On 4 Oct 2024, at 18:04, Olga Kornievskaia wrote:

> When multiple FREE_STATEIDs are sent for the same delegation stateid,
> it can lead to either a possible use-after-free or a refcount
> underflow error.
>
> In nfsd4_free_stateid() under the client lock we find a delegation
> stateid; however, the code drops the lock before calling nfs4_put_stid(),
> which allows another FREE_STATEID to find the stateid again. The first one
> will proceed to then free the stateid, which leads to either a
> use-after-free or decrementing an already zeroed counter.
>
> CC: stable@xxxxxxxxxxxxxxx
> Signed-off-by: Olga Kornievskaia <okorniev@xxxxxxxxxx>

Reviewed-by: Benjamin Coddington <bcodding@xxxxxxxxxx>

Ben
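The window described in the commit message (lookup under the client lock, lock dropped, then a put that consumes the hash table's reference) can be reproduced deterministically in a toy model. The following is an added illustration written for this page, not kernel code and not the patch itself: `struct stid`, `struct client`, `lookup_phase()`, `put_phase()` and `race()` are all invented here. It interleaves two FREE_STATEID requests so that both lookups complete before either put, and contrasts the buggy ordering with one assumed mitigation (unhashing the object while the lock is still held, so the second lookup fails with a bad-stateid result instead of putting the same reference twice). Whether the real fix takes exactly that form is not stated on this page.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy model of a per-client stateid table guarded by one lock. Constructed
 * for illustration; the names and layout are not from nfsd. */
enum { TABLE_SIZE = 4 };

struct stid {
    int id;
    int refcount;     /* reference held by the hash table while hashed */
    bool hashed;      /* visible to lookups under the client lock */
    int freed_times;  /* how many times the object reached refcount 0 */
};

struct client {
    int lock_held;
    struct stid table[TABLE_SIZE];
};

static void cl_lock(struct client *c)   { c->lock_held = 1; }
static void cl_unlock(struct client *c) { c->lock_held = 0; }

/* Lookup is only valid with the client lock held (caller's responsibility). */
static struct stid *find_stid_locked(struct client *c, int id) {
    for (int i = 0; i < TABLE_SIZE; i++)
        if (c->table[i].hashed && c->table[i].id == id)
            return &c->table[i];
    return NULL;
}

/* Drop one reference; refcount going below zero models the underflow. */
static void put_stid(struct stid *s) {
    s->refcount--;
    if (s->refcount == 0) {
        s->hashed = false;
        s->freed_times++;
    }
}

/* First half of a FREE_STATEID: find the stateid under the lock, then drop
 * the lock. With unhash_under_lock the object is removed from the table
 * before the lock is released (the assumed mitigation). */
static struct stid *lookup_phase(struct client *c, int id, bool unhash_under_lock) {
    cl_lock(c);
    struct stid *s = find_stid_locked(c, id);
    if (s && unhash_under_lock)
        s->hashed = false;
    cl_unlock(c);
    return s;
}

/* Second half: put the reference the table held. -1 models nfserr_bad_stateid. */
static int put_phase(struct stid *s) {
    if (!s)
        return -1;
    put_stid(s);
    return 0;
}

struct outcome {
    int rc_a, rc_b;    /* result of each FREE_STATEID */
    int refcount;      /* final refcount of the object */
    int freed_times;
};

/* Two FREE_STATEIDs for id 42, interleaved so both lookups happen before
 * either put. fixed=false is the ordering the commit message describes. */
static struct outcome race(bool fixed) {
    struct client c;
    memset(&c, 0, sizeof c);
    c.table[0] = (struct stid){ .id = 42, .refcount = 1, .hashed = true };

    struct stid *a = lookup_phase(&c, 42, fixed);
    struct stid *b = lookup_phase(&c, 42, fixed);

    struct outcome o;
    o.rc_a = put_phase(a);
    o.rc_b = put_phase(b);
    o.refcount = c.table[0].refcount;
    o.freed_times = c.table[0].freed_times;
    return o;
}

int main(void) {
    struct outcome bug = race(false), ok = race(true);
    printf("buggy: rc_a=%d rc_b=%d refcount=%d\n", bug.rc_a, bug.rc_b, bug.refcount);
    printf("fixed: rc_a=%d rc_b=%d refcount=%d\n", ok.rc_a, ok.rc_b, ok.refcount);
    return 0;
}
```

In the buggy ordering both requests succeed and the refcount ends at -1, which is the "decrementing an already zeroed counter" case; in a real kernel the second put would instead touch freed memory. With the object unhashed under the lock, the second request never finds it and returns the bad-stateid result, so only one reference is ever dropped.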