From: Chuck Lever Date: Sun, 8 Jun 2025 22:08:51 +0000 (-0400) Subject: NFSD: Avoid corruption of a referring call list X-Git-Tag: v6.16-rc3~9^2~3 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=32ce6b3a83b71d8abf0c0837dc78775f16c9902f;p=thirdparty%2Flinux.git NFSD: Avoid corruption of a referring call list The new code neglects to remove a freshly-allocated RCL from the callback's referring call list when no matching referring call is found. Reported-by: kernel test robot Reported-by: Dan Carpenter Closes: https://lore.kernel.org/r/202505171002.cE46sdj5-lkp@intel.com/ Fixes: 4f3c8d8c9e10 ("NFSD: Implement CB_SEQUENCE referring call lists") Reviewed-by: Jeff Layton Signed-off-by: Chuck Lever --- diff --git a/fs/nfsd/nfs4callback.c b/fs/nfsd/nfs4callback.c index ccb00aa93be01..e00b2aea8da2b 100644 --- a/fs/nfsd/nfs4callback.c +++ b/fs/nfsd/nfs4callback.c @@ -1409,6 +1409,7 @@ void nfsd41_cb_referring_call(struct nfsd4_callback *cb, out: if (!rcl->__nr_referring_calls) { cb->cb_nr_referring_call_list--; + list_del(&rcl->__list); kfree(rcl); } }
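Review bot: In the `out:` block of `nfsd41_cb_referring_call()`, the added `list_del(&rcl->__list)` assumes `rcl` is already linked on the callback's referring call list on every path that reaches `out:` with `__nr_referring_calls` equal to zero. The hunk's context does not show where `rcl` is added to the list, so please confirm that no path reaches this label with an `rcl` whose `__list` was never linked or initialised, since `list_del()` on such an entry would dereference invalid pointers. The ordering is right (unlink first, then `kfree(rcl)`). It would help to state the consequence in the commit message: without the unlink, the list keeps a pointer to freed memory, so any later walk of the list is a use-after-free. Because `cb->cb_nr_referring_call_list--` and the `list_del()` must always happen together, consider a short comment above them, or a small helper that does both, so the count and the list membership cannot drift apart again.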