Commit 32ce6b3a authored Jun 08, 2025 by Chuck Lever

NFSD: Avoid corruption of a referring call list



The new code neglects to remove a freshly-allocated RCL from the
callback's referring call list when no matching referring call is
found.

Reported-by: kernel test robot <lkp@intel.com>
Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
Closes: https://lore.kernel.org/r/202505171002.cE46sdj5-lkp@intel.com/


Fixes: 4f3c8d8c ("NFSD: Implement CB_SEQUENCE referring call lists")
Reviewed-by: Jeff Layton <jlayton@kernel.org>
Signed-off-by: Chuck Lever <chuck.lever@oracle.com>

parent 425364dc

fs/nfsd/nfs4callback.c

+1 −0

Original line number	Diff line number	Diff line
		@@ -1409,6 +1409,7 @@ void nfsd41_cb_referring_call(struct nfsd4_callback *cb,
		out:
		if (!rcl->__nr_referring_calls) {
		cb->cb_nr_referring_call_list--;
		list_del(&rcl->__list);
		kfree(rcl);
		}
		}