[PATCH 1/1] sunrpc: clear rq_procinfo in svc_release_rqst to prevent double-free

[PATCH 1/1] sunrpc: clear rq_procinfo in svc_release_rqst to prevent double-free

[Ren Wei]

From: Luxiao Xu <rakukuip@gmail.com>

The svc_release_rqst() function unconditionally calls
rqstp->rq_procinfo->pc_release. However, svc_process_common()
does not clear rq_procinfo when a worker thread starts processing
a new request.

If a previous RPC selected a procedure with a non-idempotent
release hook, and the subsequent RPC takes an early error path
before a new rq_procinfo is installed (e.g., due to an oversized
RPC fragment, bad auth, or unknown program), the stale release
hook will run against reused state from the earlier RPC. This
leads to a double-free or use-after-free vulnerability.

Fix this by setting rqstp->rq_procinfo to NULL immediately after
executing the release hook in svc_release_rqst(), ensuring that
stale procedure hooks cannot be re-triggered on early errors.

Fixes: d9adbb6e10bf ("sunrpc: delay pc_release callback until after the reply is sent")
Cc: stable@kernel.org
Reported-by: Yuan Tan <yuantan098@gmail.com>
Reported-by: Yifan Wu <yifanwucs@gmail.com>
Reported-by: Juefei Pu <tomapufckgml@gmail.com>
Reported-by: Xin Liu <bird@lzu.edu.cn>
Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
---
 net/sunrpc/svc.c | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
index d8ccb8e4b5c2..0332f05e7061 100644
--- a/net/sunrpc/svc.c
+++ b/net/sunrpc/svc.c
@@ -1572,8 +1572,10 @@ static void svc_release_rqst(struct svc_rqst *rqstp)
 {
 	const struct svc_procedure *procp = rqstp->rq_procinfo;
 
-	if (procp && procp->pc_release)
+	if (procp && procp->pc_release) {
 		procp->pc_release(rqstp);
+		rqstp->rq_procinfo = NULL;
+	}
 }
 
 /**
-- 
2.43.0

Re: [PATCH 1/1] sunrpc: clear rq_procinfo in svc_release_rqst to prevent double-free

[Jeff Layton]

On Wed, 2026-05-20 at 16:13 +0800, Ren Wei wrote:
> From: Luxiao Xu <rakukuip@gmail.com>
> 
> The svc_release_rqst() function unconditionally calls
> rqstp->rq_procinfo->pc_release. However, svc_process_common()
> does not clear rq_procinfo when a worker thread starts processing
> a new request.
> 
> If a previous RPC selected a procedure with a non-idempotent
> release hook, and the subsequent RPC takes an early error path
> before a new rq_procinfo is installed (e.g., due to an oversized
> RPC fragment, bad auth, or unknown program), the stale release
> hook will run against reused state from the earlier RPC. This
> leads to a double-free or use-after-free vulnerability.
> 
> Fix this by setting rqstp->rq_procinfo to NULL immediately after
> executing the release hook in svc_release_rqst(), ensuring that
> stale procedure hooks cannot be re-triggered on early errors.
> 
> Fixes: d9adbb6e10bf ("sunrpc: delay pc_release callback until after the reply is sent")
> Cc: stable@kernel.org
> Reported-by: Yuan Tan <yuantan098@gmail.com>
> Reported-by: Yifan Wu <yifanwucs@gmail.com>
> Reported-by: Juefei Pu <tomapufckgml@gmail.com>
> Reported-by: Xin Liu <bird@lzu.edu.cn>
> Signed-off-by: Luxiao Xu <rakukuip@gmail.com>
> Signed-off-by: Ren Wei <n05ec@lzu.edu.cn>
> ---
>  net/sunrpc/svc.c | 4 +++-
>  1 file changed, 3 insertions(+), 1 deletion(-)
> 
> diff --git a/net/sunrpc/svc.c b/net/sunrpc/svc.c
> index d8ccb8e4b5c2..0332f05e7061 100644
> --- a/net/sunrpc/svc.c
> +++ b/net/sunrpc/svc.c
> @@ -1572,8 +1572,10 @@ static void svc_release_rqst(struct svc_rqst *rqstp)
>  {
>  	const struct svc_procedure *procp = rqstp->rq_procinfo;
>  
> -	if (procp && procp->pc_release)
> +	if (procp && procp->pc_release) {
>  		procp->pc_release(rqstp);
> +		rqstp->rq_procinfo = NULL;
> +	}
>  }
>  
>  /**

Reviewed-by: Jeff Layton <jlayton@kernel.org>