| commit | d33df46a67e8da799a4323092d4f626b4522b1ac | |
| author | Matthew Dillon <dillon@apollo.backplane.com> | |
| Sun, 29 Jun 2014 18:08:05 +0000 (29 11:08 -0700) | ||
| committer | Matthew Dillon <dillon@apollo.backplane.com> | |
| Sun, 29 Jun 2014 18:08:05 +0000 (29 11:08 -0700) | ||
| tree | 57d7566295a30aa94b998d1946c6264f09e2f440 | treesnapshot (tar.gz zip) |
| parent | 56e2aaa4d1de560d06f713866ab834747982f839 | commitdiff |
kernel - Fix nfs server-side shutdown race
* Fix issues where slp->ns_so is being accessed during or after the socket
has been zapped. The zap code actually closes the fp and destroys the
socket so this race results in a use-after-free and can cause a panic
on the NFS server.
* Zapping now shuts the socket down but does not close/destroy it. The
socket will be destroyed when the last ref on slp (aka nfssvc_sock)
is dropped.
* Re-check SLP_VALID in a few more places after potentially blocking.
Other situations that might block are handled by the change in the
zap code.
* Fix issues where slp->ns_so is being accessed during or after the socket
has been zapped. The zap code actually closes the fp and destroys the
socket so this race results in a use-after-free and can cause a panic
on the NFS server.
* Zapping now shuts the socket down but does not close/destroy it. The
socket will be destroyed when the last ref on slp (aka nfssvc_sock)
is dropped.
* Re-check SLP_VALID in a few more places after potentially blocking.
Other situations that might block are handled by the change in the
zap code.
| sys/vfs/nfs/nfs_syscalls.c | diffblobblamehistory |