Commit 9e9fdd0a authored by Olga Kornievskaia, committed by Trond Myklebust

NFSv4.1: protect destroying and nullifying bc_serv structure



When we are shutting down the client, we free the callback
server structure and then at a later point we free the
transport used by the client. Yet, it's possible that after
the callback server is freed, the transport receives a
backchannel request at which point we can dereference freed
memory. Instead, do the freeing of the bc server and nullifying
of bc_serv under the lock.

Signed-off-by: Olga Kornievskaia <okorniev@redhat.com>
Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
parent 6f8b26c9
+1 −1
@@ -270,7 +270,7 @@ void nfs_callback_down(int minorversion, struct net *net, struct rpc_xprt *xprt)
	if (cb_info->users == 0) {
		svc_set_num_threads(serv, NULL, 0);
		dprintk("nfs_callback_down: service destroyed\n");
		svc_destroy(&cb_info->serv);
		xprt_svc_destroy_nullify_bc(xprt, &cb_info->serv);
	}
	mutex_unlock(&nfs_callback_mutex);
}
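
Review bot: the call `xprt_svc_destroy_nullify_bc(xprt, &cb_info->serv)` in the `cb_info->users == 0` branch does not say which lock it depends on. The commit message states that the free and the clearing of bc_serv happen "under the lock", but the only lock visible in this hunk is `nfs_callback_mutex`, and nothing here shows that the transport's backchannel receive path takes it. Please name the lock in a comment at this call site or in the helper's kernel-doc, and confirm that the receive path reads bc_serv under that same lock and handles a NULL value. Without that, a reader cannot tell from this call whether the use-after-free window described in the message is closed or only narrowed.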