Fix a crash during unmount of an NFSv4.1 mount.

Larry Rosenman reported a crash on freebsd-current@ which was caused by a premature release of the krpc backchannel socket structure. I believe this was caused by a race between the SVC_RELEASE() in clnt_vc.c and the xprt_unregister() in the higher layer (clnt_rc.c), which tried to lock the mutex in the xprt structure and crashed. This patch fixes this by removing the xprt_unregister() in the clnt_vc layer and allowing this to always be done by the clnt_rc (higher reconnect layer). Reported by: ler@lerctr.org Tested by: ler@letctr.org MFC after: 2 weeks
2017-04-10 22:47:18 +00:00 · 2017-04-10 22:47:18 +00:00 · 34f1fddb1e
commit 34f1fddb1e
parent fb55679151
2 changed files with 1 additions and 6 deletions
--- a/sys/rpc/clnt_rc.c
+++ b/sys/rpc/clnt_rc.c
@ -450,7 +450,6 @@ clnt_reconnect_control(CLIENT *cl, u_int request, void *info)

 	case CLSET_BACKCHANNEL:
 		xprt = (SVCXPRT *)info;
-		SVC_ACQUIRE(xprt);
 		xprt_register(xprt);
 		rc->rc_backchannel = info;
 		break;
--- a/sys/rpc/clnt_vc.c
+++ b/sys/rpc/clnt_vc.c
@ -790,7 +790,7 @@ clnt_vc_destroy(CLIENT *cl)
 		sx_xlock(&xprt->xp_lock);
 		mtx_lock(&ct->ct_lock);
 		xprt->xp_p2 = NULL;
-		xprt_unregister(xprt);
+		sx_xunlock(&xprt->xp_lock);
 	}

 	if (ct->ct_socket) {
@ -800,10 +800,6 @@ clnt_vc_destroy(CLIENT *cl)
 	}

 	mtx_unlock(&ct->ct_lock);
-	if (xprt != NULL) {
-		sx_xunlock(&xprt->xp_lock);
-		SVC_RELEASE(xprt);
-	}

 	mtx_destroy(&ct->ct_lock);
 	if (so) {