1. Patchew
  2. linux
  3. View series

[PATCH] SUNRPC: always drain cache_cleaner before destroying a cache_detail

Jeff Layton posted 1 patch 1 week, 6 days ago 
net/sunrpc/cache.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
[PATCH] SUNRPC: always drain cache_cleaner before destroying a cache_detail
Posted by Jeff Layton 1 week, 6 days ago 
sunrpc_destroy_cache_detail() only cancels the global cache_cleaner
delayed_work when cache_list is empty.  During per-netns teardown
cache_list is never empty because init_net's caches remain registered,
so the cancel never fires.  After unlink, the caller proceeds to
cache_destroy_net() which kfrees the cache_detail while cache_clean()
may still hold a dangling pointer to it.  The result is a
use-after-free: cache_dequeue() takes cd->queue_lock on freed memory,
and cache_put() dereferences cd->cache_put as a function pointer from
freed slab.

Drop the list_empty guard so that cancel_delayed_work_sync() always
runs, ensuring any in-flight cache_clean() completes before the
cache_detail is freed.  Re-arm the cleaner afterwards if other caches
are still registered.

Fixes: 820f9442e711 ("SUNRPC: split cache creation and PipeFS registration")
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Jeff Layton <jlayton@kernel.org>
---
 net/sunrpc/cache.c | 7 +++----
 1 file changed, 3 insertions(+), 4 deletions(-)

diff --git a/net/sunrpc/cache.c b/net/sunrpc/cache.c
index 391037f15292..1bc04109d213 100644
--- a/net/sunrpc/cache.c
+++ b/net/sunrpc/cache.c
@@ -430,10 +430,9 @@ void sunrpc_destroy_cache_detail(struct cache_detail *cd)
 	list_del_init(&cd->others);
 	spin_unlock(&cd->hash_lock);
 	spin_unlock(&cache_list_lock);
-	if (list_empty(&cache_list)) {
-		/* module must be being unloaded so its safe to kill the worker */
-		cancel_delayed_work_sync(&cache_cleaner);
-	}
+	cancel_delayed_work_sync(&cache_cleaner);
+	if (!list_empty(&cache_list))
+		queue_delayed_work(system_power_efficient_wq, &cache_cleaner, 0);
 }
 EXPORT_SYMBOL_GPL(sunrpc_destroy_cache_detail);
 

---
base-commit: 97bac3c7a039675d7ae71fbdf3a7c39e840339b6
change-id: 20260526-cache_cleaner_vs_destroy_no_sync-13299f61de5c

Best regards,
-- 
Jeff Layton <jlayton@kernel.org>
Re: [PATCH] SUNRPC: always drain cache_cleaner before destroying a cache_detail
Posted by Chuck Lever 1 week, 5 days ago 
From: Chuck Lever <chuck.lever@oracle.com>

On Tue, 26 May 2026 15:35:06 -0400, Jeff Layton wrote:
> sunrpc_destroy_cache_detail() only cancels the global cache_cleaner
> delayed_work when cache_list is empty.  During per-netns teardown
> cache_list is never empty because init_net's caches remain registered,
> so the cancel never fires.  After unlink, the caller proceeds to
> cache_destroy_net() which kfrees the cache_detail while cache_clean()
> may still hold a dangling pointer to it.  The result is a
> use-after-free: cache_dequeue() takes cd->queue_lock on freed memory,
> and cache_put() dereferences cd->cache_put as a function pointer from
> freed slab.
> 
> [...]

Applied to nfsd-testing, thanks!

[1/1] SUNRPC: always drain cache_cleaner before destroying a cache_detail
      commit: a6a67f4010de2424ae856d5e857079fe89f1178d

--
Chuck Lever <chuck.lever@oracle.com>

Patchew 2.1-devel-ea86937

© 2016 - 2026 Red Hat, Inc.