NFSv4.1: protect destroying and nullifying bc_serv structure

When we are shutting down the client, we free the callback server structure and then at a later pointer we free the transport used by the client. Yet, it's possible that after the callback server is freed, the transport receives a backchannel request at which point we can dereferene freed memory. Instead, do the freeing the bc server and nullying bc_serv under the lock. Signed-off-by: Olga Kornievskaia <okorniev@redhat.com> Signed-off-by: Trond Myklebust <trond.myklebust@hammerspace.com>
author: Olga Kornievskaia <okorniev@redhat.com> 2025-11-04 17:29:27 -0500
committer: Trond Myklebust <trond.myklebust@hammerspace.com> 2025-11-23 15:30:12 -0500
commit: 9e9fdd0ad0fba799dbae7ecfd167199885fb63a1 (patch)
tree: da2504450d52531b7c39a75e6075bda3bc896d5f
parent: 6f8b26c90a4d645fd5c944c41a6f0fd61ec27c50 (diff)
1 files changed, 1 insertions, 1 deletions
diff --git a/fs/nfs/callback.c b/fs/nfs/callback.c
index 8b674ee093a6..fabda0f6ec1a 100644
--- a/fs/nfs/callback.c
+++ b/fs/nfs/callback.c
@@ -270,7 +270,7 @@ void nfs_callback_down(int minorversion, struct net *net, struct rpc_xprt *xprt)
 	if (cb_info->users == 0) {
 		svc_set_num_threads(serv, NULL, 0);
 		dprintk("nfs_callback_down: service destroyed\n");
-		svc_destroy(&cb_info->serv);
+		xprt_svc_destroy_nullify_bc(xprt, &cb_info->serv);
 	}
 	mutex_unlock(&nfs_callback_mutex);
 }
author	Olga Kornievskaia <okorniev@redhat.com>	2025-11-04 17:29:27 -0500
committer	Trond Myklebust <trond.myklebust@hammerspace.com>	2025-11-23 15:30:12 -0500
commit	9e9fdd0ad0fba799dbae7ecfd167199885fb63a1 (patch)
tree	da2504450d52531b7c39a75e6075bda3bc896d5f
parent	6f8b26c90a4d645fd5c944c41a6f0fd61ec27c50 (diff)