K 10 svn:author V 8 rmacklem K 8 svn:date V 27 2021-06-26T23:43:04.134237Z K 7 svn:log V 981 krpc: Acquire ref count of CLIENT for backchannel use Michael Dexter reported a crash in FreeNAS, where the first argument to clnt_bck_svccall() was no longer valid. This argument is a pointer to the callback CLIENT structure, which is free'd when the associated NFSv4 ClientID is free'd. This appears to have occurred because a callback reply was still in the socket receive queue when the CLIENT structure was free'd. This patch acquires a reference count on the CLIENT that is not CLNT_RELEASE()'d until the socket structure is destroyed. This should guarantee that the CLIENT structure is still valid when clnt_bck_svccall() is called. It also adds a check for closed or closing to clnt_bck_svccall() so that it will not process the callback RPC reply message after the ClientID is free'd. (cherry picked from commit e1a907a25cfa422c0d1acaf9f91352ada04f4bca) Git Hash: 6ae32cc8182f4a48f0606f4b561a98010e1946b8 Git Author: rmacklem@FreeBSD.org END