Linux kernel mirror (for testing) git.kernel.org/pub/scm/linux/kernel/git/torvalds/linux.git

NFSv4.1: protect destroying and nullifying bc_serv structure

When we are shutting down the client, we free the callback
server structure and then at a later point we free the
transport used by the client. Yet, it's possible that after
the callback server is freed, the transport receives a
backchannel request at which point we can dereference freed
memory. Instead, do the freeing of the bc server and nullifying
of bc_serv under the lock.

Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>

Authored by Olga Kornievskaia and committed by Trond Myklebust
9e9fdd0a 6f8b26c9

+1 -1
fs/nfs/callback.c
··· 270 270 if (cb_info->users == 0) { 271 271 svc_set_num_threads(serv, NULL, 0); 272 272 dprintk("nfs_callback_down: service destroyed\n"); 273 - svc_destroy(&cb_info->serv); 273 + xprt_svc_destroy_nullify_bc(xprt, &cb_info->serv); 274 274 } 275 275 mutex_unlock(&nfs_callback_mutex); 276 276 }
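Review bot: at the replaced `svc_destroy(&cb_info->serv)` line, the call to `xprt_svc_destroy_nullify_bc(xprt, &cb_info->serv)` now runs with `nfs_callback_mutex` held, while the commit message says the free and the nullifying of bc_serv happen "under the lock" without naming that lock. The helper's body is not part of this change to fs/nfs/callback.c, so please name the lock in the commit message and add a short comment at the call site stating that it is taken inside `nfs_callback_mutex`, which makes the lock ordering reviewable. The hunk also does not show whether `xprt` can be NULL on this path; if it can, add a check here or document that the helper tolerates it.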