nfsd4: fix delegation recall race use-after-free

When the rarely-used callback-connection-changing setclientid occurs simultaneously with a delegation recall, we rerun the recall by requeueing it on a workqueue. But we also need to take a reference on the delegation in that case, since the delegation held by the rpc itself will be released by the rpc_release callback. Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>
mariux64 · Jun 24, 2010 · cba9ba4 · cba9ba4
1 parent ac94bf5
commit cba9ba4
Showing 1 changed file with 1 addition and 0 deletions.
diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
@@ -689,6 +689,7 @@ static void nfsd4_cb_recall_done(struct rpc_task *task, void *calldata)
 		warn_no_callback_path(clp, task->tk_status);
 		if (current_rpc_client != task->tk_client) {
 			/* queue a callback on the new connection: */
+			atomic_inc(&dp->dl_count);
 			nfsd4_cb_recall(dp);
 			return;
 		}