From: Jeff Layton <jlayton@kernel.org>
To: Dan Carpenter <dan.carpenter@linaro.org>,
oe-kbuild@lists.linux.dev, Chuck Lever <chuck.lever@oracle.com>
Cc: lkp@intel.com, oe-kbuild-all@lists.linux.dev
Subject: Re: [jlayton:exportd-netlink 3/18] net/sunrpc/cache.c:1074 cache_release() error: dereferencing freed memory 'rq' (line 1070)
Date: Wed, 18 Mar 2026 06:56:39 -0400
Message-ID: <03d95fada335610f65f8590e02e1ff724e854b68.camel@kernel.org>
In-Reply-To: <202603180258.r8Bt94T2-lkp@intel.com>

On Wed, 2026-03-18 at 10:42 +0300, Dan Carpenter wrote:
> tree: https://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux.git exportd-netlink
> head: 4599c5d95d86c6bc932897f19b1f5a573e7c4637
> commit: e344b49528c8ef457ee714bb65e2da4c121132c2 [3/18] Merge branch 'mrchuck/nfsd-testing'
> config: x86_64-randconfig-161-20260317 (https://download.01.org/0day-ci/archive/20260318/202603180258.r8Bt94T2-lkp@intel.com/config)
> compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
> rustc: rustc 1.88.0 (6b00bc388 2025-06-23)
> smatch: v0.5.0-9004-gb810ac53
>
> If you fix the issue in a separate patch/commit (i.e. not just a new version of
> the same patch/commit), kindly add following tags
> > Reported-by: kernel test robot <lkp@intel.com>
> > Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
> > Closes: https://lore.kernel.org/r/202603180258.r8Bt94T2-lkp@intel.com/
>
> smatch warnings:
> net/sunrpc/cache.c:1074 cache_release() error: dereferencing freed memory 'rq' (line 1070)
>
> vim +/rq +1074 net/sunrpc/cache.c
>
> 173912a6add00f Trond Myklebust 2009-08-09 1040 static int cache_release(struct inode *inode, struct file *filp,
> 173912a6add00f Trond Myklebust 2009-08-09 1041 struct cache_detail *cd)
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1042 {
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1043 struct cache_reader *rp = filp->private_data;
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1044
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1045 if (rp) {
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1046 struct cache_request *rq = NULL;
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1047
> b00567a1495f66 Jeff Layton 2026-02-23 1048 spin_lock(&cd->queue_lock);
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1049 if (rp->offset) {
> 812936f74067e6 Jeff Layton 2026-02-23 1050 struct cache_request *cr;
> 812936f74067e6 Jeff Layton 2026-02-23 1051
> 812936f74067e6 Jeff Layton 2026-02-23 1052 cr = cache_next_request(cd, rp->next_seqno);
> 812936f74067e6 Jeff Layton 2026-02-23 1053 if (cr) {
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1054 cr->readers--;
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1055 if (cr->readers == 0 &&
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1056 !test_bit(CACHE_PENDING,
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1057 &cr->item->flags)) {
> 812936f74067e6 Jeff Layton 2026-02-23 1058 list_del(&cr->list);
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1059 rq = cr;
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1060 }
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1061 }
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1062 rp->offset = 0;
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1063 }
> 812936f74067e6 Jeff Layton 2026-02-23 1064 list_del(&rp->list);
> b00567a1495f66 Jeff Layton 2026-02-23 1065 spin_unlock(&cd->queue_lock);
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1066
> 0b88d5fcde160d Jeff Layton 2026-02-23 1067 if (rq) {
> 0b88d5fcde160d Jeff Layton 2026-02-23 1068 cache_put(rq->item, cd);
> 0b88d5fcde160d Jeff Layton 2026-02-23 1069 kfree(rq->buf);
> 0b88d5fcde160d Jeff Layton 2026-02-23 @1070 kfree(rq);
> ^^^^^^^^^
>
> 0b88d5fcde160d Jeff Layton 2026-02-23 1071 }
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1072
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1073 if (rq) {
> 17ad31b3a43b72 Jeff Layton 2026-02-23 @1074 cache_put(rq->item, cd);
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1075 kfree(rq->buf);
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1076 kfree(rq);
> ^^^^^^^^^
>
> 17ad31b3a43b72 Jeff Layton 2026-02-23 1077 }
>
> Looks like a bad merge.
>

Thanks Dan,

Yes it does. I based this series on top of Linus' master, and then
merged in Chuck's nfsd-fixes, nfsd-next and nfsd-testing branches
before layering these patches on top.

It looks like the problem occurred when the nfsd-next branch was
merged. Both it and -fixes have the same patch.

I'll rebase the series on top of a sane merge later today.

> 17ad31b3a43b72 Jeff Layton 2026-02-23 1078
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1079 filp->private_data = NULL;
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1080 kfree(rp);
> 64a38e840ce594 Dave Wysochanski 2019-07-26 1081 }
> 64a38e840ce594 Dave Wysochanski 2019-07-26 1082 if (filp->f_mode & FMODE_WRITE) {
> 64a38e840ce594 Dave Wysochanski 2019-07-26 1083 atomic_dec(&cd->writers);
> c5b29f885afe89 NeilBrown 2010-08-12 1084 cd->last_close = seconds_since_boot();
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1085 }
> f7e86ab92f2198 Trond Myklebust 2009-08-19 1086 module_put(cd->owner);
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1087 return 0;
> ^1da177e4c3f41 Linus Torvalds 2005-04-16 1088 }
--
Jeff Layton <jlayton@kernel.org>
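
The duplicated cleanup block that smatch flagged, modelled in user space as an added example (not code from the kernel tree or from anyone in this thread). `struct req`, `put_and_free()`, `release()` and the counters are hypothetical stand-ins that record each access instead of freeing memory, so the replayed block can be counted safely.

```c
/* Constructed user-space model of the cleanup tail of cache_release() as
 * quoted in the report. Nothing is really freed: flags record each "kfree"
 * so the duplicated block can run without undefined behaviour. */
#include <stdio.h>

struct req { int *item_ref; int buf_freed; int freed; };  /* hypothetical */

static int uaf_reads, double_frees;

/* Stand-in for: cache_put(rq->item, cd); kfree(rq->buf); kfree(rq); */
static void put_and_free(struct req *rq)
{
    if (rq->freed)
        uaf_reads += 2;             /* rq->item and rq->buf read after kfree(rq) */
    (*rq->item_ref)--;              /* cache_put() drops one reference */
    double_frees += rq->buf_freed;  /* kfree(rq->buf) */
    rq->buf_freed = 1;
    double_frees += rq->freed;      /* kfree(rq) */
    rq->freed = 1;
}

/* Runs the release path and returns the item's final reference count.
 * dup != 0 replays the second "if (rq)" block at lines 1073-1077. */
static int release(int dup)
{
    int refs = 1;                   /* the one reference the request holds */
    struct req obj = { .item_ref = &refs };
    struct req *rq = &obj;

    uaf_reads = double_frees = 0;
    if (rq)                         /* lines 1067-1071 */
        put_and_free(rq);
    if (dup && rq)                  /* rq is never cleared, so this is true again */
        put_and_free(rq);
    return refs;
}

int main(void)
{
    int refs = release(0);
    printf("single block: refs=%d uaf=%d double_free=%d\n", refs, uaf_reads, double_frees);
    refs = release(1);
    printf("merged twice: refs=%d uaf=%d double_free=%d\n", refs, uaf_reads, double_frees);
    return 0;
}
```

Besides the reads of freed memory and the two double frees, the replayed block drops a second reference on the item, which is why the model's count ends below zero.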