From: Greg Kroah-Hartman Date: Mon, 2 May 2016 23:56:22 +0000 (-0700) Subject: 3.14-stable patches X-Git-Tag: v3.14.68~7 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=3fc333f810f63db412f652fa494d153d4929e5ca;p=thirdparty%2Fkernel%2Fstable-queue.git 3.14-stable patches added patches: sunrpc-cache-drop-reference-when-sunrpc_cache_pipe_upcall-detects-a-race.patch --- diff --git a/queue-3.14/series b/queue-3.14/series index 52d041496f2..f1db51eb95e 100644 --- a/queue-3.14/series +++ b/queue-3.14/series @@ -34,3 +34,4 @@ arm-omap3-add-cpuidle-parameters-table-for-omap3430.patch bus-imx-weim-take-the-status-property-value-into-account.patch jme-do-not-enable-nic-wol-functions-on-s0.patch jme-fix-device-pm-wakeup-api-usage.patch +sunrpc-cache-drop-reference-when-sunrpc_cache_pipe_upcall-detects-a-race.patch diff --git a/queue-3.14/sunrpc-cache-drop-reference-when-sunrpc_cache_pipe_upcall-detects-a-race.patch b/queue-3.14/sunrpc-cache-drop-reference-when-sunrpc_cache_pipe_upcall-detects-a-race.patch new file mode 100644 index 00000000000..38209599974 --- /dev/null +++ b/queue-3.14/sunrpc-cache-drop-reference-when-sunrpc_cache_pipe_upcall-detects-a-race.patch 
@@ -0,0 +1,45 @@ +From a6ab1e8126d205238defbb55d23661a3a5c6a0d8 Mon Sep 17 00:00:00 2001 +From: NeilBrown +Date: Fri, 4 Mar 2016 17:20:13 +1100 +Subject: sunrpc/cache: drop reference when sunrpc_cache_pipe_upcall() detects a race + +From: NeilBrown + +commit a6ab1e8126d205238defbb55d23661a3a5c6a0d8 upstream. + +sunrpc_cache_pipe_upcall() can detect a race if CACHE_PENDING is no longer +set. In this case it aborts the queuing of the upcall. +However it has already taken a new counted reference on "h" and +doesn't "put" it, even though it frees the data structure holding the reference. + +So let's delay the "cache_get" until we know we need it. + +Fixes: f9e1aedc6c79 ("sunrpc/cache: remove races with queuing an upcall.") +Signed-off-by: NeilBrown +Signed-off-by: J. Bruce Fields +Signed-off-by: Greg Kroah-Hartman + +--- + net/sunrpc/cache.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +--- a/net/sunrpc/cache.c ++++ b/net/sunrpc/cache.c +@@ -1187,14 +1187,14 @@ int sunrpc_cache_pipe_upcall(struct cach + } + + crq->q.reader = 0; +- crq->item = cache_get(h); + crq->buf = buf; + crq->len = 0; + crq->readers = 0; + spin_lock(&queue_lock); +- if (test_bit(CACHE_PENDING, &h->flags)) ++ if (test_bit(CACHE_PENDING, &h->flags)) { ++ crq->item = cache_get(h); + list_add_tail(&crq->q.list, &detail->queue); +- else ++ } else + /* Lost a race, no longer PENDING, so don't enqueue */ + ret = -EAGAIN; + spin_unlock(&queue_lock);
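Review bot: In the net/sunrpc/cache.c hunk, the `if (test_bit(CACHE_PENDING, &h->flags)) {` branch gains braces but the `} else` branch, which holds a comment plus `ret = -EAGAIN;`, stays unbraced. Kernel coding style asks for braces on both branches once one of them needs them, so `} else {` with a closing `}` would be the consistent form. Since this is a stable backport that should match the upstream commit, that cleanup belongs upstream rather than here. Second point on the same hunk: with `crq->item = cache_get(h);` moved inside the PENDING branch, `crq->item` is no longer assigned on the -EAGAIN path. The commit message says the structure is freed in that case, so it is worth confirming that the cleanup after `spin_unlock(&queue_lock);` never reads or puts `crq->item`, and saying so in a short comment next to the `-EAGAIN` assignment.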