svcrpc: fix list-corrupting race on nfsd shutdown

After commit 3262c816a3 "[PATCH] knfsd:
split svc_serv into pools", svc_delete_xprt (then svc_delete_socket) no
longer removed its xpt_ready (then sk_ready) field from whatever list it
was on, noting that there was no point since the whole list was about to
be destroyed anyway.

That was mostly true, but forgot that a few svc_xprt_enqueue()'s might
still be hanging around playing with the about-to-be-destroyed list, and
could get themselves into trouble writing to freed memory if we left
this xprt on the list after freeing it.

(This is actually functionally identical to a patch made first by Ben
Greear, but with more comments.)

Cc: stable@kernel.org
Cc: gnb@fmeh.org
Reported-by: Ben Greear <greearb@candelatech.com>
Tested-by: Ben Greear <greearb@candelatech.com>
Signed-off-by: J. Bruce Fields <bfields@redhat.com>

net/sunrpc/svc_xprt.c

@@ -902,12 +902,13 @@ void svc_delete_xprt(struct svc_xprt *xprt)
 	if (!test_and_set_bit(XPT_DETACHED, &xprt->xpt_flags))
 		list_del_init(&xprt->xpt_list);
 	/*
-	 * We used to delete the transport from whichever list
+	 * The only time we're called while xpt_ready is still on a list
-	 * it's sk_xprt.xpt_ready node was on, but we don't actually
+	 * is while the list itself is about to be destroyed (in
-	 * need to.  This is because the only time we're called
+	 * svc_destroy).  BUT svc_xprt_enqueue could still be attempting
-	 * while still attached to a queue, the queue itself
+	 * to add new entries to the sp_sockets list, so we can't leave
-	 * is about to be destroyed (in svc_destroy).
+	 * a freed xprt on it.
 	 */
+	list_del_init(&xprt->xpt_ready);
 	if (test_bit(XPT_TEMP, &xprt->xpt_flags))
 		serv->sv_tmpcnt--;
 	spin_unlock_bh(&serv->sv_lock);