Re: [PATCH] SUNRPC: Convert rpc_client refcount to use refcount_t


 



On Mon, 2021-07-19 at 08:01 -0400, Benjamin Coddington wrote:
> Hi Trond,
> 
> On 17 Jul 2021, at 13:20, trondmy@xxxxxxxxxx wrote:
> 
> > @@ -943,7 +941,7 @@ rpc_release_client(struct rpc_clnt *clnt)
> >         do {
> >                 if (list_empty(&clnt->cl_tasks))
> >                         wake_up(&destroy_wait);
> > -               if (!atomic_dec_and_test(&clnt->cl_count))
> > +               if (refcount_dec_not_one(&clnt->cl_count))
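Review bot: in the loop in rpc_release_client(), `refcount_dec_not_one(&clnt->cl_count)` is not a one-for-one replacement for `!atomic_dec_and_test(&clnt->cl_count)`. The old call always decremented and reported whether the count reached zero, while the new one refuses to decrement when the count is 1 and returns false, so on the final put the counter stays at 1 instead of going to 0. The code that runs after this test is not visible in the hunk, so please add a comment here saying that the last reference is deliberately left at 1 and naming where the count is finally taken to zero, so a reader can confirm the teardown path cannot be entered twice.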
> 
> I guess we're not worried about extra calls racing into
> rpc_free_auth?

The refcount would normally be going to zero in the above case. If
anything outside the RPC code itself tries to bump the counter then
that is a very clear cut case of use-after-free.

> 
> .. hmm, it looks like current code can do that already since we're bumping
> the ref up again.  Seems like we could end up in rpcauth_release twice with
> an underflow on au_count.
> 

As I said, only if there is a use-after-free bug somewhere else.

-- 
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trond.myklebust@xxxxxxxxxxxxxxx





