NFSD: Avoid corruption of a referring call list

chucklever · chucklever · commit 32ce6b3a83b7 · 2025-06-12T20:37:32.000-04:00
The new code neglects to remove a freshly-allocated RCL from the callback's referring call list when no matching referring call is found. Reported-by: kernel test robot <lkp@intel.com> Reported-by: Dan Carpenter <dan.carpenter@linaro.org> Closes: https://lore.kernel.org/r/202505171002.cE46sdj5-lkp@intel.com/ Fixes: 4f3c8d8 ("NFSD: Implement CB_SEQUENCE referring call lists") Reviewed-by: Jeff Layton <jlayton@kernel.org> Signed-off-by: Chuck Lever <chuck.lever@oracle.com>
diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c
@@ -1409,6 +1409,7 @@ void nfsd41_cb_referring_call(struct nfsd4_callback *cb,
 out:
 	if (!rcl->__nr_referring_calls) {
 		cb->cb_nr_referring_call_list--;
+		list_del(&rcl->__list);
 		kfree(rcl);
 	}
 }

Original file line number	Diff line number	Diff line change
`@@ -1409,6 +1409,7 @@ void nfsd41_cb_referring_call(struct nfsd4_callback *cb,`
`1409`	`1409`	`out:`
`1410`	`1410`	`if (!rcl->__nr_referring_calls) {`
`1411`	`1411`	`cb->cb_nr_referring_call_list--;`
	`1412`	`+ list_del(&rcl->__list);`
`1412`	`1413`	`kfree(rcl);`
`1413`	`1414`	`}`
`1414`	`1415`	`}`