diff options
author | J. Bruce Fields <bfields@citi.umich.edu> | 2010-06-01 11:21:40 -0400 |
---|---|---|
committer | J. Bruce Fields <bfields@citi.umich.edu> | 2010-06-24 12:24:55 -0400 |
commit | cba9ba4b902270c22f8b9c5149a284216b633fc1 (patch) | |
tree | 8d51f4f169e25113a319e794afe130de53db4ca2 /fs | |
parent | ac94bf582529343bb7f354d0eef6dc4e566bbbd5 (diff) | |
download | kernel_samsung_tuna-cba9ba4b902270c22f8b9c5149a284216b633fc1.zip kernel_samsung_tuna-cba9ba4b902270c22f8b9c5149a284216b633fc1.tar.gz kernel_samsung_tuna-cba9ba4b902270c22f8b9c5149a284216b633fc1.tar.bz2 |
nfsd4: fix delegation recall race use-after-free
When the rarely-used callback-connection-changing setclientid occurs
simultaneously with a delegation recall, we rerun the recall by
requeueing it on a workqueue. But we also need to take a reference on
the delegation in that case, since the delegation held by the rpc itself
will be released by the rpc_release callback.
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Diffstat (limited to 'fs')
-rw-r--r-- | fs/nfsd/nfs4callback.c | 1 |
1 files changed, 1 insertions, 0 deletions
diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index a468632..1e6497e 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -689,6 +689,7 @@ static void nfsd4_cb_recall_done(struct rpc_task *task, void *calldata) warn_no_callback_path(clp, task->tk_status); if (current_rpc_client != task->tk_client) { /* queue a callback on the new connection: */ + atomic_inc(&dp->dl_count); nfsd4_cb_recall(dp); return; } |