On Mon, 2021-07-19 at 08:01 -0400, Benjamin Coddington wrote:
> Hi Trond,
>
> On 17 Jul 2021, at 13:20, trondmy@xxxxxxxxxx wrote:
>
> > @@ -943,7 +941,7 @@ rpc_release_client(struct rpc_clnt *clnt)
> > do {
> > if (list_empty(&clnt->cl_tasks))
> > wake_up(&destroy_wait);
> > - if (!atomic_dec_and_test(&clnt->cl_count))
> > + if (refcount_dec_not_one(&clnt->cl_count))
>
> I guess we're not worried about extra calls racing into
> rpc_free_auth?

The refcount would normally be going to zero in the above case. If anything
outside the RPC code itself tries to bump the counter then that is a very
clear cut case of use-after-free.

> .. hmm, it looks like current code can do that already since we're
> bumping the
> ref up again. Seems like we could end up in rpcauth_release twice
> with
> an underflow on au_count.

As I said, only if there is a use-after-free bug somewhere else.

--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@xxxxxxxxxxxxxxx
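Review bot: the replacement in the hunk at rpc_release_client() changes the value left in cl_count on the final release, and that should be spelled out in the commit message. `!atomic_dec_and_test(&clnt->cl_count)` decrements unconditionally and falls through with the count at zero; `refcount_dec_not_one(&clnt->cl_count)` does not decrement when the count is one, so the fall-through path now runs with cl_count still at one. The discussion notes that the existing code bumps the reference back up after this point; since the new call never reaches zero, that re-bump looks redundant and any later put on cl_count on the teardown path needs to be checked against the new semantics. A one-line comment at the call site stating that the last reference is deliberately kept at one until the auth is freed would make the intent clear to the next reader.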