git: e1a907a25cfa - main - krpc: Acquire ref count of CLIENT for backchannel use

Fri, 11 Jun 2021 17:01:44 -0700 

The branch main has been updated by rmacklem:

URL: 
https://cgit.FreeBSD.org/src/commit/?id=e1a907a25cfa422c0d1acaf9f91352ada04f4bca

commit e1a907a25cfa422c0d1acaf9f91352ada04f4bca
Author:     Rick Macklem <rmack...@freebsd.org>
AuthorDate: 2021-06-11 23:57:14 +0000
Commit:     Rick Macklem <rmack...@freebsd.org>
CommitDate: 2021-06-11 23:57:14 +0000

    krpc: Acquire ref count of CLIENT for backchannel use
    
    Michael Dexter <edi...@callfortesting.org> reported
    a crash in FreeNAS, where the first argument to
    clnt_bck_svccall() was no longer valid.
    This argument is a pointer to the callback CLIENT
    structure, which is free'd when the associated
    NFSv4 ClientID is free'd.
    
    This appears to have occurred because a callback
    reply was still in the socket receive queue when
    the CLIENT structure was free'd.
    
    This patch acquires a reference count on the CLIENT
    that is not CLNT_RELEASE()'d until the socket structure
    is destroyed. This should guarantee that the CLIENT
    structure is still valid when clnt_bck_svccall() is called.
    It also adds a check for closed or closing to
    clnt_bck_svccall() so that it will not process the callback
    RPC reply message after the ClientID is free'd.
    
    Comments by:    mav
    MFC after:      2 weeks
    Differential Revision:  https://reviews.freebsd.org/D30153
---
 sys/fs/nfsserver/nfs_nfsdstate.c |  8 ++++----
 sys/rpc/clnt_bck.c               | 13 ++++++++++++-
 sys/rpc/svc.h                    |  5 +++++
 sys/rpc/svc_vc.c                 |  4 ++++
 4 files changed, 25 insertions(+), 5 deletions(-)

diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c
index c16d5b8afdc8..98f5e26d49bb 100644
--- a/sys/fs/nfsserver/nfs_nfsdstate.c
+++ b/sys/fs/nfsserver/nfs_nfsdstate.c
@@ -721,8 +721,8 @@ nfsrv_getclient(nfsquad_t clientid, int opflags, struct 
nfsclient **clpp,
                                    cbprogram, NFSV4_CBVERS);
                            if (clp->lc_req.nr_client != NULL) {
                                SVC_ACQUIRE(nd->nd_xprt);
-                               nd->nd_xprt->xp_p2 =
-                                   clp->lc_req.nr_client->cl_private;
+                               CLNT_ACQUIRE(clp->lc_req.nr_client);
+                               nd->nd_xprt->xp_p2 = clp->lc_req.nr_client;
                                /* Disable idle timeout. */
                                nd->nd_xprt->xp_idletimeout = 0;
                                nsep->sess_cbsess.nfsess_xprt = nd->nd_xprt;
@@ -6464,8 +6464,8 @@ nfsrv_bindconnsess(struct nfsrv_descript *nd, uint8_t 
*sessionid, int *foreaftp)
                                    "backchannel\n");
                                savxprt = sep->sess_cbsess.nfsess_xprt;
                                SVC_ACQUIRE(nd->nd_xprt);
-                               nd->nd_xprt->xp_p2 =
-                                   clp->lc_req.nr_client->cl_private;
+                               CLNT_ACQUIRE(clp->lc_req.nr_client);
+                               nd->nd_xprt->xp_p2 = clp->lc_req.nr_client;
                                /* Disable idle timeout. */
                                nd->nd_xprt->xp_idletimeout = 0;
                                sep->sess_cbsess.nfsess_xprt = nd->nd_xprt;
diff --git a/sys/rpc/clnt_bck.c b/sys/rpc/clnt_bck.c
index 29109720bce0..2414171bad37 100644
--- a/sys/rpc/clnt_bck.c
+++ b/sys/rpc/clnt_bck.c
@@ -566,15 +566,26 @@ clnt_bck_destroy(CLIENT *cl)
 /*
  * This call is done by the svc code when a backchannel RPC reply is
  * received.
+ * For the server end, where callback RPCs to the client are performed,
+ * xp_p2 points to the "CLIENT" and not the associated "struct ct_data"
+ * so that svc_vc_destroy() can CLNT_RELEASE() the reference count on it.
  */
 void
 clnt_bck_svccall(void *arg, struct mbuf *mrep, uint32_t xid)
 {
-       struct ct_data *ct = (struct ct_data *)arg;
+       CLIENT *cl = (CLIENT *)arg;
+       struct ct_data *ct;
        struct ct_request *cr;
        int foundreq;
 
+       ct = (struct ct_data *)cl->cl_private;
        mtx_lock(&ct->ct_lock);
+       if (ct->ct_closing || ct->ct_closed) {
+               mtx_unlock(&ct->ct_lock);
+               m_freem(mrep);
+               return;
+       }
+
        ct->ct_upcallrefs++;
        /*
         * See if we can match this reply to a request.
diff --git a/sys/rpc/svc.h b/sys/rpc/svc.h
index dae654d4b08c..8a94d7058972 100644
--- a/sys/rpc/svc.h
+++ b/sys/rpc/svc.h
@@ -148,6 +148,11 @@ struct __rpc_svcthread;
  * reference count which tracks the number of currently assigned
  * worker threads plus one for the service pool's reference.
  * For NFSv4.1 sessions, a reference is also held for a backchannel.
+ * xp_p2 - Points to the CLIENT structure for the RPC server end
+ *         (the client end for callbacks).
+ *         Points to the private structure (cl_private) for the
+ *         CLIENT structure for the RPC client end (the server
+ *         end for callbacks).
  */
 typedef struct __rpc_svcxprt {
 #ifdef _KERNEL
diff --git a/sys/rpc/svc_vc.c b/sys/rpc/svc_vc.c
index 6cff3434364d..de1baa1417b1 100644
--- a/sys/rpc/svc_vc.c
+++ b/sys/rpc/svc_vc.c
@@ -500,6 +500,7 @@ static void
 svc_vc_destroy(SVCXPRT *xprt)
 {
        struct cf_conn *cd = (struct cf_conn *)xprt->xp_p1;
+       CLIENT *cl = (CLIENT *)xprt->xp_p2;
 
        SOCKBUF_LOCK(&xprt->xp_socket->so_rcv);
        if (xprt->xp_upcallset) {
@@ -509,6 +510,9 @@ svc_vc_destroy(SVCXPRT *xprt)
        }
        SOCKBUF_UNLOCK(&xprt->xp_socket->so_rcv);
 
+       if (cl != NULL)
+               CLNT_RELEASE(cl);
+
        svc_vc_destroy_common(xprt);
 
        if (cd->mreq)
_______________________________________________
dev-commits-src-main@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/dev-commits-src-main
To unsubscribe, send any mail to "dev-commits-src-main-unsubscr...@freebsd.org"

Reply via email to