Patchwork [3.5.y.z,extended,stable] Patch "NFS: avoid NULL dereference in nfs_destroy_server" has been added to staging queue

Submitter Herton Ronaldo Krzesinski
Date Jan. 7, 2013, 8:38 p.m.
Permalink /patch/210221/
State New


Herton Ronaldo Krzesinski - Jan. 7, 2013, 8:38 p.m.
This is a note to let you know that I have just added a patch titled

    NFS: avoid NULL dereference in nfs_destroy_server

to the linux-3.5.y-queue branch of the 3.5.y.z extended stable tree 
which can be found at:;a=shortlog;h=refs/heads/linux-3.5.y-queue

If you, or anyone else, feels it should not be added to this tree, please 
reply to this email.

For more information about the 3.5.y.z tree, see



From 3cd610a5f45330272e6f0972bab7111367b42dc1 Mon Sep 17 00:00:00 2001
From: NeilBrown <>
Date: Thu, 13 Dec 2012 15:14:36 +1100
Subject: [PATCH] NFS: avoid NULL dereference in nfs_destroy_server

commit f259613a1e4b44a0cf85a5dafd931be96ee7c9e5 upstream.

In rare circumstances, nfs_clone_server() of a v2 or v3 server can get
an error between setting server->destroy (to nfs_destroy_server), and
calling nfs_start_lockd (which will set server->nlm_host).

If this happens, nfs_clone_server will call nfs_free_server which
will call nfs_destroy_server and thence nlmclnt_done(NULL).  This
causes the NULL to be dereferenced.

So add a guard to only call nlmclnt_done() if ->nlm_host is not NULL.

The other guards there are irrelevant as nlm_host can only be non-NULL
if one of these flags is set - so remove those tests.  (Thanks to Trond
for this suggestion).

This is suitable for any stable kernel since 2.6.25.

Signed-off-by: NeilBrown <>
Signed-off-by: Trond Myklebust <>
Signed-off-by: Herton Ronaldo Krzesinski <>
 fs/nfs/client.c |    3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)



diff --git a/fs/nfs/client.c b/fs/nfs/client.c
index f005b5b..ede78be 100644
--- a/fs/nfs/client.c
+++ b/fs/nfs/client.c
@@ -689,8 +689,7 @@  static int nfs_create_rpc_client(struct nfs_client *clp,
 static void nfs_destroy_server(struct nfs_server *server)
-	if (!(server->flags & NFS_MOUNT_LOCAL_FLOCK) ||
-			!(server->flags & NFS_MOUNT_LOCAL_FCNTL))
+	if (server->nlm_host)
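
Review bot: The new `if (server->nlm_host)` test in nfs_destroy_server() rests on two invariants that the code itself does not state: that ->nlm_host stays NULL until nfs_start_lockd() assigns it, and that it is only assigned in cases the removed NFS_MOUNT_LOCAL_FLOCK / NFS_MOUNT_LOCAL_FCNTL test would also have let through. The commit message explains both, but a short comment above the test, noting that destroy can run on the nfs_clone_server() error path before lockd was started, would keep someone from re-adding the flag checks later. For each stable branch this is queued to, it is also worth confirming that the nfs_server structure is zero-initialised at allocation, since the guard is only as reliable as that initial NULL.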