SUNRPC: prevent task_cleanup running on freed xprt

We saw a report of a NULL dereference in xprt_autoclose: https://bugzilla.redhat.com/show_bug.cgi?id=611938 This appears to be the result of an xprt's task_cleanup running after the xprt is destroyed. Nothing in the current code appears to prevent that. Signed-off-by: N J. Bruce Fields <bfields@redhat.com> Signed-off-by: N Trond Myklebust <Trond.Myklebust@netapp.com>

SUNRPC: prevent task_cleanup running on freed xprt
We saw a report of a NULL dereference in xprt_autoclose: https://bugzilla.redhat.com/show_bug.cgi?id=611938 This appears to be the result of an xprt's task_cleanup running after the xprt is destroyed. Nothing in the current code appears to prevent that. Signed-off-by: N J. Bruce Fields <bfields@redhat.com> Signed-off-by: N Trond Myklebust <Trond.Myklebust@netapp.com>
c3ae62ae · J. Bruce Fields · Trond Myklebust · d6a1ed08 · c3ae62ae
隐藏空白更改
内联并排

Showing with 1 addition and 0 deletion

net/sunrpc/xprt.c net/sunrpc/xprt.c +1 -0

未找到文件。
--- a/net/sunrpc/xprt.c
+++ b/net/sunrpc/xprt.c
@@ -1131,6 +1131,7 @@ static void xprt_destroy(struct kref *kref)
 	rpc_destroy_wait_queue(&xprt->sending);
 	rpc_destroy_wait_queue(&xprt->resend);
 	rpc_destroy_wait_queue(&xprt->backlog);
+	cancel_work_sync(&xprt->task_cleanup);
 	/*
 	 * Tear down transport state and free the rpc_xprt
 	 */