On Fri, Mar 04, 2016 at 05:20:13PM +1100, NeilBrown wrote: > > sunrpc_cache_pipe_upcall() can detect a race if CACHE_PENDING is no longer > set. In this case it aborts the queuing of the upcall. > However it has already taken a new counted reference on "h" and > doesn't "put" it, even though it frees the data structure holding the reference. > > So let's delay the "cache_get" until we know we need it. > > Fixes: f9e1aedc6c79 ("sunrpc/cache: remove races with queuing an upcall.") > Signed-off-by: NeilBrown <neilb@xxxxxxxx> > --- > net/sunrpc/cache.c | 6 +++--- > 1 file changed, 3 insertions(+), 3 deletions(-) > > I found this when I was looking for something else. Testing hasn't > shown a bug, and nor has it shown that this is bug-free. But it looks > right. Sorry for the delay. I agree, it seems simple enough; applying for 4.6.... --b. > > NeilBrown > > > diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c > index 273bc3a35425..008c25d1b9f9 100644 > --- a/net/sunrpc/cache.c > +++ b/net/sunrpc/cache.c > @@ -1182,14 +1182,14 @@ int sunrpc_cache_pipe_upcall(struct cache_detail *detail, struct cache_head *h) > } > > crq->q.reader = 0; > - crq->item = cache_get(h); > crq->buf = buf; > crq->len = 0; > crq->readers = 0; > spin_lock(&queue_lock); > - if (test_bit(CACHE_PENDING, &h->flags)) > + if (test_bit(CACHE_PENDING, &h->flags)) { > + crq->item = cache_get(h); > list_add_tail(&crq->q.list, &detail->queue); > - else > + } else > /* Lost a race, no longer PENDING, so don't enqueue */ > ret = -EAGAIN; > spin_unlock(&queue_lock); > -- > 2.7.0 >
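Review bot: In the else arm of the CACHE_PENDING test, crq->item is now never assigned, so the -EAGAIN path leaves that field uninitialised unless crq was allocated zeroed, which the visible context does not show. The cleanup that follows spin_unlock(&queue_lock) is outside the hunk; it is worth confirming that it only frees buf and crq and never reads or puts crq->item, or else assigning crq->item = NULL alongside the other field initialisers before the lock is taken. Separately, the if arm now carries braces while the else arm, which holds a comment plus "ret = -EAGAIN;", does not; kernel coding style asks for braces on both arms once one of them needs them.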