Re: [PATCH v2] NFSD: restart ssc_expire_umount walk after dropping nfsd_ssc_lock

Next message: Ashwin Gundarapu: "[PATCH v4] ext2: Remove deprecated DAX support"
Previous message: Guenter Roeck: "Re: [PATCH] hwmon: (nct6683) Add support for ASRock Z890 Pro-A"
In reply to: Michael Bommarito: "[PATCH v2] NFSD: restart ssc_expire_umount walk after dropping nfsd_ssc_lock"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Chuck Lever

Date: Sun May 24 2026 - 11:31:44 EST

From: Chuck Lever <chuck.lever@xxxxxxxxxx>

On Sun, 24 May 2026 09:06:54 -0400, Michael Bommarito wrote:
> nfsd4_ssc_expire_umount() walks nn->nfsd_ssc_mount_list with
> list_for_each_entry_safe(ni, tmp, ...). For each expired entry it
> sets nsui_busy = true, drops nfsd_ssc_lock to run mntput() on the
> source vfsmount, then reacquires the lock to list_del + kfree the
> entry and continue iterating via the macro's saved tmp pointer.
>
> The nsui_busy flag protects the current ni from concurrent
> nfsd4_ssc_setup_dul() finders during the lock-drop window, but it
> does not pin tmp. Another nfsd RPC thread that fails its source-
> server mount and reaches nfsd4_ssc_cancel_dul() will, during that
> same window, take nfsd_ssc_lock, list_del + kfree its own ssc_umount
> item, and release the lock. If that item is the saved tmp of the
> expire walk, the next iteration dereferences a freed
> nfsd4_ssc_umount_item.
>
> [...]

Applied to nfsd-testing, thanks!

[1/1] NFSD: restart ssc_expire_umount walk after dropping nfsd_ssc_lock
commit: e6dc1fc7e8483f9b36dcfdbcd33665298b018ba9

--
Chuck Lever <chuck.lever@xxxxxxxxxx>