From mboxrd@z Thu Jan 1 00:00:00 1970 Received: from smtp.kernel.org (aws-us-west-2-korg-mail-alma10-1.taild15c8.ts.net [100.103.45.18]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by smtp.subspace.kernel.org (Postfix) with ESMTPS id D9B6C328B7F; Wed, 20 May 2026 20:01:25 +0000 (UTC) Authentication-Results: smtp.subspace.kernel.org; arc=none smtp.client-ip=100.103.45.18 ARC-Seal:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779307287; cv=none; b=iuOOlHvBs81EP422wqMfgUO68sXEUWo9BdLCFFfm5htRaXnPPek4Z25hl9iLRXHyI0VjOMTZq8rBE+JHewV3KJ1XG1xrfqw5MJCIFv9WjO20jwtIyLVOockD/I6J+McqXRjQMkhSPN7G9fzYjGz9e/pagV0N87c691AtH5e7FB4= ARC-Message-Signature:i=1; a=rsa-sha256; d=subspace.kernel.org; s=arc-20240116; t=1779307287; c=relaxed/simple; bh=mR3EHZNIxlDtYd96+3DCif9wFzAwO5uTYTdY8lGAdZU=; h=Message-ID:Subject:From:To:Cc:Date:In-Reply-To:References: Content-Type:MIME-Version; b=LFFILka5bFXzJp5NXcEbL4LYHg85hwgOH7lA3e1eJoYPJuwgmWDjPOdflAlqvpn0TcYGPDasFWgq52Cj7yKSjE8kMzIZ2ERAbLdIvYEIeJLHVGtaZwWPLSvYo7+6D5v1bf5lvtnkINCyzgF4K52ODB7WyxwA9UUkbXELTBMSa/4= ARC-Authentication-Results:i=1; smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b=O1kVU5sN; arc=none smtp.client-ip=100.103.45.18 Authentication-Results: smtp.subspace.kernel.org; dkim=pass (2048-bit key) header.d=kernel.org header.i=@kernel.org header.b="O1kVU5sN" Received: by smtp.kernel.org (Postfix) with ESMTPSA id D34CC1F000E9; Wed, 20 May 2026 20:01:23 +0000 (UTC) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=kernel.org; s=k20260515; t=1779307285; bh=Edf+1tFMGRtpko3Fr3phjH6+rzd+p+lG7MIZqVAGnZg=; h=Subject:From:To:Cc:Date:In-Reply-To:References; b=O1kVU5sNs41i+hanIghC3RKFG6MRodIa1xHa7VPzcW/pPxSLA1MiI0q1wCnuvD9dD qQ8QmVYcKaqUGzQuZP5JkuWYrFLY95CfTMDidbu9STGaWyFXDFg0bL5umizdKXCBOD rkpjGOPIdQzpEtke1CVtcG2ZJmJNpzsc6k4mDuRrz8B83MzgTAoV3UDDtgEwt6JLSv bdEMl3JwjEPx6rMu2F0EKfPuXza3DrmaB9F9qSKz09cfhqZp0GNxNbyAzCc7wHjHlP vNl0D0fb8npD/GZBXB3VWlJGcANWI5Ug/J2pHFVbMNqLQYgZti1rJ8vcukKLNQeXl+ kN4rLn1aEx0Gg== Message-ID: <62a7f19f02ea65774d8b24e97dc17443202ba4bc.camel@kernel.org> Subject: Re: [PATCH] sunrpc: use kref_get_unless_zero in auth_domain_lookup From: Jeff Layton To: Chuck Lever , Trond Myklebust , Anna Schumaker , Chuck Lever , NeilBrown , Olga Kornievskaia , Dai Ngo , Tom Talpey , "David S. Miller" , Eric Dumazet , Jakub Kicinski , Paolo Abeni , Simon Horman Cc: Chris Mason , linux-nfs@vger.kernel.org, netdev@vger.kernel.org, linux-kernel@vger.kernel.org Date: Wed, 20 May 2026 16:01:21 -0400 In-Reply-To: <42fc0eda-111c-43ec-9413-53d42bf758c7@app.fastmail.com> References: <20260520-nfsd-fixes-v1-1-664ba702d698@kernel.org> <42fc0eda-111c-43ec-9413-53d42bf758c7@app.fastmail.com> Autocrypt: addr=jlayton@kernel.org; prefer-encrypt=mutual; keydata=mQINBE6V0TwBEADXhJg7s8wFDwBMEvn0qyhAnzFLTOCHooMZyx7XO7dAiIhDSi7G1NPxw n8jdFUQMCR/GlpozMFlSFiZXiObE7sef9rTtM68ukUyZM4pJ9l0KjQNgDJ6Fr342Htkjxu/kFV1Wv egyjnSsFt7EGoDjdKqr1TS9syJYFjagYtvWk/UfHlW09X+jOh4vYtfX7iYSx/NfqV3W1D7EDi0PqV T2h6v8i8YqsATFPwO4nuiTmL6I40ZofxVd+9wdRI4Db8yUNA4ZSP2nqLcLtFjClYRBoJvRWvsv4lm 0OX6MYPtv76hka8lW4mnRmZqqx3UtfHX/hF/zH24Gj7A6sYKYLCU3YrI2Ogiu7/ksKcl7goQjpvtV YrOOI5VGLHge0awt7bhMCTM9KAfPc+xL/ZxAMVWd3NCk5SamL2cE99UWgtvNOIYU8m6EjTLhsj8sn VluJH0/RcxEeFbnSaswVChNSGa7mXJrTR22lRL6ZPjdMgS2Km90haWPRc8Wolcz07Y2se0xpGVLEQ cDEsvv5IMmeMe1/qLZ6NaVkNuL3WOXvxaVT9USW1+/SGipO2IpKJjeDZfehlB/kpfF24+RrK+seQf CBYyUE8QJpvTZyfUHNYldXlrjO6n5MdOempLqWpfOmcGkwnyNRBR46g/jf8KnPRwXs509yAqDB6sE LZH+yWr9LQZEwARAQABtCVKZWZmIExheXRvbiA8amxheXRvbkBwb29jaGllcmVkcy5uZXQ+iQI7BB MBAgAlAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAUCTpXWPAIZAQAKCRAADmhBGVaCFc65D/4 gBLNMHopQYgG/9RIM3kgFCCQV0pLv0hcg1cjr+bPI5f1PzJoOVi9s0wBDHwp8+vtHgYhM54yt43uI 7Htij0RHFL5eFqoVT4TSfAg2qlvNemJEOY0e4daljjmZM7UtmpGs9NN0r9r50W82eb5Kw5bc/r0km R/arUS2st+ecRsCnwAOj6HiURwIgfDMHGPtSkoPpu3DDp/cjcYUg3HaOJuTjtGHFH963B+f+hyQ2B rQZBBE76ErgTDJ2Db9Ey0kw7VEZ4I2nnVUY9B5dE2pJFVO5HJBMp30fUGKvwaKqYCU2iAKxdmJXRI ONb7dSde8LqZahuunPDMZyMA5+mkQl7kpIpR6kVDIiqmxzRuPeiMP7O2FCUlS2DnJnRVrHmCljLkZ Wf7ZUA22wJpepBligemtSRSbqCyZ3B48zJ8g5B8xLEntPo/NknSJaYRvfEQqGxgk5kkNWMIMDkfQO lDSXZvoxqU9wFH/9jTv1/6p8dHeGM0BsbBLMqQaqnWiVt5mG92E1zkOW69LnoozE6Le+12DsNW7Rj iR5K+27MObjXEYIW7FIvNN/TQ6U1EOsdxwB8o//Yfc3p2QqPr5uS93SDDan5ehH59BnHpguTc27Xi QQZ9EGiieCUx6Zh2ze3X2UW9YNzE15uKwkkuEIj60NvQRmEDfweYfOfPVOueC+iFifbQgSmVmZiBM YXl0b24gPGpsYXl0b25AcmVkaGF0LmNvbT6JAjgEEwECACIFAk6V0q0CGwMGCwkIBwMCBhUIAgkKC wQWAgMBAh4BAheAAAoJEAAOaEEZVoIViKUQALpvsacTMWWOd7SlPFzIYy2/fjvKlfB/Xs4YdNcf9q LqF+lk2RBUHdR/dGwZpvw/OLmnZ8TryDo2zXVJNWEEUFNc7wQpl3i78r6UU/GUY/RQmOgPhs3epQC 3PMJj4xFx+VuVcf/MXgDDdBUHaCTT793hyBeDbQuciARDJAW24Q1RCmjcwWIV/pgrlFa4lAXsmhoa c8UPc82Ijrs6ivlTweFf16VBc4nSLX5FB3ls7S5noRhm5/Zsd4PGPgIHgCZcPgkAnU1S/A/rSqf3F LpU+CbVBDvlVAnOq9gfNF+QiTlOHdZVIe4gEYAU3CUjbleywQqV02BKxPVM0C5/oVjMVx3bri75n1 TkBYGmqAXy9usCkHIsG5CBHmphv9MHmqMZQVsxvCzfnI5IO1+7MoloeeW/lxuyd0pU88dZsV/riHw 87i2GJUJtVlMl5IGBNFpqoNUoqmvRfEMeXhy/kUX4Xc03I1coZIgmwLmCSXwx9MaCPFzV/dOOrju2 xjO+2sYyB5BNtxRqUEyXglpujFZqJxxau7E0eXoYgoY9gtFGsspzFkVNntamVXEWVVgzJJr/EWW0y +jNd54MfPRqH+eCGuqlnNLktSAVz1MvVRY1dxUltSlDZT7P2bUoMorIPu8p7ZCg9dyX1+9T6Muc5d Hxf/BBP/ir+3e8JTFQBFOiLNdFtB9KZWZmIExheXRvbiA8amxheXRvbkBzYW1iYS5vcmc+iQI4BBM BAgAiBQJOldK9AhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAAKCRAADmhBGVaCFWgWD/0ZRi4h N9FK2BdQs9RwNnFZUr7JidAWfCrs37XrA/56olQl3ojn0fQtrP4DbTmCuh0SfMijB24psy1GnkPep naQ6VRf7Dxg/Y8muZELSOtsv2CKt3/02J1BBitrkkqmHyni5fLLYYg6fub0T/8Kwo1qGPdu1hx2BQ RERYtQ/S5d/T0cACdlzi6w8rs5f09hU9Tu4qV1JLKmBTgUWKN969HPRkxiojLQziHVyM/weR5Reu6 FZVNuVBGqBD+sfk/c98VJHjsQhYJijcsmgMb1NohAzwrBKcSGKOWJToGEO/1RkIN8tqGnYNp2G+aR 685D0chgTl1WzPRM6mFG1+n2b2RR95DxumKVpwBwdLPoCkI24JkeDJ7lXSe3uFWISstFGt0HL8Eew P8RuGC8s5h7Ct91HMNQTbjgA+Vi1foWUVXpEintAKgoywaIDlJfTZIl6Ew8ETN/7DLy8bXYgq0Xzh aKg3CnOUuGQV5/nl4OAX/3jocT5Cz/OtAiNYj5mLPeL5z2ZszjoCAH6caqsF2oLyAnLqRgDgR+wTQ T6gMhr2IRsl+cp8gPHBwQ4uZMb+X00c/Amm9VfviT+BI7B66cnC7Zv6Gvmtu2rEjWDGWPqUgccB7h dMKnKDthkA227/82tYoFiFMb/NwtgGrn5n2vwJyKN6SEoygGrNt0SI84y6hEVbQlSmVmZiBMYXl0b 24gPGpsYXl0b25AcHJpbWFyeWRhdGEuY29tPokCOQQTAQIAIwUCU4xmKQIbAwcLCQgHAwIBBhUIAg kKCwQWAgMBAh4BAheAAAoJEAAOaEEZVoIV1H0P/j4OUTwFd7BBbpoSp695qb6HqCzWMuExsp8nZjr uymMaeZbGr3OWMNEXRI1FWNHMtcMHWLP/RaDqCJil28proO+PQ/yPhsr2QqJcW4nr91tBrv/MqItu AXLYlsgXqp4BxLP67bzRJ1Bd2x0bWXurpEXY//VBOLnODqThGEcL7jouwjmnRh9FTKZfBDpFRaEfD FOXIfAkMKBa/c9TQwRpx2DPsl3eFWVCNuNGKeGsirLqCxUg5kWTxEorROppz9oU4HPicL6rRH22Ce 6nOAON2vHvhkUuO3GbffhrcsPD4DaYup4ic+DxWm+DaSSRJ+e1yJvwi6NmQ9P9UAuLG93S2MdNNbo sZ9P8k2mTOVKMc+GooI9Ve/vH8unwitwo7ORMVXhJeU6Q0X7zf3SjwDq2lBhn1DSuTsn2DbsNTiDv qrAaCvbsTsw+SZRwF85eG67eAwouYk+dnKmp1q57LDKMyzysij2oDKbcBlwB/TeX16p8+LxECv51a sjS9TInnipssssUDrHIvoTTXWcz7Y5wIngxDFwT8rPY3EggzLGfK5Zx2Q5S/N0FfmADmKknG/D8qG IcJE574D956tiUDKN4I+/g125ORR1v7bP+OIaayAvq17RP+qcAqkxc0x8iCYVCYDouDyNvWPGRhbL UO7mlBpjW9jK9e2fvZY9iw3QzIPGKtClKZWZmIExheXRvbiA8amVmZi5sYXl0b25AcHJpbWFyeWRh dGEuY29tPokCOQQTAQIAIwUCU4xmUAIbAwcLCQgHAwIBBhUIAgkKCwQWAgMBAh4BAheAAAoJEAAOa EEZVoIVzJoQALFCS6n/FHQS+hIzHIb56JbokhK0AFqoLVzLKzrnaeXhE5isWcVg0eoV2oTScIwUSU apy94if69tnUo4Q7YNt8/6yFM6hwZAxFjOXR0ciGE3Q+Z1zi49Ox51yjGMQGxlakV9ep4sV/d5a50 M+LFTmYSAFp6HY23JN9PkjVJC4PUv5DYRbOZ6Y1+TfXKBAewMVqtwT1Y+LPlfmI8dbbbuUX/kKZ5d dhV2736fgyfpslvJKYl0YifUOVy4D1G/oSycyHkJG78OvX4JKcf2kKzVvg7/Rnv+AueCfFQ6nGwPn 0P91I7TEOC4XfZ6a1K3uTp4fPPs1Wn75X7K8lzJP/p8lme40uqwAyBjk+IA5VGd+CVRiyJTpGZwA0 jwSYLyXboX+Dqm9pSYzmC9+/AE7lIgpWj+3iNisp1SWtHc4pdtQ5EU2SEz8yKvDbD0lNDbv4ljI7e flPsvN6vOrxz24mCliEco5DwhpaaSnzWnbAPXhQDWb/lUgs/JNk8dtwmvWnqCwRqElMLVisAbJmC0 BhZ/Ab4sph3EaiZfdXKhiQqSGdK4La3OTJOJYZphPdGgnkvDV9Pl1QZ0ijXQrVIy3zd6VCNaKYq7B AKidn5g/2Q8oio9Tf4XfdZ9dtwcB+bwDJFgvvDYaZ5bI3ln4V3EyW5i2NfXazz/GA/I/ZtbsigCFc 8ftCBKZWZmIExheXRvbiA8amxheXRvbkBrZXJuZWwub3JnPokCOAQTAQIAIgUCWe8u6AIbAwYLCQg HAwIGFQgCCQoLBBYCAwECHgECF4AACgkQAA5oQRlWghUuCg/+Lb/xGxZD2Q1oJVAE37uW308UpVSD 2tAMJUvFTdDbfe3zKlPDTuVsyNsALBGclPLagJ5ZTP+Vp2irAN9uwBuacBOTtmOdz4ZN2tdvNgozz uxp4CHBDVzAslUi2idy+xpsp47DWPxYFIRP3M8QG/aNW052LaPc0cedYxp8+9eiVUNpxF4SiU4i9J DfX/sn9XcfoVZIxMpCRE750zvJvcCUz9HojsrMQ1NFc7MFT1z3MOW2/RlzPcog7xvR5ENPH19ojRD CHqumUHRry+RF0lH00clzX/W8OrQJZtoBPXv9ahka/Vp7kEulcBJr1cH5Wz/WprhsIM7U9pse1f1g Yy9YbXtWctUz8uvDR7shsQxAhX3qO7DilMtuGo1v97I/Kx4gXQ52syh/w6EBny71CZrOgD6kJwPVV AaM1LRC28muq91WCFhs/nzHozpbzcheyGtMUI2Ao4K6mnY+3zIuXPygZMFr9KXE6fF7HzKxKuZMJO aEZCiDOq0anx6FmOzs5E6Jqdpo/mtI8beK+BE7Va6ni7YrQlnT0i3vaTVMTiCThbqsB20VrbMjlhp f8lfK1XVNbRq/R7GZ9zHESlsa35ha60yd/j3pu5hT2xyy8krV8vGhHvnJ1XRMJBAB/UYb6FyC7S+m QZIQXVeAA+smfTT0tDrisj1U5x6ZB9b3nBg65kc= Content-Type: text/plain; charset="UTF-8" Content-Transfer-Encoding: quoted-printable User-Agent: Evolution 3.60.1 (3.60.1-1.fc44) Precedence: bulk X-Mailing-List: linux-nfs@vger.kernel.org List-Id: List-Subscribe: List-Unsubscribe: MIME-Version: 1.0 On Wed, 2026-05-20 at 15:47 -0400, Chuck Lever wrote: >=20 > On Wed, May 20, 2026, at 2:10 PM, Jeff Layton wrote: > > auth_domain_put() uses kref_put_lock(), which atomically decrements the > > refcount before acquiring auth_domain_lock. This creates a window where > > an auth_domain entry is still linked on the hash list with refcount =3D= =3D 0. > >=20 > > auth_domain_lookup() walks the hash under auth_domain_lock but uses pla= in > > kref_get() to acquire a reference. If it finds an entry in this transie= nt > > zero-refcount state, refcount_inc() triggers a WARN and refuses to > > increment (saturating refcount_t semantics), but the function returns t= he > > pointer anyway. The caller then holds a dangling reference: when the > > concurrent auth_domain_put() finally acquires the lock and runs > > auth_domain_release(), the object is freed while the lookup caller stil= l > > has a pointer to it. > >=20 > > The sibling function auth_domain_find() already handles this correctly > > using kref_get_unless_zero(). Apply the same pattern in > > auth_domain_lookup(): treat a zero-refcount entry as absent and continu= e > > searching. The loop then either finds another live entry or falls throu= gh > > to insert the new domain, preserving existing semantics. > >=20 > > Reported-by: Chris Mason > > Assisted-by: kres:claude-opus-4-6 > > Signed-off-by: Jeff Layton > > --- > > net/sunrpc/svcauth.c | 6 ++++-- > > 1 file changed, 4 insertions(+), 2 deletions(-) > >=20 > > diff --git a/net/sunrpc/svcauth.c b/net/sunrpc/svcauth.c > > index 55b4d2874188..8e01f0626759 100644 > > --- a/net/sunrpc/svcauth.c > > +++ b/net/sunrpc/svcauth.c > > @@ -245,8 +245,10 @@ auth_domain_lookup(char *name, struct auth_domain = *new) > > spin_lock(&auth_domain_lock); > >=20 > > hlist_for_each_entry(hp, head, hash) { > > - if (strcmp(hp->name, name)=3D=3D0) { > > - kref_get(&hp->ref); > > + if (strcmp(hp->name, name) =3D=3D 0) { > > + if (!kref_get_unless_zero(&hp->ref)) > > + continue; > > + > > spin_unlock(&auth_domain_lock); > > return hp; > > } > >=20 > > --- > > base-commit: 508c9eaa7e0b952c4fe019880796e6207e3cd201 > > change-id: 20260520-nfsd-fixes-f137572d0480 > >=20 > > Best regards, > > --=20 > > Jeff Layton >=20 > Forwarding sashiko review results: >=20 > > auth_domain_put() uses kref_put_lock(), which atomically decrements the > > refcount before acquiring auth_domain_lock. This creates a window where > > an auth_domain entry is still linked on the hash list with refcount =3D= =3D 0. >=20 > [Severity: High] > Is this description of kref_put_lock() accurate? >=20 > Looking at kref_put_lock(), it uses refcount_dec_and_lock() which acquire= s > the spinlock before the 1->0 transition is completed. Since > auth_domain_lookup() holds the same auth_domain_lock, is it actually poss= ible > for it to encounter a 0-refcount entry under normal conditions? >=20 > > diff --git a/net/sunrpc/svcauth.c b/net/sunrpc/svcauth.c > > index 55b4d2874188..8e01f0626759 100644 > > --- a/net/sunrpc/svcauth.c > > +++ b/net/sunrpc/svcauth.c > > @@ -245,8 +245,10 @@ auth_domain_lookup(char *name, struct auth_domain = *new) > > spin_lock(&auth_domain_lock); > > =20 > > hlist_for_each_entry(hp, head, hash) { > > - if (strcmp(hp->name, name)=3D=3D0) { > > - kref_get(&hp->ref); > > + if (strcmp(hp->name, name) =3D=3D 0) { > > + if (!kref_get_unless_zero(&hp->ref)) > > + continue; > > + > > spin_unlock(&auth_domain_lock); > > return hp; > > } >=20 > [Severity: High] > If a 0-refcount entry is encountered here, wouldn't it indicate a severe > underlying refcount imbalance or use-after-free rather than a normal race= ? >=20 > By using kref_get_unless_zero() and continuing the search, might this sil= ently > mask the root cause of the WARN instead of resolving it? >=20 > Furthermore, if the loop skips the 0-refcount entry and falls through to = the > end of the function, won't it insert a duplicate auth_domain with the sam= e > name into the hash list? >=20 Sashiko is correct. This codepath can't see a 0 refcount here. The patch won't break anything, but it's not fixing anything either. Let's just drop this one. --=20 Jeff Layton