CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
krpc: Acquire ref count of CLIENT for backchannel use
author Rick Macklem <rmacklem@FreeBSD.org>
Fri, 11 Jun 2021 23:57:14 +0000 (16:57 -0700)
committer Rick Macklem <rmacklem@FreeBSD.org>
Sat, 26 Jun 2021 23:36:37 +0000 (16:36 -0700)
commit 6ae32cc8182f4a48f0606f4b561a98010e1946b8
tree aec9199c75641eef691fa98434fd4cf2a1b9dc76
parent 88878ea4e410d8ad8e5394cc83a019da29db8d79
krpc: Acquire ref count of CLIENT for backchannel use

Michael Dexter <editor@callfortesting.org> reported
a crash in FreeNAS, where the first argument to
clnt_bck_svccall() was no longer valid.
This argument is a pointer to the callback CLIENT
structure, which is free'd when the associated
NFSv4 ClientID is free'd.

This appears to have occurred because a callback
reply was still in the socket receive queue when
the CLIENT structure was free'd.

This patch acquires a reference count on the CLIENT
that is not CLNT_RELEASE()'d until the socket structure
is destroyed. This should guarantee that the CLIENT
structure is still valid when clnt_bck_svccall() is called.
It also adds a check for closed or closing to
clnt_bck_svccall() so that it will not process the callback
RPC reply message after the ClientID is free'd.

(cherry picked from commit e1a907a25cfa422c0d1acaf9f91352ada04f4bca)
sys/fs/nfsserver/nfs_nfsdstate.c
sys/rpc/clnt_bck.c
sys/rpc/svc.h
sys/rpc/svc_vc.c
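
The lifetime rule the commit message describes, as an added user-space model that is not code from this commit or from FreeBSD: the transport holds its own reference on the client until the transport is destroyed, and the reply path refuses work once the client is marked closed. All type and function names here (`struct client`, `struct xprt`, `xprt_attach`, `bck_reply`, and so on) are hypothetical stand-ins.

```c
#include <stdbool.h>
#include <stdlib.h>

/* Hypothetical stand-ins for the krpc CLIENT and the socket transport.
 * Single-threaded model; kernel code would use atomic or locked counters. */
struct client { int refs; bool closed; int replies_handled; };
struct xprt { struct client *bck_client; };
static int clients_freed; /* instrumentation for this example only */

static struct client *client_create(void) {
    struct client *cl = calloc(1, sizeof(*cl));
    if (cl != NULL) cl->refs = 1; /* reference owned by the ClientID */
    return cl;
}
static void client_release(struct client *cl) {
    if (--cl->refs == 0) { free(cl); clients_freed++; }
}
/* The transport takes its own reference, held until xprt_destroy(). */
static void xprt_attach(struct xprt *xp, struct client *cl) {
    cl->refs++;
    xp->bck_client = cl;
}
/* ClientID teardown: mark closed, drop only the ClientID's reference. */
static void clientid_free(struct client *cl) {
    cl->closed = true;
    client_release(cl);
}
/* Reply upcall: refuses to process once the client is closed. */
static bool bck_reply(struct xprt *xp) {
    struct client *cl = xp->bck_client;
    if (cl == NULL || cl->closed) return false;
    cl->replies_handled++;
    return true;
}
static void xprt_destroy(struct xprt *xp) {
    if (xp->bck_client != NULL) client_release(xp->bck_client);
    xp->bck_client = NULL;
}
/* A reply is still queued when the ClientID is freed; exit 0 if handled safely. */
int main(void) {
    struct xprt xp = { NULL };
    struct client *cl = client_create();
    if (cl == NULL) return 2;
    xprt_attach(&xp, cl);
    clientid_free(cl);              /* cl stays allocated, refs == 1 */
    bool handled = bck_reply(&xp);  /* late reply is refused */
    xprt_destroy(&xp);              /* last reference dropped here */
    return (handled || clients_freed != 1) ? 1 : 0;
}
```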