nfsd4: fix delegation recall race use-after-free

When the rarely-used callback-connection-changing setclientid occurs
simultaneously with a delegation recall, we rerun the recall by
requeueing it on a workqueue.  But we also need to take a reference on
the delegation in that case, since the delegation held by the rpc itself
will be released by the rpc_release callback.

Signed-off-by: J. Bruce Fields <bfields@citi.umich.edu>

diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index a468632..1e6497e 100644 (file)
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c
@@ -689,6 +689,7 @@ static void nfsd4_cb_recall_done(struct rpc_task *task, void *calldata)
                warn_no_callback_path(clp, task->tk_status);
                if (current_rpc_client != task->tk_client) {
                        /* queue a callback on the new connection: */
+                       atomic_inc(&dp->dl_count);
                        nfsd4_cb_recall(dp);
                        return;
                }