From aaf68cfbf2241d24d46583423f6bff5c47e088b3 Mon Sep 17 00:00:00 2001
From: NeilBrown <neilb@suse.de>
Date: Thu, 8 Feb 2007 14:20:30 -0800
Subject: [PATCH] knfsd: fix a race in closing NFSd connections

If you lose this race, it can iput a socket inode twice and you get a BUG
in fs/inode.c

When I added the option for user-space to close a socket, I added some
cruft to svc_delete_socket so that I could call that function when closing
a socket per user-space request.

This was the wrong thing to do.  I should have just set SK_CLOSE and let
normal mechanisms do the work.

Not only wrong, but buggy.  The locking is all wrong and it openned up a
race where-by a socket could be closed twice.

So this patch:
  Introduces svc_close_socket which sets SK_CLOSE then either leave
  the close up to a thread, or calls svc_delete_socket if it can
  get SK_BUSY.

  Adds a bias to sk_busy which is removed when SK_DEAD is set,
  This avoid races around shutting down the socket.

  Changes several 'spin_lock' to 'spin_lock_bh' where the _bh
  was missing.

Bugzilla-url: http://bugzilla.kernel.org/show_bug.cgi?id=7916

Signed-off-by: Neil Brown <neilb@suse.de>
Cc: <stable@kernel.org>
Signed-off-by: Andrew Morton <akpm@linux-foundation.org>
Signed-off-by: Linus Torvalds <torvalds@linux-foundation.org>
---
 net/sunrpc/svc.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

(limited to 'net/sunrpc/svc.c')

diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index 4c1611211119..c1f878131ac6 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -386,7 +386,7 @@ svc_destroy(struct svc_serv *serv)
 		svsk = list_entry(serv->sv_tempsocks.next,
 				  struct svc_sock,
 				  sk_list);
-		svc_delete_socket(svsk);
+		svc_close_socket(svsk);
 	}
 	if (serv->sv_shutdown)
 		serv->sv_shutdown(serv);
@@ -395,7 +395,7 @@ svc_destroy(struct svc_serv *serv)
 		svsk = list_entry(serv->sv_permsocks.next,
 				  struct svc_sock,
 				  sk_list);
-		svc_delete_socket(svsk);
+		svc_close_socket(svsk);
 	}
 	
 	cache_clean_deferred(serv);
-- 
cgit v1.2.3


From cca5172a7ec10dfdb0b787cd8e9d5b0b8f179793 Mon Sep 17 00:00:00 2001
From: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Date: Fri, 9 Feb 2007 15:38:13 -0800
Subject: [NET] SUNRPC: Fix whitespace errors.

Signed-off-by: YOSHIFUJI Hideaki <yoshfuji@linux-ipv6.org>
Signed-off-by: David S. Miller <davem@davemloft.net>
---
 net/sunrpc/svc.c | 24 ++++++++++++------------
 1 file changed, 12 insertions(+), 12 deletions(-)

(limited to 'net/sunrpc/svc.c')

diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index c1f878131ac6..b00511d39b65 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -397,7 +397,7 @@ svc_destroy(struct svc_serv *serv)
 				  sk_list);
 		svc_close_socket(svsk);
 	}
-	
+
 	cache_clean_deferred(serv);
 
 	/* Unregister service with the portmapper */
@@ -415,7 +415,7 @@ svc_init_buffer(struct svc_rqst *rqstp, unsigned int size)
 {
 	int pages;
 	int arghi;
-	
+
 	pages = size / PAGE_SIZE + 1; /* extra page as we hold both request and reply.
 				       * We assume one is at most one page
 				       */
@@ -514,7 +514,7 @@ choose_pool(struct svc_serv *serv, struct svc_pool *pool, unsigned int *state)
 	if (pool != NULL)
 		return pool;
 
- 	return &serv->sv_pools[(*state)++ % serv->sv_nrpools];
+	return &serv->sv_pools[(*state)++ % serv->sv_nrpools];
 }
 
 /*
@@ -530,13 +530,13 @@ choose_victim(struct svc_serv *serv, struct svc_pool *pool, unsigned int *state)
 		spin_lock_bh(&pool->sp_lock);
 	} else {
 		/* choose a pool in round-robin fashion */
- 		for (i = 0; i < serv->sv_nrpools; i++) {
- 			pool = &serv->sv_pools[--(*state) % serv->sv_nrpools];
+		for (i = 0; i < serv->sv_nrpools; i++) {
+			pool = &serv->sv_pools[--(*state) % serv->sv_nrpools];
 			spin_lock_bh(&pool->sp_lock);
- 			if (!list_empty(&pool->sp_all_threads))
- 				goto found_pool;
+			if (!list_empty(&pool->sp_all_threads))
+				goto found_pool;
 			spin_unlock_bh(&pool->sp_lock);
- 		}
+		}
 		return NULL;
 	}
 
@@ -551,7 +551,7 @@ found_pool:
 		rqstp = list_entry(pool->sp_all_threads.next, struct svc_rqst, rq_all);
 		list_del_init(&rqstp->rq_all);
 		task = rqstp->rq_task;
-    	}
+	}
 	spin_unlock_bh(&pool->sp_lock);
 
 	return task;
@@ -636,7 +636,7 @@ svc_exit_thread(struct svc_rqst *rqstp)
 
 /*
  * Register an RPC service with the local portmapper.
- * To unregister a service, call this routine with 
+ * To unregister a service, call this routine with
  * proto and port == 0.
  */
 int
@@ -709,7 +709,7 @@ svc_process(struct svc_rqst *rqstp)
 		goto err_short_len;
 
 	/* setup response xdr_buf.
-	 * Initially it has just one page 
+	 * Initially it has just one page
 	 */
 	rqstp->rq_resused = 1;
 	resv->iov_base = page_address(rqstp->rq_respages[0]);
@@ -811,7 +811,7 @@ svc_process(struct svc_rqst *rqstp)
 	memset(rqstp->rq_argp, 0, procp->pc_argsize);
 	memset(rqstp->rq_resp, 0, procp->pc_ressize);
 
-	/* un-reserve some of the out-queue now that we have a 
+	/* un-reserve some of the out-queue now that we have a
 	 * better idea of reply size
 	 */
 	if (procp->pc_xdrressize)
-- 
cgit v1.2.3