nfsd4: fix use-after-free of 4.1 client on connection loss

Once we drop the lock here there's nothing keeping the client around: the only lock still held is the xpt_lock on this socket, but this socket no longer has any connection with the client so there's no way for other code to know we're still using the client. The solution is simple: all nfsd4_probe_callback does is set a few variables and queue some work, so there's no reason we can't just keep it under the lock. Signed-off-by: J. Bruce Fields <bfields@redhat.com>
git-mirror · Apr 3, 2013 · 2e4b723 · 2e4b723
1 parent b0a9d3a
commit 2e4b723
Showing 1 changed file with 1 addition and 1 deletion.
diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
@@ -761,8 +761,8 @@ static void nfsd4_conn_lost(struct svc_xpt_user *u)
 		list_del(&c->cn_persession);
 		free_conn(c);
 	}
-	spin_unlock(&clp->cl_lock);
 	nfsd4_probe_callback(clp);
+	spin_unlock(&clp->cl_lock);
 }
 
 static struct nfsd4_conn *alloc_conn(struct svc_rqst *rqstp, u32 flags)