Commit b9382e29 authored Jan 25, 2025 by Jeff Layton Committed by Chuck Lever Feb 02, 2025

nfsd: validate the nfsd_serv pointer before calling svc_wake_up



nfsd_file_dispose_list_delayed can be called from the filecache
laundrette, which is shut down after the nfsd threads are shut down and
the nfsd_serv pointer is cleared. If nn->nfsd_serv is NULL then there
are no threads to wake.

Ensure that the nn->nfsd_serv pointer is non-NULL before calling
svc_wake_up in nfsd_file_dispose_list_delayed. This is safe since the
svc_serv is not freed until after the filecache laundrette is cancelled.

Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Closes: https://bugs.debian.org/1093734


Fixes: ffb40259 ("nfsd: Don't leave work of closing files to a work queue")
Cc: stable@vger.kernel.org
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: NeilBrown <neilb@suse.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

parent 7faf14a7

fs/nfsd/filecache.c

+10 −1

Original line number	Diff line number	Diff line
		@@ -445,11 +445,20 @@ nfsd_file_dispose_list_delayed(struct list_head *dispose)
		struct nfsd_file, nf_gc);
		struct nfsd_net *nn = net_generic(nf->nf_net, nfsd_net_id);
		struct nfsd_fcache_disposal *l = nn->fcache_disposal;
		struct svc_serv *serv;

		spin_lock(&l->lock);
		list_move_tail(&nf->nf_gc, &l->freeme);
		spin_unlock(&l->lock);
		svc_wake_up(nn->nfsd_serv);

		/*
		* The filecache laundrette is shut down after the
		* nn->nfsd_serv pointer is cleared, but before the
		* svc_serv is freed.
		*/
		serv = nn->nfsd_serv;
		if (serv)
		svc_wake_up(serv);
		}
		}