author: Jeff Layton, 2014-07-10 20:07:33 +0200
committer: J. Bruce Fields, 2014-07-11 17:06:17 +0200
commit: 7214e8600eee146b6ea79eb6b7b01b343856a7c6 (patch)
tree: e29f323c9dbc9c5c0450339f3ad90e13dc5f335c /fs/nfsd/state.h
parent: nfsd: clean up reset_union_bmap_deny
nfsd: always hold the fi_lock when bumping fi_access refcounts
Once we remove the client_mutex, there's an unlikely but possible race that could occur. It will be possible for nfs4_file_put_access to race with nfs4_file_get_access. The refcount will go to zero (briefly) and then bumped back to one. If that happens we set ourselves up for a use-after-free and the potential for a lock to race onto the i_flock list as a filp is being torn down.

Ensure that we can safely bump the refcount on the file by holding the fi_lock whenever that's done. The only place it currently isn't is in get_lock_access.

In order to ensure atomicity with finding the file, use the find_*_file_locked variants and then call get_lock_access to get new access references on the nfs4_file under the same lock.

Signed-off-by: Jeff Layton <jlayton@primarydata.com>
Reviewed-by: Christoph Hellwig <hch@lst.de>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>
Diffstat (limited to 'fs/nfsd/state.h')
0 files changed, 0 insertions, 0 deletions
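
The locking rule from the commit message, as an added user-space model (not the kernel's code and not part of this commit). The struct, the function names and the decrement-then-lock put path are assumptions of this model: references are only taken with the lock held, and the final 1 -> 0 drop and teardown also happen under it, so a count can never be seen at zero and then revived.

```c
/* Added model, not kernel code: every name here is a hypothetical stand-in. */
#include <stdatomic.h>
#include <stdbool.h>

struct file_model {
    atomic_flag lock;    /* stands in for fi_lock */
    atomic_int  access;  /* stands in for one fi_access counter */
    bool        fd_open; /* stands in for the filp being live */
};

static void model_init(struct file_model *f) {
    atomic_flag_clear(&f->lock);
    atomic_init(&f->access, 1);   /* opened with one access reference */
    f->fd_open = true;
}

static void model_lock(struct file_model *f) {
    while (atomic_flag_test_and_set_explicit(&f->lock, memory_order_acquire))
        ; /* spin until the holder releases */
}

static void model_unlock(struct file_model *f) {
    atomic_flag_clear_explicit(&f->lock, memory_order_release);
}

/* Take a reference. The caller must hold the lock, so finding the file
 * and bumping the count are one step with respect to the final put. */
static bool get_access_locked(struct file_model *f) {
    if (!f->fd_open)
        return false;             /* already torn down: refuse */
    atomic_fetch_add(&f->access, 1);
    return true;
}

/* Drop a reference. Returns true if this call tore the file down. */
static bool put_access(struct file_model *f) {
    int old = atomic_load(&f->access);
    /* Fast path: lock-free decrement while we are not the last holder. */
    while (old > 1)
        if (atomic_compare_exchange_weak(&f->access, &old, old - 1))
            return false;
    model_lock(f);                /* the 1 -> 0 step is taken under the lock */
    bool last = (atomic_fetch_sub(&f->access, 1) == 1);
    if (last)
        f->fd_open = false;       /* teardown, still under the lock */
    model_unlock(f);
    return last;
}
```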