Revision 88956eabfdea7d01d550535af120d4ef265b1d02 authored by NeilBrown on 12 September 2023, 01:25:00 UTC, committed by Chuck Lever on 12 September 2023, 13:39:35 UTC
If /proc/fs/nfsd/pool_stats is open when the last nfsd thread exits, then when the file is closed a NULL pointer is dereferenced. This is because nfsd_pool_stats_release() assumes that the pointer to the svc_serv cannot become NULL while a reference is held. This used to be the case but a recent patch split nfsd_last_thread() out from nfsd_put(), and clearing the pointer is done in nfsd_last_thread(). This is easily reproduced by running rpc.nfsd 8 ; ( rpc.nfsd 0;true) < /proc/fs/nfsd/pool_stats Fortunately nfsd_pool_stats_release() has easy access to the svc_serv pointer, and so can call svc_put() on it directly. Fixes: 9f28a971ee9f ("nfsd: separate nfsd_last_thread() from nfsd_put()") Signed-off-by: NeilBrown <neilb@suse.de> Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
1 parent fdd2630
uncompress.c
// SPDX-License-Identifier: GPL-2.0
/*
* uncompress.c
*
* (C) Copyright 1999 Linus Torvalds
*
* cramfs interfaces to the uncompression library. There's really just
* three entrypoints:
*
* - cramfs_uncompress_init() - called to initialize the thing.
* - cramfs_uncompress_exit() - tell me when you're done
* - cramfs_uncompress_block() - uncompress a block.
*
* NOTE NOTE NOTE! The uncompression is entirely single-threaded. We
* only have one stream, and we'll initialize it only once even if it
* then is used by multiple filesystems.
*/
#define pr_fmt(fmt) KBUILD_MODNAME ": " fmt
#include <linux/kernel.h>
#include <linux/errno.h>
#include <linux/vmalloc.h>
#include <linux/zlib.h>
#include "internal.h"
/*
 * The one inflate stream used by every function in this file. Nothing here
 * takes a lock around it; the file header says decompression is
 * single-threaded, so callers are presumably expected to serialize
 * (NOTE(review): confirm against the callers).
 */
static z_stream stream;
/*
 * Number of cramfs_uncompress_init() calls not yet balanced by
 * cramfs_uncompress_exit(); the workspace exists while this is non-zero.
 */
static int initialized;
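/*
 * Inflate one compressed block from @src into @dst.
 *
 * @dst:    output buffer
 * @dstlen: capacity of @dst in bytes; becomes zlib's output limit
 * @src:    compressed input
 * @srclen: number of input bytes available at @src
 *
 * Returns the length of the decompressed data, or -EIO if a length is
 * negative or the block does not inflate completely within @dstlen.
 *
 * Works on the single file-scope stream, so calls must not overlap.
 */
int cramfs_uncompress_block(void *dst, int dstlen, void *src, int srclen)
{
	int err;

	/*
	 * Both lengths are signed here but are stored into zlib's unsigned
	 * avail_in/avail_out counters. A negative value would convert to a
	 * huge count and remove the bound on reads from @src or writes to
	 * @dst, so refuse it before touching the stream.
	 */
	if (srclen < 0 || dstlen < 0) {
		pr_err("bad block length: src %d, dst %d\n", srclen, dstlen);
		return -EIO;
	}

	stream.next_in = src;
	stream.avail_in = srclen;

	stream.next_out = dst;
	stream.avail_out = dstlen;

	err = zlib_inflateReset(&stream);
	if (err != Z_OK) {
		pr_err("zlib_inflateReset error %d\n", err);
		/* Reset failed: tear the inflate state down and rebuild it. */
		zlib_inflateEnd(&stream);
		err = zlib_inflateInit(&stream);
		if (err != Z_OK)
			goto fail;
	}

	/*
	 * Z_FINISH asks for the whole block in this one call. Any result
	 * other than Z_STREAM_END is treated as a failed block rather than
	 * returning partial output.
	 */
	err = zlib_inflate(&stream, Z_FINISH);
	if (err != Z_STREAM_END)
		goto fail;

	return stream.total_out;

fail:
	pr_err("Error %d while decompressing!\n", err);
	pr_err("%p(%d)->%p(%d)\n", src, srclen, dst, dstlen);
	return -EIO;
}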
/*
 * Take a reference on the shared inflate stream, setting it up on first use.
 *
 * Only the first caller allocates the zlib workspace and initializes the
 * stream; later callers just bump the count.
 *
 * Returns 0 on success, or -ENOMEM if the workspace cannot be allocated
 * (the count is put back to 0 in that case).
 */
int cramfs_uncompress_init(void)
{
	/* Already set up by an earlier caller: the increment is all we need. */
	if (initialized++)
		return 0;

	stream.workspace = vmalloc(zlib_inflate_workspacesize());
	if (stream.workspace == NULL) {
		/* Undo the increment so a later call retries the allocation. */
		initialized = 0;
		return -ENOMEM;
	}

	stream.next_in = NULL;
	stream.avail_in = 0;
	zlib_inflateInit(&stream);

	return 0;
}
/*
 * Drop one reference on the shared inflate stream.
 *
 * When the count reaches zero the inflate state is ended and the workspace
 * is freed. The count is decremented unconditionally, so every call must be
 * paired with an earlier successful cramfs_uncompress_init().
 */
void cramfs_uncompress_exit(void)
{
	initialized--;
	if (initialized != 0)
		return;

	/* Last user is gone: release the zlib state, then its workspace. */
	zlib_inflateEnd(&stream);
	vfree(stream.workspace);
}