[PATCH] NFSD: Avoid corruption of a referring call list

From: Chuck Lever <cel@kernel.org>
Date: 2025-06-08 22:08:54
Subsystem: filesystems (vfs and infrastructure), kernel nfsd, sunrpc, and lockd servers, the rest · Maintainers: Alexander Viro, Christian Brauner, Chuck Lever, Jeff Layton, Linus Torvalds

From: Chuck Lever <redacted>

The new code neglects to remove a freshly-allocated RCL from the
callback's referring call list when no matching referring call is
found.

Reported-by: kernel test robot <redacted>
Reported-by: Dan Carpenter <redacted>
Closes: https://lore.kernel.org/r/202505171002.cE46sdj5-lkp@intel.com/ (local)
Fixes: 4f3c8d8c9e10 ("NFSD: Implement CB_SEQUENCE referring call lists")
Signed-off-by: Chuck Lever <redacted>
---
 fs/nfsd/nfs4callback.c | 1 +
 1 file changed, 1 insertion(+)

I don't recall seeing this on the mailing list. Targeting this
one for nfsd-fixes.

diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
index ccb00aa93be0..e00b2aea8da2 100644
--- a/fs/nfsd/nfs4callback.c
+++ b/fs/nfsd/nfs4callback.c

@@ -1409,6 +1409,7 @@ void nfsd41_cb_referring_call(struct nfsd4_callback *cb,
 out:
 	if (!rcl->__nr_referring_calls) {
 		cb->cb_nr_referring_call_list--;
+		list_del(&rcl->__list);
 		kfree(rcl);
 	}
 }

-- 
2.49.0

`h`	back out one level
`j`	next message in thread
`k`	previous message in thread
`l`	drill in
`Esc`	close help / fold thread tree
`?`	toggle this help