On 19 Jul 2021, at 8:07, Trond Myklebust wrote: > On Mon, 2021-07-19 at 08:01 -0400, Benjamin Coddington wrote: >> Hi Trond, >> >> On 17 Jul 2021, at 13:20, trondmy@xxxxxxxxxx wrote: >> >>> @@ -943,7 +941,7 @@ rpc_release_client(struct rpc_clnt *clnt) >>> do { >>> if (list_empty(&clnt->cl_tasks)) >>> wake_up(&destroy_wait); >>> - if (!atomic_dec_and_test(&clnt->cl_count)) >>> + if (refcount_dec_not_one(&clnt->cl_count)) >> >> I guess we're not worried about extra calls racing into >> rpc_free_auth? > > The refcount would normally be going to zero in the above case. If > anything outside the RPC code itself tries to bump the counter then > that is a very clear cut case of use-after-free. I am thinking about users of rpc_release_client() calling it multiple times, but perhaps that's not something that happens. This is a different issue that's not added by your patch, I was noticing it. Reviewed-by: Benjamin Coddington <bcodding@xxxxxxxxxx> Ben
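Review bot: The `+` line in the rpc_release_client() hunk changes which caller performs the final decrement, and nothing in the hunk documents that. `atomic_dec_and_test()` always decremented, so only one caller could observe the count reaching zero; `refcount_dec_not_one()` leaves the count at 1 and returns false, so every caller that sees 1 proceeds past this check, and the last reference has to be dropped by code further down that is not visible in this hunk. A short comment above `if (refcount_dec_not_one(&clnt->cl_count))` stating where the remaining reference is released, and that each caller must own the reference it puts, would answer the question raised in the reply about extra calls reaching rpc_free_auth.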