state *lsp);
+extern void nfs4_free_lock_state(struct nfs_server *server, struct nfs4_lock_state *lsp);
 
 extern const nfs4_stateid zero_stateid;
 

diff --git a/fs/nfs/nfs4proc.c b/fs/nfs/nfs4proc.c
index 5e0961acfef4b340d360540f8e1dca9e92467b12..d41d97fb4cb9463be09261cef624c973ae3bd7bd 100644 (file)
--- a/fs/nfs/nfs4proc.c
+++ b/fs/nfs/nfs4proc.c
@@ -4760,13 +4760,14 @@ out:
 
 struct nfs_release_lockowner_data {
        struct nfs4_lock_state *lsp;
+       struct nfs_server *server;
        struct nfs_release_lockowner_args args;
 };
 
 static void nfs4_release_lockowner_release(void *calldata)
 {
        struct nfs_release_lockowner_data *data = calldata;
-       nfs4_free_lock_state(data->lsp);
+       nfs4_free_lock_state(data->server, data->lsp);
        kfree(calldata);
 }
 
@@ -4788,6 +4789,7 @@ int nfs4_release_lockowner(struct nfs4_lock_state *lsp)
        if (!data)
                return -ENOMEM;
        data->lsp = lsp;
+       data->server = server;
        data->args.lock_owner.clientid = server->nfs_client->cl_clientid;
        data->args.lock_owner.id = lsp->ls_seqid.owner_id;
        data->args.lock_owner.s_dev = server->s_dev;

diff --git a/fs/nfs/nfs4state.c b/fs/nfs/nfs4state.c
index 12b068f2ec91a2d95d8b47dce9438b02a652bd3a..0f43414eb25a141be336c34bef78cc126cd9039f 100644 (file)
--- a/fs/nfs/nfs4state.c
+++ b/fs/nfs/nfs4state.c
@@ -791,10 +791,8 @@ out_free:
        return NULL;
 }
 
-void nfs4_free_lock_state(struct nfs4_lock_state *lsp)
+void nfs4_free_lock_state(struct nfs_server *server, struct nfs4_lock_state *lsp)
 {
-       struct nfs_server *server = lsp->ls_state->owner->so_server;
-
        ida_simple_remove(&server->lockowner_id, lsp->ls_seqid.owner_id);
        nfs4_destroy_seqid_counter(&lsp->ls_seqid);
        kfree(lsp);
@@ -828,7 +826,7 @@ static struct nfs4_lock_state *nfs4_get_lock_state(struct nfs4_state *state, fl_
        }
        spin_unlock(&state->state_lock);
        if (new != NULL)
-               nfs4_free_lock_state(new);
+               nfs4_free_lock_state(state->owner->so_server, new);
        return lsp;
 }
 
@@ -853,7 +851,7 @@ void nfs4_put_lock_state(struct nfs4_lock_state *lsp)
                if (nfs4_release_lockowner(lsp) == 0)
                        return;
        }
-       nfs4_free_lock_state(lsp);
+       nfs4_free_lock_state(lsp->ls_state->owner->so_server, lsp);
 }
 
 static void nfs4_fl_copy_lock(struct file_lock *dst, struct file_lock *src)