Re: [PATCH] SUNRPC: always drain cache_cleaner before destroying a cache_detail

Next message: Rosen Penev: "[PATCH net-next] net: ibm: emac: Reserve VLAN header in MJS limit"
Previous message: Jakub Pisarczyk: "[PATCH] ALSA: hda/cs420x: Add CS4208 fixup for iMac16,1"
In reply to: Jeff Layton: "[PATCH] SUNRPC: always drain cache_cleaner before destroying a cache_detail"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Chuck Lever

Date: Tue May 26 2026 - 16:20:47 EST

From: Chuck Lever <chuck.lever@xxxxxxxxxx>

On Tue, 26 May 2026 15:35:06 -0400, Jeff Layton wrote:
> sunrpc_destroy_cache_detail() only cancels the global cache_cleaner
> delayed_work when cache_list is empty. During per-netns teardown
> cache_list is never empty because init_net's caches remain registered,
> so the cancel never fires. After unlink, the caller proceeds to
> cache_destroy_net() which kfrees the cache_detail while cache_clean()
> may still hold a dangling pointer to it. The result is a
> use-after-free: cache_dequeue() takes cd->queue_lock on freed memory,
> and cache_put() dereferences cd->cache_put as a function pointer from
> freed slab.
>
> [...]

Applied to nfsd-testing, thanks!

[1/1] SUNRPC: always drain cache_cleaner before destroying a cache_detail
commit: a6a67f4010de2424ae856d5e857079fe89f1178d

--
Chuck Lever <chuck.lever@xxxxxxxxxx>