From owner-dev-commits-src-main@freebsd.org Sat Jun 12 00:01:34 2021 Return-Path: Delivered-To: dev-commits-src-main@mailman.nyi.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.nyi.freebsd.org (Postfix) with ESMTP id 91F41666C79; Sat, 12 Jun 2021 00:01:34 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256 client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "R3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 4G1yYV3dyjz4vnJ; Sat, 12 Jun 2021 00:01:34 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org (gitrepo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:5]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id 642372C398; Sat, 12 Jun 2021 00:01:34 +0000 (UTC) (envelope-from git@FreeBSD.org) Received: from gitrepo.freebsd.org ([127.0.1.44]) by gitrepo.freebsd.org (8.16.1/8.16.1) with ESMTP id 15C01YGT007208; Sat, 12 Jun 2021 00:01:34 GMT (envelope-from git@gitrepo.freebsd.org) Received: (from git@localhost) by gitrepo.freebsd.org (8.16.1/8.16.1/Submit) id 15C01Yb6007207; Sat, 12 Jun 2021 00:01:34 GMT (envelope-from git) Date: Sat, 12 Jun 2021 00:01:34 GMT Message-Id: <202106120001.15C01Yb6007207@gitrepo.freebsd.org> To: src-committers@FreeBSD.org, dev-commits-src-all@FreeBSD.org, dev-commits-src-main@FreeBSD.org From: Rick Macklem Subject: git: e1a907a25cfa - main - krpc: Acquire ref count of CLIENT for backchannel use MIME-Version: 1.0 Content-Type: text/plain; charset=utf-8 Content-Transfer-Encoding: 8bit X-Git-Committer: rmacklem X-Git-Repository: src X-Git-Refname: refs/heads/main X-Git-Reftype: branch X-Git-Commit: e1a907a25cfa422c0d1acaf9f91352ada04f4bca Auto-Submitted: auto-generated X-BeenThere: dev-commits-src-main@freebsd.org X-Mailman-Version: 2.1.34 Precedence: list List-Id: Commit messages for the main branch of the src repository List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 12 Jun 2021 00:01:34 -0000 The branch main has been updated by rmacklem: URL: https://cgit.FreeBSD.org/src/commit/?id=e1a907a25cfa422c0d1acaf9f91352ada04f4bca commit e1a907a25cfa422c0d1acaf9f91352ada04f4bca Author: Rick Macklem AuthorDate: 2021-06-11 23:57:14 +0000 Commit: Rick Macklem CommitDate: 2021-06-11 23:57:14 +0000 krpc: Acquire ref count of CLIENT for backchannel use Michael Dexter reported a crash in FreeNAS, where the first argument to clnt_bck_svccall() was no longer valid. This argument is a pointer to the callback CLIENT structure, which is free'd when the associated NFSv4 ClientID is free'd. This appears to have occurred because a callback reply was still in the socket receive queue when the CLIENT structure was free'd. This patch acquires a reference count on the CLIENT that is not CLNT_RELEASE()'d until the socket structure is destroyed. This should guarantee that the CLIENT structure is still valid when clnt_bck_svccall() is called. It also adds a check for closed or closing to clnt_bck_svccall() so that it will not process the callback RPC reply message after the ClientID is free'd. Comments by: mav MFC after: 2 weeks Differential Revision: https://reviews.freebsd.org/D30153 --- sys/fs/nfsserver/nfs_nfsdstate.c | 8 ++++---- sys/rpc/clnt_bck.c | 13 ++++++++++++- sys/rpc/svc.h | 5 +++++ sys/rpc/svc_vc.c | 4 ++++ 4 files changed, 25 insertions(+), 5 deletions(-) diff --git a/sys/fs/nfsserver/nfs_nfsdstate.c b/sys/fs/nfsserver/nfs_nfsdstate.c index c16d5b8afdc8..98f5e26d49bb 100644 --- a/sys/fs/nfsserver/nfs_nfsdstate.c +++ b/sys/fs/nfsserver/nfs_nfsdstate.c @@ -721,8 +721,8 @@ nfsrv_getclient(nfsquad_t clientid, int opflags, struct nfsclient **clpp, cbprogram, NFSV4_CBVERS); if (clp->lc_req.nr_client != NULL) { SVC_ACQUIRE(nd->nd_xprt); - nd->nd_xprt->xp_p2 = - clp->lc_req.nr_client->cl_private; + CLNT_ACQUIRE(clp->lc_req.nr_client); + nd->nd_xprt->xp_p2 = clp->lc_req.nr_client; /* Disable idle timeout. */ nd->nd_xprt->xp_idletimeout = 0; nsep->sess_cbsess.nfsess_xprt = nd->nd_xprt; @@ -6464,8 +6464,8 @@ nfsrv_bindconnsess(struct nfsrv_descript *nd, uint8_t *sessionid, int *foreaftp) "backchannel\n"); savxprt = sep->sess_cbsess.nfsess_xprt; SVC_ACQUIRE(nd->nd_xprt); - nd->nd_xprt->xp_p2 = - clp->lc_req.nr_client->cl_private; + CLNT_ACQUIRE(clp->lc_req.nr_client); + nd->nd_xprt->xp_p2 = clp->lc_req.nr_client; /* Disable idle timeout. */ nd->nd_xprt->xp_idletimeout = 0; sep->sess_cbsess.nfsess_xprt = nd->nd_xprt; diff --git a/sys/rpc/clnt_bck.c b/sys/rpc/clnt_bck.c index 29109720bce0..2414171bad37 100644 --- a/sys/rpc/clnt_bck.c +++ b/sys/rpc/clnt_bck.c @@ -566,15 +566,26 @@ clnt_bck_destroy(CLIENT *cl) /* * This call is done by the svc code when a backchannel RPC reply is * received. + * For the server end, where callback RPCs to the client are performed, + * xp_p2 points to the "CLIENT" and not the associated "struct ct_data" + * so that svc_vc_destroy() can CLNT_RELEASE() the reference count on it. */ void clnt_bck_svccall(void *arg, struct mbuf *mrep, uint32_t xid) { - struct ct_data *ct = (struct ct_data *)arg; + CLIENT *cl = (CLIENT *)arg; + struct ct_data *ct; struct ct_request *cr; int foundreq; + ct = (struct ct_data *)cl->cl_private; mtx_lock(&ct->ct_lock); + if (ct->ct_closing || ct->ct_closed) { + mtx_unlock(&ct->ct_lock); + m_freem(mrep); + return; + } + ct->ct_upcallrefs++; /* * See if we can match this reply to a request. diff --git a/sys/rpc/svc.h b/sys/rpc/svc.h index dae654d4b08c..8a94d7058972 100644 --- a/sys/rpc/svc.h +++ b/sys/rpc/svc.h @@ -148,6 +148,11 @@ struct __rpc_svcthread; * reference count which tracks the number of currently assigned * worker threads plus one for the service pool's reference. * For NFSv4.1 sessions, a reference is also held for a backchannel. + * xp_p2 - Points to the CLIENT structure for the RPC server end + * (the client end for callbacks). + * Points to the private structure (cl_private) for the + * CLIENT structure for the RPC client end (the server + * end for callbacks). */ typedef struct __rpc_svcxprt { #ifdef _KERNEL diff --git a/sys/rpc/svc_vc.c b/sys/rpc/svc_vc.c index 6cff3434364d..de1baa1417b1 100644 --- a/sys/rpc/svc_vc.c +++ b/sys/rpc/svc_vc.c @@ -500,6 +500,7 @@ static void svc_vc_destroy(SVCXPRT *xprt) { struct cf_conn *cd = (struct cf_conn *)xprt->xp_p1; + CLIENT *cl = (CLIENT *)xprt->xp_p2; SOCKBUF_LOCK(&xprt->xp_socket->so_rcv); if (xprt->xp_upcallset) { @@ -509,6 +510,9 @@ svc_vc_destroy(SVCXPRT *xprt) } SOCKBUF_UNLOCK(&xprt->xp_socket->so_rcv); + if (cl != NULL) + CLNT_RELEASE(cl); + svc_vc_destroy_common(xprt); if (cd->mreq)