<div><div class="gmail_quote">On Tue, Jul 17, 2012 at 12:10 AM, Junxiao Bi <span dir="ltr">&lt;<a href="mailto:junxiao.bi@oracle.com" target="_blank">junxiao.bi@oracle.com</a>&gt;</span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
In the target node of the dlm lock migration, the logic to find<br>
the local dlm lock is wrong: it shouldn&#39;t change the loop variable<br>
&quot;lock&quot; in the list_for_each_entry loop. This will cause a NULL-pointer<br>
access crash.<br>
<br>
Signed-off-by: Junxiao Bi &lt;<a href="mailto:junxiao.bi@oracle.com">junxiao.bi@oracle.com</a>&gt;<br>
Cc: <a href="mailto:stable@vger.kernel.org">stable@vger.kernel.org</a><br>
---<br>
 fs/ocfs2/dlm/dlmrecovery.c |   12 +++++++-----<br>
 1 file changed, 7 insertions(+), 5 deletions(-)<br>
<br>
diff --git a/fs/ocfs2/dlm/dlmrecovery.c b/fs/ocfs2/dlm/dlmrecovery.c<br>
index 01ebfd0..0b9cc88 100644<br>
--- a/fs/ocfs2/dlm/dlmrecovery.c<br>
+++ b/fs/ocfs2/dlm/dlmrecovery.c<br>
@@ -1762,6 +1762,7 @@ static int dlm_process_recovery_data(struct dlm_ctxt *dlm,<br>
        u8 from = O2NM_MAX_NODES;<br>
        unsigned int added = 0;<br>
        __be64 c;<br>
+       int found;<br>
<br>
        mlog(0, &quot;running %d locks for this lockres\n&quot;, mres-&gt;num_locks);<br>
        for (i=0; i&lt;mres-&gt;num_locks; i++) {<br>
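</blockquote><div>Review bot: found is declared at function scope without an initialiser, but it is only assigned inside the MIGRATION ONLY branch in the next hunk. Declare it at the top of that block, or initialise it here (int found = 0;), so that a later use outside the branch cannot read an indeterminate value.</div><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">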
@@ -1793,22 +1794,23 @@ static int dlm_process_recovery_data(struct dlm_ctxt *dlm,<br>
                        /* MIGRATION ONLY! */<br>
                        BUG_ON(!(mres-&gt;flags &amp; DLM_MRES_MIGRATION));<br>
<br>
+                       found = 0;<br>
                        spin_lock(&amp;res-&gt;spinlock);<br>
                        for (j = DLM_GRANTED_LIST; j &lt;= DLM_BLOCKED_LIST; j++) {<br>
                                tmpq = dlm_list_idx_to_ptr(res, j);<br>
                                list_for_each_entry(lock, tmpq, list) {<br>
-                                       if (lock-&gt;ml.cookie != ml-&gt;cookie)<br>
-                                               lock = NULL;<br>
-                                       else<br>
+                                       if (lock-&gt;ml.cookie == ml-&gt;cookie) {<br>
+                                               found = 1;<br>
                                                break;<br>
+                                       }<br>
                                }<br>
-                               if (lock)<br>
+                               if (found)<br>
                                        break;<br>
                        }<br>
<br>
                        /* lock is always created locally first, and<br>
                         * destroyed locally last.  it must be on the list */<br>
-                       if (!lock) {<br>
+                       if (!found) {<br>
                                c = ml-&gt;cookie;<br>
                                mlog(ML_ERROR, &quot;Could not find local lock &quot;<br>
                                               &quot;with cookie %u:%llu, node %u, &quot;<br></blockquote><div><br></div><div><br></div><a href="https://oss.oracle.com/git/?p=smushran/linux-2.6.git;a=blobdiff;f=fs/ocfs2/dlm/dlmrecovery.c;h=c881be6043a8c27c26ee44d217fb8ecf1eb37e02;hp=01ebfd0bdad72264b99345378f0c6febe246503d;hb=13279667cc8bbaf901591dee96f762d4aab8b307;hpb=a5ae0116eb56ec7c128e84fe15646a5cb9a8cb47">https://oss.oracle.com/git/?p=smushran/linux-2.6.git;a=blobdiff;f=fs/ocfs2/dlm/dlmrecovery.c;h=c881be6043a8c27c26ee44d217fb8ecf1eb37e02;hp=01ebfd0bdad72264b99345378f0c6febe246503d;hb=13279667cc8bbaf901591dee96f762d4aab8b307;hpb=a5ae0116eb56ec7c128e84fe15646a5cb9a8cb47</a><div>
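Review bot: lock is still the list_for_each_entry cursor here, so when no cookie matches it leaves the loop pointing at the container of the list head instead of NULL, and only found tells the two cases apart. Every later use of lock has to stay behind the if (!found) check. Iterating with a separate cursor (list_for_each() plus list_entry(), or a second struct dlm_lock pointer) and assigning lock only on a match would keep lock either valid or NULL. The commit message could also say why the old code crashed: after lock = NULL the macro advances through lock-&gt;list.next.<br>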
<br></div><div>We had decided to go back to list_for_each().</div></div></div>
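One way to write the lookup with list_for_each() and a separate cursor, so that the result is either a real entry or NULL. This is an added example, not code from the patch or from ocfs2. The list helpers are simplified user-space stand-ins for the kernel's, and struct demo_lock, find_lock(), demo_lookup() and NUM_QUEUES are hypothetical names.

```c
#include <stddef.h>
#include <stdint.h>

/* Simplified user-space stand-ins for the kernel list helpers (assumption). */
struct list_head { struct list_head *next, *prev; };
#define list_entry(ptr, type, member) \
    ((type *)((char *)(ptr) - offsetof(type, member)))
#define list_for_each(pos, head) \
    for ((pos) = (head)->next; (pos) != (head); (pos) = (pos)->next)

static void list_init(struct list_head *h) { h->next = h->prev = h; }
static void list_add_tail(struct list_head *n, struct list_head *h)
{
    n->prev = h->prev; n->next = h;
    h->prev->next = n; h->prev = n;
}

/* Hypothetical cut-down lock record: only the cookie and the list linkage. */
struct demo_lock { uint64_t cookie; struct list_head list; };
#define NUM_QUEUES 3 /* stands in for the granted..blocked queues */

/* The cursor (iter) is never the result: the caller gets a matching entry
 * or NULL, never the bogus "container" of a list head. */
static struct demo_lock *find_lock(struct list_head *queues, uint64_t cookie)
{
    struct list_head *iter;
    int j;

    for (j = 0; j < NUM_QUEUES; j++) {
        list_for_each(iter, &queues[j]) {
            struct demo_lock *l = list_entry(iter, struct demo_lock, list);
            if (l->cookie == cookie)
                return l;
        }
    }
    return NULL;
}

/* Constructed sample: cookies 11 and 12 on queue 0, 21 on queue 2.
 * Returns 1, 2 or 3 for the entry found, 0 for "not found". */
static int demo_lookup(uint64_t cookie)
{
    struct list_head q[NUM_QUEUES];
    struct demo_lock a = { .cookie = 11 }, b = { .cookie = 12 }, c = { .cookie = 21 };
    struct demo_lock *hit;
    int j;

    for (j = 0; j < NUM_QUEUES; j++)
        list_init(&q[j]);
    list_add_tail(&a.list, &q[0]); list_add_tail(&b.list, &q[0]);
    list_add_tail(&c.list, &q[2]);
    hit = find_lock(q, cookie);
    return hit == &a ? 1 : hit == &b ? 2 : hit == &c ? 3 : 0;
}
```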