Index: fs/nfs/nfs.h
===================================================================
--- fs/nfs/nfs.h
+++ fs/nfs/nfs.h
@@ -797,6 +797,9 @@
struct mbuf *nfssl_reply;
};
+/* Enumerated type for nfsuserd state. */
+typedef enum { NOTRUNNING=0, STARTSTOP=1, RUNNING=2 } nfsuserd_state;
+
#endif /* _KERNEL */
#endif /* _NFS_NFS_H */
Index: fs/nfs/nfs_commonport.c
===================================================================
--- fs/nfs/nfs_commonport.c
+++ fs/nfs/nfs_commonport.c
@@ -56,7 +56,7 @@
#include extern int nfscl_ticks;
-extern int nfsrv_nfsuserd;
+extern nfsuserd_state nfsrv_nfsuserd;
extern struct nfssockreq nfsrv_nfsuserdsock;
extern void (*nfsd_call_recall)(struct vnode *, int, struct ucred *, struct thread *);
@@ -774,7 +774,7 @@
break;
case MOD_UNLOAD:
- if (newnfs_numnfsd != 0 || nfsrv_nfsuserd != 0 ||
+ if (newnfs_numnfsd != 0 || nfsrv_nfsuserd != NOTRUNNING ||
nfs_numnfscbd != 0) {
error = EBUSY;
break;
Index: fs/nfs/nfs_commonsubs.c
===================================================================
--- fs/nfs/nfs_commonsubs.c
+++ fs/nfs/nfs_commonsubs.c
@@ -64,7 +64,7 @@
int nfscl_ticks;
int nfsrv_useacl = 1;
struct nfssockreq nfsrv_nfsuserdsock;
-int nfsrv_nfsuserd = 0;
+nfsuserd_state nfsrv_nfsuserd = NOTRUNNING;
struct nfsreqhead nfsd_reqq;
uid_t nfsrv_defaultuid = UID_NOBODY;
gid_t nfsrv_defaultgid = GID_NOGROUP;
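Review bot: The new `nfsuserd_state` typedef documents neither the transitions between its three values nor the lock that guards them, and its constants `NOTRUNNING`, `STARTSTOP` and `RUNNING` are unprefixed in a header included by every kernel NFS file, so they can collide with unrelated identifiers. The nfs_commonsubs.c hunks show every write to `nfsrv_nfsuserd` happening under `NFSLOCKNAMEID()`, with `STARTSTOP` held while a start or stop is in transit. I would replace the one-line comment with a short block saying that, e.g. `/* nfsuserd(8) port state, written only under the nameid lock: NOTRUNNING -> STARTSTOP (start in progress) -> RUNNING -> STARTSTOP (stop in progress) -> NOTRUNNING. */`. A prefix such as `NFSUSERD_` on the constants would remove the collision risk; I cannot see the neighbouring declarations here to confirm which naming the header otherwise uses.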
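Review bot: The `MOD_UNLOAD` test reads `nfsrv_nfsuserd` without `NFSLOCKNAMEID()`, while the nfs_commonsubs.c hunks make that lock the protector of every write to it; the unlocked read is pre-existing, but with the new `STARTSTOP` value the check can now observe a start or stop in flight, and whether that is acceptable on the unload path is not visible here. Comparing against `NOTRUNNING` rather than `RUNNING` is the right choice, since an in-progress start must also keep the module busy. A one-line comment at the test, `/* Unlocked read; anything but NOTRUNNING, including a start/stop in progress, keeps the module busy. */`, would record that intent. The enclosing `switch` starts and ends outside the hunk.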
@@ -3522,18 +3522,22 @@
int error;
NFSLOCKNAMEID();
- if (nfsrv_nfsuserd) {
+ if (nfsrv_nfsuserd != NOTRUNNING) {
NFSUNLOCKNAMEID();
error = EPERM;
goto out;
}
- nfsrv_nfsuserd = 1;
- NFSUNLOCKNAMEID();
+ nfsrv_nfsuserd = STARTSTOP;
/*
* Set up the socket record and connect.
+ * Set nr_client NULL before unlocking, just to ensure that no other
+ * process/thread/core will use a bogus old value. This could only
+ * occur if the use of the nameid lock to protect nfsrv_nfsuserd is
+ * broken.
*/
rp = &nfsrv_nfsuserdsock;
rp->nr_client = NULL;
+ NFSUNLOCKNAMEID();
rp->nr_sotype = SOCK_DGRAM;
rp->nr_soproto = IPPROTO_UDP;
rp->nr_lock = (NFSR_RESERVEDPORT | NFSR_LOCALHOST);
@@ -3569,9 +3573,15 @@
rp->nr_vers = RPCNFSUSERD_VERS;
if (error == 0)
error = newnfs_connect(NULL, rp, NFSPROCCRED(p), p, 0);
- if (error) {
+ if (error == 0) {
+ NFSLOCKNAMEID();
+ nfsrv_nfsuserd = RUNNING;
+ NFSUNLOCKNAMEID();
+ } else {
free(rp->nr_nam, M_SONAME);
- nfsrv_nfsuserd = 0;
+ NFSLOCKNAMEID();
+ nfsrv_nfsuserd = NOTRUNNING;
+ NFSUNLOCKNAMEID();
}
out:
NFSEXITCODE(error);
@@ -3586,14 +3596,17 @@
{
NFSLOCKNAMEID();
- if (nfsrv_nfsuserd == 0) {
+ if (nfsrv_nfsuserd != RUNNING) {
NFSUNLOCKNAMEID();
return;
}
- nfsrv_nfsuserd = 0;
+ nfsrv_nfsuserd = STARTSTOP;
NFSUNLOCKNAMEID();
newnfs_disconnect(&nfsrv_nfsuserdsock);
free(nfsrv_nfsuserdsock.nr_nam, M_SONAME);
+ NFSLOCKNAMEID();
+ nfsrv_nfsuserd = NOTRUNNING;
+ NFSUNLOCKNAMEID();
}
/*
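Review bot: The line `nfsrv_nfsuserd = STARTSTOP;` is what makes a concurrent `nfsrv_nfsuserddelport()` (3596 hunk) and `nfsrv_getuser()` ignore the socket while it is still being set up, but nothing at the line says so; a reader has to find the `!= RUNNING` tests in the other hunks to understand why the lock can be dropped before `nr_nam`, `nr_sotype` and the rest are filled in. I would add `/* STARTSTOP claims the port; getuser/delport ignore it until RUNNING is set after a successful connect. */` here, and at the 3573 hunk `/* Publish RUNNING only once the socket is connected. */` above the success branch. The function's declarations start above this hunk and its body continues past it.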
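Review bot: The reference taken by `CLNT_ACQUIRE()` in `nfsrv_getuser()` (hunk at 3623) keeps the RPC client alive across `newnfs_disconnect()`, but the `free(nfsrv_nfsuserdsock.nr_nam, M_SONAME)` that follows is not covered by it: a `nfsrv_getuser()` that passed its `RUNNING` check before this function moved the state to `STARTSTOP` may still be inside `newnfs_request()` with `&nfsrv_nfsuserdsock` when `nr_nam` is freed. Whether `newnfs_request()`, or a reconnect inside it, reads `nr_nam` after the initial connect is not visible in this diff, so this may be benign. If it is, a comment here stating that `nr_nam` is only consumed by `newnfs_connect()` would settle the question; if not, the address must outlive the last in-flight request, e.g. by freeing it where the client's final reference is dropped. Clearing `nr_nam` to NULL under the lock after the free would at least make a stale read fail deterministically.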
@@ -3610,13 +3623,23 @@
struct nfsrv_descript nfsd;
struct ucred *cred;
int error;
+ struct __rpc_client *client;
NFSLOCKNAMEID();
- if (nfsrv_nfsuserd == 0) {
+ if (nfsrv_nfsuserd != RUNNING) {
NFSUNLOCKNAMEID();
error = EPERM;
goto out;
}
+ /*
+ * Acquire a reference count on the client, so that the structure will
+ * not be destroyed due to an nfsuserd(8) shutdown while an RPC is
+ * in progress.
+ * Do this while holding the nameid lock, so it is guaranteed non-NULL.
+ */
+ client = nfsrv_nfsuserdsock.nr_client;
+ KASSERT(client != NULL, ("nfsrv_getuser: NULL client"));
+ CLNT_ACQUIRE(client);
NFSUNLOCKNAMEID();
nd = &nfsd;
cred = newnfs_getcred();
@@ -3636,6 +3659,7 @@
}
error = newnfs_request(nd, NULL, NULL, &nfsrv_nfsuserdsock, NULL, NULL, cred, RPCPROG_NFSUSERD, RPCNFSUSERD_VERS, NULL, 0, NULL, NULL);
+ CLNT_RELEASE(client);
NFSFREECRED(cred);
if (!error) {
mbuf_freem(nd->nd_mrep);
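Review bot: The body between `CLNT_ACQUIRE(client)` and the `CLNT_RELEASE(client)` added at the 3659 hunk is not shown; if any failure in that stretch (the block closed by the `}` at the top of the 3659 hunk, for instance) jumps to `out` before `newnfs_request()`, that path returns with the reference still held and the client can never be freed by `nfsrv_nfsuserddelport()`. Please check those lines and either release on each early exit or initialise `client = NULL` at its declaration and release under `out:` when it is non-NULL. Separately, `struct __rpc_client *client;` spells out the tag behind the `CLIENT` typedef that `CLNT_ACQUIRE`/`CLNT_RELEASE` operate on; `CLIENT *client;` is the conventional spelling and avoids a reserved double-underscore name in a local declaration. `KASSERT` compiles to nothing without INVARIANTS, so the non-NULL guarantee rests entirely on the lock discipline: the 3522 hunk clears `nr_client` before dropping the lock and `RUNNING` is set only after `newnfs_connect()` succeeds, which presumably installs `nr_client`, so the guarantee appears to hold.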