    lockd: protect nlm_blocked access in nlmsvc_retry_blocked · 1c327d96
    David Jeffery authored
    In nlmsvc_retry_blocked, the check that the list is non-empty and acquiring
    the pointer of the first entry is unprotected by any lock.  This allows a rare
    race condition when there is only one entry on the list.  A function such as
    nlmsvc_grant_callback() can be called, which will temporarily remove the entry
    from the list.  Between the list_empty() and list_entry(), the list may become
    empty, causing an invalid pointer to be used as an nlm_block, leading to a
    possible crash.
    
    This patch adds the nlm_block_lock around these calls to prevent concurrent
    use of the nlm_blocked list.
    
    This was a regression introduced by
    f904be9c  "lockd: Mostly remove BKL from
    the server".
    
    Cc: Bryan Schumaker <bjschuma@netapp.com>
    Cc: stable@vger.kernel.org
    Signed-off-by: David Jeffery <djeffery@redhat.com>
    Signed-off-by: J. Bruce Fields <bfields@redhat.com>
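The window the commit message describes (list_empty() passes, another CPU unlinks the only entry, list_entry() then runs on the head sentinel) is easy to reproduce outside the kernel. The block below is an added user-space model, not code from svclock.c or from the patch: it assumes a minimal reimplementation of the kernel's intrusive list (`list_head`, `list_entry`, `list_empty`, `list_del_init`), a single-threaded held/not-held stand-in for the spinlock named `spin_lock`/`spin_trylock`, and that the granting path already takes nlm_block_lock before unlinking, as the message implies. `retry_peek_unlocked` has the pre-patch shape of the loop head, `retry_peek_locked` the post-patch shape.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* Minimal model of the kernel's intrusive list (assumption: not list.h). */
struct list_head { struct list_head *next, *prev; };

#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))

static void INIT_LIST_HEAD(struct list_head *h) { h->next = h->prev = h; }
static bool list_empty(const struct list_head *h) { return h->next == h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}
static void list_del_init(struct list_head *n)
{
    n->prev->next = n->next; n->next->prev = n->prev;
    INIT_LIST_HEAD(n);
}

struct nlm_block { int b_id; struct list_head b_list; };

/* The shared list and the lock the patch puts around the two steps. */
static struct list_head nlm_blocked;

/* Single-threaded model of nlm_block_lock: a spinlock is either held or
 * not; trylock stands in for "the other CPU cannot get in while it is held". */
static bool nlm_block_lock_held;
static void spin_lock(void)   { nlm_block_lock_held = true; }
static void spin_unlock(void) { nlm_block_lock_held = false; }
static bool spin_trylock(void)
{
    if (nlm_block_lock_held) return false;
    nlm_block_lock_held = true;
    return true;
}

/* Exactly one block on the list, the case the commit message calls out. */
static void setup_single_block(struct nlm_block *b)
{
    INIT_LIST_HEAD(&nlm_blocked);
    INIT_LIST_HEAD(&b->b_list);
    list_add_tail(&b->b_list, &nlm_blocked);
    nlm_block_lock_held = false;
}

/* Stand-in for nlmsvc_grant_callback() on another CPU: it takes the lock
 * and temporarily unlinks the block. Returns whether the unlink happened. */
static bool grant_callback_try_unlink(struct nlm_block *b)
{
    if (!spin_trylock()) return false;
    list_del_init(&b->b_list);
    spin_unlock();
    return true;
}

/* Pre-patch shape: emptiness check and first-entry load without the lock,
 * with the racing unlink landing in the window between them. */
static struct nlm_block *retry_peek_unlocked(struct nlm_block *racer)
{
    if (list_empty(&nlm_blocked)) return NULL;
    grant_callback_try_unlink(racer);                    /* the window */
    return list_entry(nlm_blocked.next, struct nlm_block, b_list);
}

/* Post-patch shape: both steps under nlm_block_lock, so the unlink has to
 * wait until a valid pointer is already in hand. */
static struct nlm_block *retry_peek_locked(struct nlm_block *racer)
{
    struct nlm_block *b = NULL;
    spin_lock();
    if (!list_empty(&nlm_blocked)) {
        grant_callback_try_unlink(racer);                /* locked out */
        b = list_entry(nlm_blocked.next, struct nlm_block, b_list);
    }
    spin_unlock();
    return b;
}

/* True when b is the phantom produced by list_entry() on the sentinel: it
 * points at whatever memory sits before the global list head, not a block. */
static bool block_is_phantom(const struct nlm_block *b)
{
    return b != NULL && &b->b_list == &nlm_blocked;
}

static bool unlocked_hands_back_phantom(void)
{
    struct nlm_block blk = { .b_id = 1 };
    setup_single_block(&blk);
    return block_is_phantom(retry_peek_unlocked(&blk));
}

static bool locked_hands_back_real_block(void)
{
    struct nlm_block blk = { .b_id = 1 };
    setup_single_block(&blk);
    struct nlm_block *b = retry_peek_locked(&blk);
    return b == &blk && !block_is_phantom(b) && !list_empty(&nlm_blocked);
}

int main(void)
{
    printf("unlocked peek yields phantom block: %d\n", unlocked_hands_back_phantom());
    printf("locked peek yields the real block:  %d\n", locked_hands_back_real_block());
    return 0;
}
```

The phantom pointer is what the kernel would go on to dereference as an nlm_block; here it is only compared, never read, which is why the model can show the bug without crashing. The same pattern (check a shared list, then read from it, without holding the lock that the writers use) is worth grepping for whenever a change like f904be9c removes a coarse lock from a subsystem.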