SUNRPC: Fix a bug in call_decode()
author Trond Myklebust <Trond.Myklebust@netapp.com>
Sat, 19 Apr 2008 17:15:47 +0000 (13:15 -0400)
committer Trond Myklebust <Trond.Myklebust@netapp.com>
Sat, 19 Apr 2008 20:52:33 +0000 (16:52 -0400)
call_verify() can, under certain circumstances, free the RPC slot. In that
case, our cached pointer 'req = task->tk_rqstp' is invalid. Bug was
introduced in commit 220bcc2afd7011b3e0569fc178331fa983c92c1b (SUNRPC:
Don't call xprt_release in call refresh).

Signed-off-by: Trond Myklebust <Trond.Myklebust@netapp.com>
net/sunrpc/clnt.c

index ea14314..522b068 100644
@@ -1240,10 +1240,13 @@ call_decode(struct rpc_task *task)
                        task->tk_status);
        return;
 out_retry:
-       req->rq_received = req->rq_private_buf.len = 0;
        task->tk_status = 0;
-       if (task->tk_client->cl_discrtry)
-               xprt_force_disconnect(task->tk_xprt);
+       /* Note: call_verify() may have freed the RPC slot */
+       if (task->tk_rqstp == req) {
+               req->rq_received = req->rq_private_buf.len = 0;
+               if (task->tk_client->cl_discrtry)
+                       xprt_force_disconnect(task->tk_xprt);
+       }
 }
 
 /*
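Review bot: the guard `if (task->tk_rqstp == req)` at out_retry only detects a freed slot if releasing it in call_verify() also clears (or replaces) task->tk_rqstp, and nothing in the hunk or the comment says so; the comment "call_verify() may have freed the RPC slot" should spell out what the comparison relies on, e.g. "call_verify() may have freed the RPC slot, in which case task->tk_rqstp no longer points at req". It should also make explicit that `req` is a possibly dangling pointer after call_verify() and must only be compared, never dereferenced, outside the guarded block. Keeping `task->tk_status = 0;` above the guard is correct, since it touches only the task and not the slot.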