[PATCH] pnfs: fix refcount leak in pnfs_report_layoutstat()

Next message: Frank Li: "Re: [PATCHv4 15/15] dmaengine: fsldma: fix kernel-doc param names to match function signatures"
Previous message: Sasha Levin: "Re: [PATCH 6.12.y v2] xfrm: hold dev ref until after transport_finish NF_HOOK"
Next in thread: Trond Myklebust: "Re: [PATCH] pnfs: fix refcount leak in pnfs_report_layoutstat()"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: WenTao Liang

Date: Thu Jun 11 2026 - 11:48:09 EST

When pnfs_report_layoutstat() calls pnfs_get_layout_hdr() and passes
the reference through the inode field of the layoutstats data to
nfs42_proc_layoutstats_generic(), if rpc_run_task() in that function
fails (IS_ERR), nfs42_proc_layoutstats_generic() returns immediately
without releasing the reference. This leaks the layout header
reference, leaks the allocated data, and leaves the
NFS_INO_LAYOUTSTATS flag stuck on the inode, preventing further
layoutstat reporting.

Fix by calling nfs42_layoutstat_release(data) before returning on
rpc_run_task() error, matching the existing error handling for a
missing inode.

Cc: stable@xxxxxxxxxxxxxxx
Fixes: be3a5d233922 ("NFSv.2/pnfs Add a LAYOUTSTATS rpc function")
Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
---
fs/nfs/nfs42proc.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
index 7602ede6f75f..7637ad894563 100644
--- a/fs/nfs/nfs42proc.c
+++ b/fs/nfs/nfs42proc.c
@@ -1076,8 +1076,10 @@ int nfs42_proc_layoutstats_generic(struct nfs_server *server,
nfs4_init_sequence(server->nfs_client, &data->args.seq_args,
&data->res.seq_res, 0, 0);
task = rpc_run_task(&task_setup);
- if (IS_ERR(task))
+ if (IS_ERR(task)) {
+ nfs42_layoutstat_release(data);
return PTR_ERR(task);
+ }
rpc_put_task(task);
return 0;
}
--
2.50.1 (Apple Git-155)