Skip to content

Commit

Permalink
NFSv4: Fix a use-after-free issue with the nfs server.
Browse files Browse the repository at this point in the history
Signed-off-by: Trond Myklebust <[email protected]>
  • Loading branch information
Trond Myklebust authored and Trond Myklebust committed Sep 23, 2006
1 parent 275a082 commit 5dd3177
Show file tree
Hide file tree
Showing 4 changed files with 28 additions and 18 deletions.
36 changes: 21 additions & 15 deletions fs/nfs/client.c
Original file line number Diff line number Diff line change
Expand Up @@ -164,28 +164,34 @@ static struct nfs_client *nfs_alloc_client(const char *hostname,
return NULL;
}

static void nfs4_shutdown_client(struct nfs_client *clp)
{
#ifdef CONFIG_NFS_V4
if (__test_and_clear_bit(NFS_CS_RENEWD, &clp->cl_res_state))
nfs4_kill_renewd(clp);
while (!list_empty(&clp->cl_unused)) {
struct nfs4_state_owner *sp;

sp = list_entry(clp->cl_unused.next,
struct nfs4_state_owner,
so_list);
list_del(&sp->so_list);
kfree(sp);
}
BUG_ON(!list_empty(&clp->cl_state_owners));
if (__test_and_clear_bit(NFS_CS_IDMAP, &clp->cl_res_state))
nfs_idmap_delete(clp);
#endif
}

/*
* Destroy a shared client record
*/
static void nfs_free_client(struct nfs_client *clp)
{
dprintk("--> nfs_free_client(%d)\n", clp->cl_nfsversion);

#ifdef CONFIG_NFS_V4
if (__test_and_clear_bit(NFS_CS_IDMAP, &clp->cl_res_state)) {
while (!list_empty(&clp->cl_unused)) {
struct nfs4_state_owner *sp;

sp = list_entry(clp->cl_unused.next,
struct nfs4_state_owner,
so_list);
list_del(&sp->so_list);
kfree(sp);
}
BUG_ON(!list_empty(&clp->cl_state_owners));
nfs_idmap_delete(clp);
}
#endif
nfs4_shutdown_client(clp);

/* -EIO all pending I/O */
if (!IS_ERR(clp->cl_rpcclient))
Expand Down
1 change: 1 addition & 0 deletions fs/nfs/nfs4renewd.c
Original file line number Diff line number Diff line change
Expand Up @@ -121,6 +121,7 @@ nfs4_schedule_state_renewal(struct nfs_client *clp)
__FUNCTION__, (timeout + HZ - 1) / HZ);
cancel_delayed_work(&clp->cl_renewd);
schedule_delayed_work(&clp->cl_renewd, timeout);
set_bit(NFS_CS_RENEWD, &clp->cl_res_state);
spin_unlock(&clp->cl_lock);
}

Expand Down
8 changes: 5 additions & 3 deletions fs/nfs/super.c
Original file line number Diff line number Diff line change
Expand Up @@ -883,13 +883,15 @@ static int nfs4_get_sb(struct file_system_type *fs_type,
goto out_free;
}

if (s->s_fs_info != server) {
nfs_free_server(server);
server = NULL;
}

if (!s->s_root) {
/* initial superblock/root creation */
s->s_flags = flags;

nfs4_fill_super(s);
} else {
nfs_free_server(server);
}

mntroot = nfs4_get_root(s, &mntfh);
Expand Down
1 change: 1 addition & 0 deletions include/linux/nfs_fs_sb.h
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ struct nfs_client {
#define NFS_CS_RPCIOD 0 /* - rpciod started */
#define NFS_CS_CALLBACK 1 /* - callback started */
#define NFS_CS_IDMAP 2 /* - idmap started */
#define NFS_CS_RENEWD 3 /* - renewd started */
struct sockaddr_in cl_addr; /* server identifier */
char * cl_hostname; /* hostname of server */
struct list_head cl_share_link; /* link in global client list */
Expand Down

0 comments on commit 5dd3177

Please sign in to comment.