Re: [PATCH] pnfs: fix refcount leak in pnfs_report_layoutstat()
From: Trond Myklebust
Date: Thu Jun 11 2026 - 13:38:52 EST
On Thu, 2026-06-11 at 23:47 +0800, WenTao Liang wrote:
> When pnfs_report_layoutstat() calls pnfs_get_layout_hdr() and passes
> the reference through the inode field of the layoutstats data to
> nfs42_proc_layoutstats_generic(), if rpc_run_task() in that function
> fails (IS_ERR), nfs42_proc_layoutstats_generic() returns immediately
> without releasing the reference. This leaks the layout header
> reference, leaks the allocated data, and leaves the
> NFS_INO_LAYOUTSTATS flag stuck on the inode, preventing further
> layoutstat reporting.
>
> Fix by calling nfs42_layoutstat_release(data) before returning on
> rpc_run_task() error, matching the existing error handling for a
> missing inode.
>
> Cc: stable@xxxxxxxxxxxxxxx
> Fixes: be3a5d233922 ("NFSv.2/pnfs Add a LAYOUTSTATS rpc function")
> Signed-off-by: WenTao Liang <vulab@xxxxxxxxxxx>
> ---
> fs/nfs/nfs42proc.c | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/fs/nfs/nfs42proc.c b/fs/nfs/nfs42proc.c
> index 7602ede6f75f..7637ad894563 100644
> --- a/fs/nfs/nfs42proc.c
> +++ b/fs/nfs/nfs42proc.c
> @@ -1076,8 +1076,10 @@ int nfs42_proc_layoutstats_generic(struct
> nfs_server *server,
> nfs4_init_sequence(server->nfs_client, &data->args.seq_args,
> &data->res.seq_res, 0, 0);
> task = rpc_run_task(&task_setup);
> - if (IS_ERR(task))
> + if (IS_ERR(task)) {
> + nfs42_layoutstat_release(data);
> return PTR_ERR(task);
NACK! If you'd bothered to read the code, you would have found that
rpc_run_task() already cleans up on failure. This patch just introduces
a massive use-after-free.
> + }
> rpc_put_task(task);
> return 0;
> }
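Review bot: the nfs42_layoutstat_release(data) call added in the IS_ERR(task) branch releases data that rpc_run_task() has already released on its failure path, as the maintainer's reply states, so the branch now frees the layoutstats data (and drops the layout header reference it carries) twice; the second release is a use-after-free, which is worse than the leak the commit message describes. Before reworking, confirm the premise by reading rpc_run_task()'s failure handling in net/sunrpc/sched.c: when task creation fails it invokes the rpc_release callback from the supplied callback_ops on the callback data, which for this call site is exactly nfs42_layoutstat_release(). If that is the case, the described leak does not exist and the patch should be dropped; if a path is found where the callback is not run, the fix should release only on that path, not unconditionally under IS_ERR(task).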
--
Trond Myklebust
Linux NFS client maintainer, Hammerspace
trondmy@xxxxxxxxxx, trond.myklebust@xxxxxxxxxxxxxxx