e1a907a25c
Michael Dexter <editor@callfortesting.org> reported a crash in FreeNAS, where the first argument to clnt_bck_svccall() was no longer valid. This argument is a pointer to the callback CLIENT structure, which is free'd when the associated NFSv4 ClientID is free'd. This appears to have occurred because a callback reply was still in the socket receive queue when the CLIENT structure was free'd.

This patch acquires a reference count on the CLIENT that is not CLNT_RELEASE()'d until the socket structure is destroyed. This should guarantee that the CLIENT structure is still valid when clnt_bck_svccall() is called. It also adds a check for closed or closing to clnt_bck_svccall() so that it will not process the callback RPC reply message after the ClientID is free'd.

Comments by: mav
MFC after: 2 weeks
Differential Revision: https://reviews.freebsd.org/D30153

nfs_fha_new.c
nfs_fha_new.h
nfs_nfsdcache.c
nfs_nfsdkrpc.c
nfs_nfsdport.c
nfs_nfsdserv.c
nfs_nfsdsocket.c
nfs_nfsdstate.c
nfs_nfsdsubs.c