From: Chuck Lever <chuck.lever@xxxxxxxxxx> [ Upstream commit 8286f8b622990194207df9ab852e0f87c60d35e9 ] The error flow in nfsd4_copy() calls cleanup_async_copy(), which already decrements nn->pending_async_copies. Reported-by: Olga Kornievskaia <okorniev@xxxxxxxxxx> Fixes: aadc3bbea163 ("NFSD: Limit the number of concurrent async COPY operations") Signed-off-by: Chuck Lever <chuck.lever@xxxxxxxxxx> Signed-off-by: Greg Kroah-Hartman <gregkh@xxxxxxxxxxxxxxxxxxx>
---
 fs/nfsd/nfs4proc.c | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
--- a/fs/nfsd/nfs4proc.c
+++ b/fs/nfsd/nfs4proc.c
@@ -1820,10 +1820,8 @@ nfsd4_copy(struct svc_rqst *rqstp, struc
 refcount_set(&async_copy->refcount, 1);
 /* Arbitrary cap on number of pending async copy operations */
 if (atomic_inc_return(&nn->pending_async_copies) >
- (int)rqstp->rq_pool->sp_nrthreads) {
- atomic_dec(&nn->pending_async_copies);
+ (int)rqstp->rq_pool->sp_nrthreads)
 goto out_err;
- }
 async_copy->cp_src = kmalloc(sizeof(*async_copy->cp_src), GFP_KERNEL);
 if (!async_copy->cp_src)
 goto out_err;
Patches currently in stable-queue which might be from cel@xxxxxxxxxx are queue-6.6/nfsd-never-decrement-pending_async_copies-on-error.patch queue-6.6/nfsd-limit-the-number-of-concurrent-async-copy-operations.patch queue-6.6/nfsd-initialize-struct-nfsd4_copy-earlier.patch queue-6.6/nfsd-async-copy-result-needs-to-return-a-write-verifier.patch queue-6.6/nfsd-initialize-copy-cp_clp-early-in-nfsd4_copy-for-use-by-trace-point.patch
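Review bot: After this change the `atomic_inc_return(&nn->pending_async_copies)` cap check has no matching decrement anywhere in the hunk, and the existing "Arbitrary cap" comment does not say who owns it. The commit message states that the out_err path calls cleanup_async_copy(), which drops the counter, so I would record that next to the check, e.g. `/* out_err -> cleanup_async_copy() decrements pending_async_copies */`. Because this counter is what bounds concurrent async COPY work, an unpaired or doubled decrement skews the limit, so it is also worth confirming that no `goto out_err` with a non-NULL async_copy can run before the increment. That earlier part of nfsd4_copy() and the out_err label itself are outside the hunk, so this cannot be checked from the lines shown.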