1. Patchew
  2. linux
  3. View series

[PATCH] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race

Jeff Layton posted 1 patch 2 days, 4 hours ago 
fs/nfsd/nfs4state.c | 1 +
1 file changed, 1 insertion(+)
[PATCH] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race
Posted by Jeff Layton 2 days, 4 hours ago 
When find_or_alloc_open_stateowner() encounters an unconfirmed owner, it
calls release_openowner() and sets oo = NULL. Control then falls through
past the `if (oo)` guard — which would have freed any pre-allocated
`new` — and unconditionally executes `new = alloc_stateowner(...)`. If
`new` was already allocated on a prior iteration, the pointer is
silently overwritten and the previous allocation (slab object + owner
name buffer) is leaked.

This requires a race: two NFSv4.0 OPEN threads with the same owner
string, where a concurrent thread inserts a new unconfirmed owner into
the hash between retry iterations. The window is narrow but repeatable
under adversarial conditions.

Fix by adding `goto retry` after `oo = NULL` so the already-allocated
`new` is reused on the next iteration rather than overwritten.

Fixes: 23df17788c62 ("nfsd: perform all find_openstateowner_str calls in the one place.")
Reported-by: Chris Mason <clm@meta.com>
Assisted-by: kres:claude-opus-4-6
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 fs/nfsd/nfs4state.c | 1 +
 1 file changed, 1 insertion(+)

diff --git a/fs/nfsd/nfs4state.c b/fs/nfsd/nfs4state.c
index 2cf021b202a6..a42f34842d77 100644
--- a/fs/nfsd/nfs4state.c
+++ b/fs/nfsd/nfs4state.c
@@ -5276,6 +5276,7 @@ find_or_alloc_open_stateowner(unsigned int strhashval, struct nfsd4_open *open,
 		/* Replace unconfirmed owners without checking for replay. */
 		release_openowner(oo);
 		oo = NULL;
+		goto retry;
 	}
 	if (oo) {
 		if (new)

---
base-commit: 33e9ab952a864ae00bce7e47c3e9add1c4b3d3a3
change-id: 20260522-find_or_alloc_open_stateowner_unconfirmed_refcount_leak-997336e1ae1e

Best regards,
-- 
Jeff Layton <jlayton@kernel.org>
Re: [PATCH] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race
Posted by Chuck Lever 2 days, 3 hours ago 
From: Chuck Lever <chuck.lever@oracle.com>

On Fri, 22 May 2026 10:36:14 -0400, Jeff Layton wrote:
> When find_or_alloc_open_stateowner() encounters an unconfirmed owner, it
> calls release_openowner() and sets oo = NULL. Control then falls through
> past the `if (oo)` guard — which would have freed any pre-allocated
> `new` — and unconditionally executes `new = alloc_stateowner(...)`. If
> `new` was already allocated on a prior iteration, the pointer is
> silently overwritten and the previous allocation (slab object + owner
> name buffer) is leaked.
> 
> [...]

Applied to nfsd-testing, thanks!

[1/1] nfsd: avoid leaking pre-allocated openowner on unconfirmed retry race
      commit: f36ecdd78c6271239579ad7fb3d0a51697160877

--
Chuck Lever <chuck.lever@oracle.com>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.