On Wed, Jul 10, 2013 at 01:19:50PM -0400, David Jeffery wrote: > In nlmsvc_retry_blocked, the check that the list is non-empty and acquiring > the pointer of the first entry is unprotected by any lock. This allows a rare > race condition when there is only one entry on the list. A function such as > nlmsvc_grant_callback() can be called, which will temporarily remove the entry > from the list. Between the list_empty() and list_entry(),the list may become > empty, causing an invalid pointer to be used as an nlm_block, leading to a > possible crash. > > This patch adds the nlm_block_lock around these calls to prevent concurrent > use of the nlm_blocked list. Thanks! Looks like this bug probably originated from f904be9cc77f361d37d71468b13ff3d1a1823dea "lockd: Mostly remove BKL from the server" ? Applying for 3.11. --b. > > Signed-off-by: David Jeffery <djeffery@xxxxxxxxxx> > > > --- a/fs/lockd/svclock.c > +++ b/fs/lockd/svclock.c > @@ -951,6 +951,7 @@ nlmsvc_retry_blocked(void) > unsigned long timeout = MAX_SCHEDULE_TIMEOUT; > struct nlm_block *block; > > + spin_lock(&nlm_blocked_lock); > while (!list_empty(&nlm_blocked) && !kthread_should_stop()) { > block = list_entry(nlm_blocked.next, struct nlm_block, b_list); > > @@ -960,6 +961,7 @@ nlmsvc_retry_blocked(void) > timeout = block->b_when - jiffies; > break; > } > + spin_unlock(&nlm_blocked_lock); > > dprintk("nlmsvc_retry_blocked(%p, when=%ld)\n", > block, block->b_when); > @@ -969,7 +971,9 @@ nlmsvc_retry_blocked(void) > retry_deferred_block(block); > } else > nlmsvc_grant_blocked(block); > + spin_lock(&nlm_blocked_lock); > } > + spin_unlock(&nlm_blocked_lock); > > return timeout; > } > -- > To unsubscribe from this list: send the line "unsubscribe linux-nfs" in > the body of a message to majordomo@xxxxxxxxxxxxxxx > More majordomo info at http://vger.kernel.org/majordomo-info.html -- To unsubscribe from this list: send the line "unsubscribe linux-nfs" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html