From: NeilBrown <neilb@cse.unsw.edu.au>

We oops in list_for_each_entry(), because release_stateowner frees something
on the list we're traversing.

Signed-off-by: Andy Adamson <andros@citi.umich.edu>
Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
Signed-off-by: Neil Brown <neilb@cse.unsw.edu.au>
Signed-off-by: Andrew Morton <akpm@osdl.org>
---

 fs/nfsd/nfs4state.c |    7 ++++++-
 1 files changed, 6 insertions(+), 1 deletion(-)

diff -puN fs/nfsd/nfs4state.c~nfsd4-fix-release_lockowner fs/nfsd/nfs4state.c
--- 25/fs/nfsd/nfs4state.c~nfsd4-fix-release_lockowner	Wed Jul  6 13:08:23 2005
+++ 25-akpm/fs/nfsd/nfs4state.c	Wed Jul  6 13:08:23 2005
@@ -3084,7 +3084,12 @@ nfsd4_release_lockowner(struct svc_rqst 
 	 * of the lockowner state released; so don't release any until all
 	 * have been checked. */
 	status = nfs_ok;
-	list_for_each_entry(sop, &matches, so_perclient) {
+	while (!list_empty(&matches)) {
+		sop = list_entry(matches.next, struct nfs4_stateowner,
+								so_perclient);
+		/* unhash_stateowner deletes so_perclient only
+		 * for openowners. */
+		list_del(&sop->so_perclient);
 		release_stateowner(sop);
 	}
 out:
_