NFSv4.1: protect destroying and nullifying bc_serv structure

Olga Kornievskaia · Trond Myklebust · commit 9e9fdd0ad0fb · 2025-11-23T15:30:12.000-05:00
When we are shutting down the client, we free the callback
server structure and then at a later pointer we free the
transport used by the client. Yet, it's possible that after
the callback server is freed, the transport receives a
backchannel request at which point we can dereferene freed
memory. Instead, do the freeing the bc server and nullying
bc_serv under the lock.

Signed-off-by: Olga Kornievskaia &lt;okorniev@redhat.com&gt;
Signed-off-by: Trond Myklebust &lt;trond.myklebust@hammerspace.com&gt;
diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
@@ -270,7 +270,7 @@ void nfs_callback_down(int minorversion, struct net *net, struct rpc_xprt *xprt)
 	if (cb_info->users == 0) {
 		svc_set_num_threads(serv, NULL, 0);
 		dprintk("nfs_callback_down: service destroyed\n");
-		svc_destroy(&cb_info->serv);
+		xprt_svc_destroy_nullify_bc(xprt, &cb_info->serv);
 	}
 	mutex_unlock(&nfs_callback_mutex);
 }

Original file line number	Diff line number	Diff line change
`@@ -270,7 +270,7 @@ void nfs_callback_down(int minorversion, struct net net, struct rpc_xprt xprt)`
`270`	`270`	`if (cb_info->users == 0) {`
`271`	`271`	`svc_set_num_threads(serv, NULL, 0);`
`272`	`272`	`dprintk("nfs_callback_down: service destroyed\n");`
`273`		`- svc_destroy(&cb_info->serv);`
	`273`	`+ xprt_svc_destroy_nullify_bc(xprt, &cb_info->serv);`
`274`	`274`	`}`
`275`	`275`	`mutex_unlock(&nfs_callback_mutex);`
`276`	`276`	`}`