CyberLeo.Net >> Repos - FreeBSD/FreeBSD.git/commit
krpc: Acquire ref count of CLIENT for backchannel use
author: Rick Macklem <rmacklem@FreeBSD.org>, Fri, 11 Jun 2021 23:57:14 +0000 (16:57 -0700)
committer: Rick Macklem <rmacklem@FreeBSD.org>, Sat, 26 Jun 2021 23:03:41 +0000 (16:03 -0700)
commit: 841006678745a63f7c9f298f0a48cbbb1712f8a0
tree: 350b033f66968a058e0e2d18bba64c234f27c825
parent: 6c5dae287ee722036240bde5bc0b3a8d5a000836

Michael Dexter <editor@callfortesting.org> reported
a crash in FreeNAS, where the first argument to
clnt_bck_svccall() was no longer valid.
This argument is a pointer to the callback CLIENT
structure, which is free'd when the associated
NFSv4 ClientID is free'd.

This appears to have occurred because a callback
reply was still in the socket receive queue when
the CLIENT structure was free'd.

This patch acquires a reference count on the CLIENT
that is not CLNT_RELEASE()'d until the socket structure
is destroyed. This should guarantee that the CLIENT
structure is still valid when clnt_bck_svccall() is called.
It also adds a check for closed or closing to
clnt_bck_svccall() so that it will not process the callback
RPC reply message after the ClientID is free'd.

(cherry picked from commit e1a907a25cfa422c0d1acaf9f91352ada04f4bca)
sys/fs/nfsserver/nfs_nfsdstate.c
sys/rpc/clnt_bck.c
sys/rpc/svc.h
sys/rpc/svc_vc.c
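
The lifetime rule the commit message describes, as an added example that is not the FreeBSD code: the transport holds its own reference on the callback client until the transport is destroyed, and the reply path checks a closing flag before touching the client. All names here (struct client, struct xprt, bck_reply and the rest) are hypothetical, and the model is single-threaded, whereas the kernel relies on locking.

```c
#include <stdlib.h>

/* Hypothetical stand-ins, not the FreeBSD krpc structures.
 * Single-threaded model: a kernel does this under locks. */
struct client {
    int refs;     /* reference count */
    int closing;  /* set once the owning ClientID is being freed */
    int replies;  /* callback replies actually processed */
};
struct xprt {             /* models the socket transport */
    struct client *bck;   /* backchannel client; the transport owns one ref */
    int queued;           /* replies still in the receive queue */
};
static int clients_freed; /* destruction counter, so the free is observable */

struct client *client_create(void) {
    struct client *cl = calloc(1, sizeof(*cl));
    if (cl != NULL)
        cl->refs = 1;     /* the owner's (ClientID's) reference */
    return cl;
}
void client_release(struct client *cl) {
    if (--cl->refs == 0) {
        free(cl);
        clients_freed++;
    }
}
/* The transport takes its own reference when it is given the client. */
void xprt_set_backchannel(struct xprt *xp, struct client *cl) {
    cl->refs++;
    xp->bck = cl;
}
/* Owner teardown: mark closing first, then drop only the owner's reference. */
void clientid_free(struct client *cl) {
    cl->closing = 1;
    client_release(cl);
}
/* Receive upcall: returns 1 if a reply was processed, 0 if none or dropped. */
int bck_reply(struct xprt *xp) {
    if (xp->queued == 0)
        return 0;
    xp->queued--;
    if (xp->bck == NULL || xp->bck->closing)
        return 0;         /* late reply: memory is valid, but do not process it */
    xp->bck->replies++;
    return 1;
}
/* Only transport destruction drops the transport's reference. */
void xprt_destroy(struct xprt *xp) {
    if (xp->bck != NULL)
        client_release(xp->bck);
    xp->bck = NULL;
}
```

Without the extra reference taken in xprt_set_backchannel(), clientid_free() would free the client while a reply is still queued, which is the crash condition the commit message reports.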