nfsd: validate the nfsd_serv pointer before calling svc_wake_up

nfsd_file_dispose_list_delayed can be called from the filecache
laundrette, which is shut down after the nfsd threads are shut down and
the nfsd_serv pointer is cleared. If nn->nfsd_serv is NULL then there
are no threads to wake.

Ensure that the nn->nfsd_serv pointer is non-NULL before calling
svc_wake_up in nfsd_file_dispose_list_delayed. This is safe since the
svc_serv is not freed until after the filecache laundrette is cancelled.

Reported-by: Salvatore Bonaccorso <carnil@debian.org>
Closes: https://bugs.debian.org/1093734
Fixes: ffb402596147 ("nfsd: Don't leave work of closing files to a work queue")
Cc: stable@vger.kernel.org
Signed-off-by: Jeff Layton <jlayton@kernel.org>
Reviewed-by: NeilBrown <neilb@suse.de>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

diff --git a/fs/nfsd/filecache.c b/fs/nfsd/filecache.c
index a1cdba42c4fad4f127ab13b2eb82640349d93fe4..78f4b5573b909f5ccddb9b1ae36fcffe35a9ac53 100644 (file)
--- a/fs/nfsd/filecache.c
+++ b/fs/nfsd/filecache.c
@@ -445,11 +445,20 @@ nfsd_file_dispose_list_delayed(struct list_head *dispose)
                                                struct nfsd_file, nf_gc);
                struct nfsd_net *nn = net_generic(nf->nf_net, nfsd_net_id);
                struct nfsd_fcache_disposal *l = nn->fcache_disposal;
+               struct svc_serv *serv;
 
                spin_lock(&l->lock);
                list_move_tail(&nf->nf_gc, &l->freeme);
                spin_unlock(&l->lock);
-               svc_wake_up(nn->nfsd_serv);
+
+               /*
+                * The filecache laundrette is shut down after the
+                * nn->nfsd_serv pointer is cleared, but before the
+                * svc_serv is freed.
+                */
+               serv = nn->nfsd_serv;
+               if (serv)
+                       svc_wake_up(serv);
        }
 }