the layout state may be shared by a number of layout segments, each held by struct nfs4_layout and we may be destroying just one of them e.g. on layoutreturn.
Signed-off-by: Benny Halevy <bhalevy@xxxxxxxxxx>
---
 fs/nfsd/nfs4pnfsd.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/fs/nfsd/nfs4pnfsd.c b/fs/nfsd/nfs4pnfsd.c
index fe3f693..c62af3d 100644
--- a/fs/nfsd/nfs4pnfsd.c
+++ b/fs/nfsd/nfs4pnfsd.c
@@ -345,7 +345,6 @@ static void update_layout_roc(struct nfs4_layout_state *ls, bool roc)
 __func__, lp, clp, fp, fp->fi_inode);
 kmem_cache_free(pnfs_layout_slab, lp);
- list_del_init(&ls->ls_perfile);
 /* release references taken by init_layout */
 put_layout_state(ls);
 put_nfs4_file(fp);
@@ -1249,6 +1248,7 @@ void pnfsd_roc(struct nfs4_client *clp, struct nfs4_file *fp)
 memset(&lr, 0, sizeof(lr));
 lr.args.lr_return_type = RETURN_FILE;
 lr.args.lr_seg = lo->lo_seg;
+ list_del_init(&lo->lo_state->ls_perfile); /* just to be on the safe side */
 dequeue_layout(lo);
 destroy_layout(lo); /* do not access lp after this */
@@ -1301,6 +1301,7 @@ void pnfs_expire_client(struct nfs4_client *clp)
 lr.args.lr_seg = lp->lo_seg;
 empty = list_empty(&lp->lo_file->fi_layouts);
 BUG_ON(lp->lo_client != clp);
+ list_del_init(&lp->lo_state->ls_perfile); /* just to be on the safe side */
 dequeue_layout(lp);
 destroy_layout(lp); /* do not access lp after this */
 }
--
1.7.11.7
--
To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
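Review bot: Once the first hunk drops the unlink, the only visible places that take a layout state off `ls_perfile` are the added `list_del_init()` calls in pnfsd_roc() and pnfs_expire_client(), so the layoutreturn path named in the description no longer unlinks at all. That is correct while other segments still hold the state, but if the final `put_layout_state(ls)` frees a state that is still linked, the file's per-file list keeps a pointer to freed memory. The release function is not in this diff, so please confirm it unlinks before freeing; if it does not, `list_del_init(&ls->ls_perfile);` belongs there, which would also make the two caller-side calls redundant. The trailing comment `/* just to be on the safe side */` on both added lines would be more useful as `/* unlink state from the file list; a repeat call for a shared state is a no-op */`, ideally also naming the lock that covers `ls_perfile`. All three hunks cut through function bodies that begin and end outside the diff.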