From: J. Bruce Fields <bfields@citi.umich.edu>
Date: Tue, 1 Jun 2010 15:21:40 +0000 (-0400)
Subject: nfsd4: fix delegation recall race use-after-free
X-Git-Tag: firefly_0821_release~9833^2~601^2~30
X-Git-Url: http://demsky.eecs.uci.edu/git/?a=commitdiff_plain;h=cba9ba4b902270c22f8b9c5149a284216b633fc1;p=firefly-linux-kernel-4.4.55.git

nfsd4: fix delegation recall race use-after-free

When the rarely-used callback-connection-changing setclientid occurs
simultaneously with a delegation recall, we rerun the recall by
requeueing it on a workqueue.  But we also need to take a reference on
the delegation in that case, since the delegation held by the rpc itself
will be released by the rpc_release callback.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
---

diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index a4686326b5ae..1e6497ed3e12 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -689,6 +689,7 @@ static void nfsd4_cb_recall_done(struct rpc_task *task, void *calldata)
 		warn_no_callback_path(clp, task->tk_status);
 		if (current_rpc_client != task->tk_client) {
 			/* queue a callback on the new connection: */
+			atomic_inc(&dp->dl_count);
 			nfsd4_cb_recall(dp);
 			return;
 		}