diff options
author | Trond Myklebust <Trond.Myklebust@netapp.com> | 2006-08-24 01:03:05 -0400 |
---|---|---|
committer | Trond Myklebust <Trond.Myklebust@netapp.com> | 2006-09-22 23:24:54 -0400 |
commit | 5dd3177ae5012c1e2ad7a9ffdbd0e0d0de2f60e4 (patch) | |
tree | 2a8730d6443f6d33e8879cfc323396f9a570b97b /fs/nfs/client.c | |
parent | 275a082fe9308e710324e26ccb5363c53d8fd45f (diff) | |
download | kernel-crypto-5dd3177ae5012c1e2ad7a9ffdbd0e0d0de2f60e4.tar.gz kernel-crypto-5dd3177ae5012c1e2ad7a9ffdbd0e0d0de2f60e4.tar.xz kernel-crypto-5dd3177ae5012c1e2ad7a9ffdbd0e0d0de2f60e4.zip |
NFSv4: Fix a use-after-free issue with the nfs server.
Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
Diffstat (limited to 'fs/nfs/client.c')
-rw-r--r-- | fs/nfs/client.c | 36 |
1 files changed, 21 insertions, 15 deletions
diff --git a/fs/nfs/client.c b/fs/nfs/client.c index 12941a8a6d7..f1ff2aec2ca 100644 --- a/fs/nfs/client.c +++ b/fs/nfs/client.c @@ -164,6 +164,26 @@ error_0: return NULL; } +static void nfs4_shutdown_client(struct nfs_client *clp) +{ +#ifdef CONFIG_NFS_V4 + if (__test_and_clear_bit(NFS_CS_RENEWD, &clp->cl_res_state)) + nfs4_kill_renewd(clp); + while (!list_empty(&clp->cl_unused)) { + struct nfs4_state_owner *sp; + + sp = list_entry(clp->cl_unused.next, + struct nfs4_state_owner, + so_list); + list_del(&sp->so_list); + kfree(sp); + } + BUG_ON(!list_empty(&clp->cl_state_owners)); + if (__test_and_clear_bit(NFS_CS_IDMAP, &clp->cl_res_state)) + nfs_idmap_delete(clp); +#endif +} + /* * Destroy a shared client record */ @@ -171,21 +191,7 @@ static void nfs_free_client(struct nfs_client *clp) { dprintk("--> nfs_free_client(%d)\n", clp->cl_nfsversion); -#ifdef CONFIG_NFS_V4 - if (__test_and_clear_bit(NFS_CS_IDMAP, &clp->cl_res_state)) { - while (!list_empty(&clp->cl_unused)) { - struct nfs4_state_owner *sp; - - sp = list_entry(clp->cl_unused.next, - struct nfs4_state_owner, - so_list); - list_del(&sp->so_list); - kfree(sp); - } - BUG_ON(!list_empty(&clp->cl_state_owners)); - nfs_idmap_delete(clp); - } -#endif + nfs4_shutdown_client(clp); /* -EIO all pending I/O */ if (!IS_ERR(clp->cl_rpcclient)) |