From: Jeff Layton <jlayton@kernel.org>
To: Ren Wei <n05ec@lzu.edu.cn>,
linux-nfs@vger.kernel.org, netdev@vger.kernel.org
Cc: trondmy@kernel.org, anna@kernel.org, chuck.lever@oracle.com,
neil@brown.name, okorniev@redhat.com, Dai.Ngo@oracle.com,
tom@talpey.com, yuantan098@gmail.com, yifanwucs@gmail.com,
tomapufckgml@gmail.com, bird@lzu.edu.cn, rakukuip@gmail.com
Subject: Re: [PATCH 1/1] sunrpc: clear rq_procinfo in svc_release_rqst to prevent double-free
Date: Wed, 20 May 2026 06:46:47 -0400 [thread overview]
Message-ID: <2b28abdf244109c7ce13841df4cdd57a6fd94341.camel@kernel.org> (raw)
In-Reply-To: <8c4cfe3656a817a64da9cf62e42282a1f308b9dd.1779253342.git.rakukuip@gmail.com>
On Wed, 2026-05-20 at 16:13 +0800, Ren Wei wrote:
> From: Luxiao Xu <rakukuip@gmail.com>
>
> The svc_release_rqst() function unconditionally calls
> rqstp->rq_procinfo->pc_release. However, svc_process_common()
> does not clear rq_procinfo when a worker thread starts processing
> a new request.
>
> If a previous RPC selected a procedure with a non-idempotent
> release hook, and the subsequent RPC takes an early error path
> before a new rq_procinfo is installed (e.g., due to an oversized
> RPC fragment, bad auth, or unknown program), the stale release
> hook will run against reused state from the earlier RPC. This
> leads to a double-free or use-after-free vulnerability.
>
> Fix this by setting rqstp->rq_procinfo to NULL immediately after
> executing the release hook in svc_release_rqst(), ensuring that
> stale procedure hooks cannot be re-triggered on early errors.
>
> Fixes: d9adbb6e10bf ("sunrpc: delay pc_release callback until after the reply is sent")
> Cc: stable@kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
> net/sunrpc/svc.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
> index d8ccb8e4b5c2..0332f05e7061 100644
> --- a/net/sunrpc/svc.c
> +++ b/net/sunrpc/svc.c
> @@ -1572,8 +1572,10 @@ static void svc_release_rqst(struct svc_rqst *rqstp)
> {
> const struct svc_procedure *procp = rqstp->rq_procinfo;
>
> - if (procp && procp->pc_release)
> + if (procp && procp->pc_release) {
> procp->pc_release(rqstp);
> + rqstp->rq_procinfo = NULL;
> + }
> }
>
> /**
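Review bot: the new `rqstp->rq_procinfo = NULL;` sits inside the `if (procp && procp->pc_release)` branch, so a procedure that has no pc_release hook leaves rq_procinfo pointing at the previous procedure across the next RPC. That is harmless for the double-free this patch targets (there is no hook to re-run), but it leaves the weaker invariant "cleared only when a hook ran" rather than "NULL once the request is released", and any other consumer of rq_procinfo on an early-error path still sees a stale entry. Clearing it unconditionally after the call keeps the diff to a one-line addition and makes the invariant simpler to reason about:

	if (procp && procp->pc_release)
		procp->pc_release(rqstp);
	rqstp->rq_procinfo = NULL;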
Reviewed-by: Jeff Layton <jlayton@kernel.org>
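A stand-alone model of the failure mode the commit message describes, added here as an illustration. It is not kernel code: the model_* types and functions only mimic the shape of svc_rqst, svc_procedure and svc_release_rqst(), and the refcounted stand-in for the per-reply state, the two-RPC worker scenario and the underflow flag are assumptions of the example, not anything taken from net/sunrpc. The point it shows is that a reused per-worker context plus a non-idempotent release hook plus an early-error path that never installs a new procedure is enough to run the previous RPC's hook a second time, and that clearing the procedure pointer after the hook closes that path.

```c
#include <assert.h>
#include <stddef.h>

/* Added model, not SUNRPC code: every name below is an assumption of the example. */

struct model_rqst;

/* The one field of struct svc_procedure that matters here. */
struct model_proc {
	const char *name;
	void (*release)(struct model_rqst *rqstp);	/* stands in for pc_release */
};

/* Refcounted reply state: the hook drops a reference; a put with nothing
 * left to drop is the model's "double-free". */
struct model_res {
	int refs;
	int underflow;		/* set when a put finds no reference to drop */
};

/* Per-worker request context reused across RPCs, like struct svc_rqst. */
struct model_rqst {
	const struct model_proc *procinfo;	/* stands in for rq_procinfo */
	struct model_res *res;			/* per-reply state the hook touches */
};

static void model_put(struct model_res *res)
{
	if (res->refs <= 0) {
		res->underflow = 1;	/* second put on already-released state */
		return;
	}
	res->refs--;
}

/* Non-idempotent release hook: drops the reply's reference and, like a real
 * pc_release, does not scrub the context it was handed. */
static void model_release(struct model_rqst *rqstp)
{
	model_put(rqstp->res);
}

static const struct model_proc proc_with_hook = { "proc_with_hook", model_release };

/* Dispatch. On an early error (bad auth, unknown program, ...) we return
 * before any procedure is selected, so procinfo keeps whatever the previous
 * RPC left in it. */
static int model_process(struct model_rqst *rqstp, const struct model_proc *proc,
			 struct model_res *res, int early_error)
{
	if (early_error)
		return -1;
	rqstp->procinfo = proc;
	rqstp->res = res;
	res->refs++;		/* the reply holds one reference until release */
	return 0;
}

/* Pre-patch shape of svc_release_rqst(): the hook runs, the pointer stays. */
static void model_release_rqst_stale(struct model_rqst *rqstp)
{
	const struct model_proc *procp = rqstp->procinfo;

	if (procp && procp->release)
		procp->release(rqstp);
}

/* Patched shape: the procedure pointer is cleared once its hook has run. */
static void model_release_rqst_cleared(struct model_rqst *rqstp)
{
	const struct model_proc *procp = rqstp->procinfo;

	if (procp && procp->release) {
		procp->release(rqstp);
		rqstp->procinfo = NULL;
	}
}

/* One worker, two RPCs: a successful call to proc_with_hook, then a call that
 * fails before a procedure is chosen. Returns 1 if the second release re-ran
 * the stale hook and dropped a reference that no longer existed. */
int model_run(int patched)
{
	struct model_rqst rqstp = { NULL, NULL };
	struct model_res res = { 0, 0 };
	void (*release_rqst)(struct model_rqst *) =
		patched ? model_release_rqst_cleared : model_release_rqst_stale;

	model_process(&rqstp, &proc_with_hook, &res, 0);	/* RPC 1: refs 1 -> 0 */
	release_rqst(&rqstp);

	model_process(&rqstp, &proc_with_hook, &res, 1);	/* RPC 2: early error */
	release_rqst(&rqstp);	/* release still runs on the error path */

	return res.underflow;
}

int main(void)
{
	assert(model_run(0) == 1);	/* stale hook re-runs: double put */
	assert(model_run(1) == 0);	/* cleared pointer: hook skipped */
	return 0;
}
```

The model keeps `rqstp->res` set across the failed second RPC on purpose: that is the "reused state from the earlier RPC" the commit message refers to, and it is what the stale hook operates on. Clearing only the procedure pointer, as the patch does, is sufficient because the hook is the only thing that dereferences that state on the error path.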
Thread overview: 3+ messages
[not found] <cover.1779253342.git.rakukuip@gmail.com>
2026-05-20 8:13 ` [PATCH 1/1] sunrpc: clear rq_procinfo in svc_release_rqst to prevent double-free Ren Wei
2026-05-20 10:46 ` Jeff Layton [this message]
2026-05-20 14:36 ` Chuck Lever