From: kernel test robot <lkp@intel.com>
To: oe-kbuild@lists.linux.dev
Cc: lkp@intel.com, Dan Carpenter <error27@gmail.com>
Subject: [jlayton:exportd-netlink 3/18] net/sunrpc/cache.c:1074 cache_release() error: dereferencing freed memory 'rq' (line 1070)
Date: Wed, 18 Mar 2026 03:03:38 +0800
Message-ID: <202603180258.r8Bt94T2-lkp@intel.com>

BCC: lkp@intel.com
CC: oe-kbuild-all@lists.linux.dev
TO: Chuck Lever <chuck.lever@oracle.com>
CC: Jeff Layton <jlayton@kernel.org>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux.git exportd-netlink
head:   4599c5d95d86c6bc932897f19b1f5a573e7c4637
commit: e344b49528c8ef457ee714bb65e2da4c121132c2 [3/18] Merge branch 'mrchuck/nfsd-testing'
:::::: branch date: 29 hours ago
:::::: commit date: 30 hours ago
config: x86_64-randconfig-161-20260317 (https://download.01.org/0day-ci/archive/20260318/202603180258.r8Bt94T2-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
rustc: rustc 1.88.0 (6b00bc388 2025-06-23)
smatch: v0.5.0-9004-gb810ac53

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <error27@gmail.com>
| Closes: https://lore.kernel.org/r/202603180258.r8Bt94T2-lkp@intel.com/

smatch warnings:
net/sunrpc/cache.c:1074 cache_release() error: dereferencing freed memory 'rq' (line 1070)

vim +/rq +1074 net/sunrpc/cache.c

^1da177e4c3f41 Linus Torvalds   2005-04-16  1039  
173912a6add00f Trond Myklebust  2009-08-09  1040  static int cache_release(struct inode *inode, struct file *filp,
173912a6add00f Trond Myklebust  2009-08-09  1041  			 struct cache_detail *cd)
^1da177e4c3f41 Linus Torvalds   2005-04-16  1042  {
^1da177e4c3f41 Linus Torvalds   2005-04-16  1043  	struct cache_reader *rp = filp->private_data;
^1da177e4c3f41 Linus Torvalds   2005-04-16  1044  
^1da177e4c3f41 Linus Torvalds   2005-04-16  1045  	if (rp) {
17ad31b3a43b72 Jeff Layton      2026-02-23  1046  		struct cache_request *rq = NULL;
17ad31b3a43b72 Jeff Layton      2026-02-23  1047  
b00567a1495f66 Jeff Layton      2026-02-23  1048  		spin_lock(&cd->queue_lock);
^1da177e4c3f41 Linus Torvalds   2005-04-16  1049  		if (rp->offset) {
812936f74067e6 Jeff Layton      2026-02-23  1050  			struct cache_request *cr;
812936f74067e6 Jeff Layton      2026-02-23  1051  
812936f74067e6 Jeff Layton      2026-02-23  1052  			cr = cache_next_request(cd, rp->next_seqno);
812936f74067e6 Jeff Layton      2026-02-23  1053  			if (cr) {
17ad31b3a43b72 Jeff Layton      2026-02-23  1054  				cr->readers--;
17ad31b3a43b72 Jeff Layton      2026-02-23  1055  				if (cr->readers == 0 &&
17ad31b3a43b72 Jeff Layton      2026-02-23  1056  				    !test_bit(CACHE_PENDING,
17ad31b3a43b72 Jeff Layton      2026-02-23  1057  					      &cr->item->flags)) {
812936f74067e6 Jeff Layton      2026-02-23  1058  					list_del(&cr->list);
17ad31b3a43b72 Jeff Layton      2026-02-23  1059  					rq = cr;
17ad31b3a43b72 Jeff Layton      2026-02-23  1060  				}
^1da177e4c3f41 Linus Torvalds   2005-04-16  1061  			}
^1da177e4c3f41 Linus Torvalds   2005-04-16  1062  			rp->offset = 0;
^1da177e4c3f41 Linus Torvalds   2005-04-16  1063  		}
812936f74067e6 Jeff Layton      2026-02-23  1064  		list_del(&rp->list);
b00567a1495f66 Jeff Layton      2026-02-23  1065  		spin_unlock(&cd->queue_lock);
^1da177e4c3f41 Linus Torvalds   2005-04-16  1066  
0b88d5fcde160d Jeff Layton      2026-02-23  1067  		if (rq) {
0b88d5fcde160d Jeff Layton      2026-02-23  1068  			cache_put(rq->item, cd);
0b88d5fcde160d Jeff Layton      2026-02-23  1069  			kfree(rq->buf);
0b88d5fcde160d Jeff Layton      2026-02-23 @1070  			kfree(rq);
0b88d5fcde160d Jeff Layton      2026-02-23  1071  		}
^1da177e4c3f41 Linus Torvalds   2005-04-16  1072  
17ad31b3a43b72 Jeff Layton      2026-02-23  1073  		if (rq) {
17ad31b3a43b72 Jeff Layton      2026-02-23 @1074  			cache_put(rq->item, cd);
17ad31b3a43b72 Jeff Layton      2026-02-23  1075  			kfree(rq->buf);
17ad31b3a43b72 Jeff Layton      2026-02-23  1076  			kfree(rq);
17ad31b3a43b72 Jeff Layton      2026-02-23  1077  		}
17ad31b3a43b72 Jeff Layton      2026-02-23  1078  
^1da177e4c3f41 Linus Torvalds   2005-04-16  1079  		filp->private_data = NULL;
^1da177e4c3f41 Linus Torvalds   2005-04-16  1080  		kfree(rp);
64a38e840ce594 Dave Wysochanski 2019-07-26  1081  	}
64a38e840ce594 Dave Wysochanski 2019-07-26  1082  	if (filp->f_mode & FMODE_WRITE) {
64a38e840ce594 Dave Wysochanski 2019-07-26  1083  		atomic_dec(&cd->writers);
c5b29f885afe89 NeilBrown        2010-08-12  1084  		cd->last_close = seconds_since_boot();
^1da177e4c3f41 Linus Torvalds   2005-04-16  1085  	}
f7e86ab92f2198 Trond Myklebust  2009-08-19  1086  	module_put(cd->owner);
^1da177e4c3f41 Linus Torvalds   2005-04-16  1087  	return 0;
^1da177e4c3f41 Linus Torvalds   2005-04-16  1088  }
^1da177e4c3f41 Linus Torvalds   2005-04-16  1089  

:::::: The code at line 1074 was first introduced by commit
:::::: 17ad31b3a43b72aec3a3d83605891e1397d0d065 sunrpc: fix cache_request leak in cache_release

:::::: TO: Jeff Layton <jlayton@kernel.org>
:::::: CC: Chuck Lever <chuck.lever@oracle.com>

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki

WARNING: multiple messages have this Message-ID
From: Dan Carpenter <dan.carpenter@linaro.org>
To: oe-kbuild@lists.linux.dev, Chuck Lever <chuck.lever@oracle.com>
Cc: lkp@intel.com, oe-kbuild-all@lists.linux.dev,
	Jeff Layton <jlayton@kernel.org>
Subject: [jlayton:exportd-netlink 3/18] net/sunrpc/cache.c:1074 cache_release() error: dereferencing freed memory 'rq' (line 1070)
Date: Wed, 18 Mar 2026 10:42:55 +0300
Message-ID: <202603180258.r8Bt94T2-lkp@intel.com>
Message-ID: <20260318074255.LXy7pS6oGPvopv2dJcxfFoWCHs2X8TwP8nU_6p0zbog@z>

tree:   https://git.kernel.org/pub/scm/linux/kernel/git/jlayton/linux.git exportd-netlink
head:   4599c5d95d86c6bc932897f19b1f5a573e7c4637
commit: e344b49528c8ef457ee714bb65e2da4c121132c2 [3/18] Merge branch 'mrchuck/nfsd-testing'
config: x86_64-randconfig-161-20260317 (https://download.01.org/0day-ci/archive/20260318/202603180258.r8Bt94T2-lkp@intel.com/config)
compiler: clang version 20.1.8 (https://github.com/llvm/llvm-project 87f0227cb60147a26a1eeb4fb06e3b505e9c7261)
rustc: rustc 1.88.0 (6b00bc388 2025-06-23)
smatch: v0.5.0-9004-gb810ac53

If you fix the issue in a separate patch/commit (i.e. not just a new version of
the same patch/commit), kindly add following tags
| Reported-by: kernel test robot <lkp@intel.com>
| Reported-by: Dan Carpenter <dan.carpenter@linaro.org>
| Closes: https://lore.kernel.org/r/202603180258.r8Bt94T2-lkp@intel.com/

smatch warnings:
net/sunrpc/cache.c:1074 cache_release() error: dereferencing freed memory 'rq' (line 1070)

vim +/rq +1074 net/sunrpc/cache.c

173912a6add00f Trond Myklebust  2009-08-09  1040  static int cache_release(struct inode *inode, struct file *filp,
173912a6add00f Trond Myklebust  2009-08-09  1041  			 struct cache_detail *cd)
^1da177e4c3f41 Linus Torvalds   2005-04-16  1042  {
^1da177e4c3f41 Linus Torvalds   2005-04-16  1043  	struct cache_reader *rp = filp->private_data;
^1da177e4c3f41 Linus Torvalds   2005-04-16  1044  
^1da177e4c3f41 Linus Torvalds   2005-04-16  1045  	if (rp) {
17ad31b3a43b72 Jeff Layton      2026-02-23  1046  		struct cache_request *rq = NULL;
17ad31b3a43b72 Jeff Layton      2026-02-23  1047  
b00567a1495f66 Jeff Layton      2026-02-23  1048  		spin_lock(&cd->queue_lock);
^1da177e4c3f41 Linus Torvalds   2005-04-16  1049  		if (rp->offset) {
812936f74067e6 Jeff Layton      2026-02-23  1050  			struct cache_request *cr;
812936f74067e6 Jeff Layton      2026-02-23  1051  
812936f74067e6 Jeff Layton      2026-02-23  1052  			cr = cache_next_request(cd, rp->next_seqno);
812936f74067e6 Jeff Layton      2026-02-23  1053  			if (cr) {
17ad31b3a43b72 Jeff Layton      2026-02-23  1054  				cr->readers--;
17ad31b3a43b72 Jeff Layton      2026-02-23  1055  				if (cr->readers == 0 &&
17ad31b3a43b72 Jeff Layton      2026-02-23  1056  				    !test_bit(CACHE_PENDING,
17ad31b3a43b72 Jeff Layton      2026-02-23  1057  					      &cr->item->flags)) {
812936f74067e6 Jeff Layton      2026-02-23  1058  					list_del(&cr->list);
17ad31b3a43b72 Jeff Layton      2026-02-23  1059  					rq = cr;
17ad31b3a43b72 Jeff Layton      2026-02-23  1060  				}
^1da177e4c3f41 Linus Torvalds   2005-04-16  1061  			}
^1da177e4c3f41 Linus Torvalds   2005-04-16  1062  			rp->offset = 0;
^1da177e4c3f41 Linus Torvalds   2005-04-16  1063  		}
812936f74067e6 Jeff Layton      2026-02-23  1064  		list_del(&rp->list);
b00567a1495f66 Jeff Layton      2026-02-23  1065  		spin_unlock(&cd->queue_lock);
^1da177e4c3f41 Linus Torvalds   2005-04-16  1066  
0b88d5fcde160d Jeff Layton      2026-02-23  1067  		if (rq) {
0b88d5fcde160d Jeff Layton      2026-02-23  1068  			cache_put(rq->item, cd);
0b88d5fcde160d Jeff Layton      2026-02-23  1069  			kfree(rq->buf);
0b88d5fcde160d Jeff Layton      2026-02-23 @1070  			kfree(rq);
                                                                        ^^^^^^^^^

0b88d5fcde160d Jeff Layton      2026-02-23  1071  		}
^1da177e4c3f41 Linus Torvalds   2005-04-16  1072  
17ad31b3a43b72 Jeff Layton      2026-02-23  1073  		if (rq) {
17ad31b3a43b72 Jeff Layton      2026-02-23 @1074  			cache_put(rq->item, cd);
17ad31b3a43b72 Jeff Layton      2026-02-23  1075  			kfree(rq->buf);
17ad31b3a43b72 Jeff Layton      2026-02-23  1076  			kfree(rq);
                                                                        ^^^^^^^^^

17ad31b3a43b72 Jeff Layton      2026-02-23  1077  		}

Looks like a bad merge.

17ad31b3a43b72 Jeff Layton      2026-02-23  1078  
^1da177e4c3f41 Linus Torvalds   2005-04-16  1079  		filp->private_data = NULL;
^1da177e4c3f41 Linus Torvalds   2005-04-16  1080  		kfree(rp);
64a38e840ce594 Dave Wysochanski 2019-07-26  1081  	}
64a38e840ce594 Dave Wysochanski 2019-07-26  1082  	if (filp->f_mode & FMODE_WRITE) {
64a38e840ce594 Dave Wysochanski 2019-07-26  1083  		atomic_dec(&cd->writers);
c5b29f885afe89 NeilBrown        2010-08-12  1084  		cd->last_close = seconds_since_boot();
^1da177e4c3f41 Linus Torvalds   2005-04-16  1085  	}
f7e86ab92f2198 Trond Myklebust  2009-08-19  1086  	module_put(cd->owner);
^1da177e4c3f41 Linus Torvalds   2005-04-16  1087  	return 0;
^1da177e4c3f41 Linus Torvalds   2005-04-16  1088  }

-- 
0-DAY CI Kernel Test Service
https://github.com/intel/lkp-tests/wiki


Thread overview: 7+ messages
2026-03-17 19:03 kernel test robot [this message]
2026-03-18  7:42 ` [jlayton:exportd-netlink 3/18] net/sunrpc/cache.c:1074 cache_release() error: dereferencing freed memory 'rq' (line 1070) Dan Carpenter
2026-03-18 10:56 ` Jeff Layton
2026-03-18 13:22   ` Chuck Lever
2026-03-18 13:30     ` Jeff Layton
2026-03-18 13:32       ` Chuck Lever
2026-03-18 13:33         ` Jeff Layton
